From 00474a6c26f89ac95ab90323a21cb732e04100f4 Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Thu, 30 Apr 2026 22:56:37 -0500
Subject: [PATCH 1/9] docs: fix stale docs/design refs after layout split (#61
 follow-up) (#62)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

PR #61 moved shipped artifacts (`foundation.css`, `og.html`, `og.css`)
out of `docs/design/` and research/concept work
into `docs/research/design/`, but left stale references to the old paths
in:

- `docs/DESIGN.md` — 17+ refs (would 404 on github.com when browsed on
`main`).
- `scripts/og/og.css` — internal header comment block.
- `tests/e2e/flows.e2e.ts` — single comment ref.

This PR fixes all three. Surfaced by the audit pass on PR #60 (release).

## Changelog

### Documentation

- Rewrite `docs/DESIGN.md` companion-artifacts intro to reflect the
shipped (`src/styles/`, `scripts/og/`) vs research
(`docs/research/design/`) split. Update all in-body path references.
Research-only artifacts are referenced by name
only — `docs/research/` is gated off `main`, so a link would 404 on
production.

## Type of Change

- [ ] `feat`: New feature (non-breaking change which adds functionality)
- [ ] `fix`: Bug fix (non-breaking change which fixes an issue)
- [ ] `refactor`: Code refactoring (no functional changes)
- [ ] `perf`: Performance improvement
- [x] `docs`: Documentation update
- [ ] `test`: Adding or updating tests
- [ ] `chore`: Maintenance tasks (dependencies, config, etc.)
- [ ] `ci`: CI/CD configuration changes
- [ ] `style`: Code style/formatting changes
- [ ] `build`: Build system changes
- [ ] `BREAKING CHANGE`: Breaking API change (requires major version
bump)

## Related Issues/Stories

- Story: PR #60 audit found stale refs surviving the #61 layout split.
- Issue: n/a
- Architecture: n/a (pure docs/comments).
- Related PRs: #61 (the split), #60 (release — re-syncs from `dev` once
this lands so the fixes ride along).

## Testing

- [x] Unit tests added/updated
- [x] Integration tests added/updated
- [x] Manual testing completed
- [x] All tests passing

**Test Summary:**

- Lint: biome (37 files) + markdownlint (11 files) — 0 errors.
- Build: 111 pages, 97 scorecards, 96 badges, 0 orphans (unchanged).
- Tests: 205 / 0 fail (unchanged).
- Final grep for `docs/design` across the shipped tree: 0 hits.

## Files Modified

**Modified:**

- `docs/DESIGN.md` — intro rewritten + 17+ inline refs updated.
- `scripts/og/og.css` — header comment block.
- `tests/e2e/flows.e2e.ts` — one comment line.

**Created:**

- None.

**Renamed:**

- None.

**Deleted:**

- None.

## Key Features

- No code or build behavior change. Pure reference cleanup.

## Deployment Notes

- No runtime impact. Deploy is a no-op for `dev` (docs-only via
paths-ignore).

## Reviewer Checklist

- `git grep "docs/design" docs/DESIGN.md` returns nothing.
- `bun run build` and `bun test` both pass (no behavioral surface
touched).

From 1d80b4663c9fa987d95d0c9e76052a91e8524cef Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Fri, 1 May 2026 01:58:19 -0500
Subject: [PATCH 2/9] feat(spec): vendor agentnative-spec + three-source
 spec-version model (#64)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Wires `agentnative-spec` into the site as a vendored snapshot, and lands
a **three-source spec-version model** that
fixes the v0.1.0 footer drift visible on anc.dev since the v0.1 launch.

The site now has three distinct spec-version concepts because vendoring
(we got a snapshot), scoring (anc was compiled
against this spec), and site reconciliation (the prose has been updated
to match) are three independent events that
move at different cadences. Each visible-on-prod surface pulls from the
source that's correct for its event:

- **Footer** ← `content/principles/VERSION` (the spec version the site's
prose has been reconciled to). Bumped
manually by the contributor who reconciles `content/principles/p*-*.md`.
Honest claim of currency — lags vendoring
  on purpose during the manual reconciliation window.
- **Per-tool badges** ← each scorecard's own `spec_version` field (the
spec the CLI was compiled against to produce
  that scorecard).
- **OG card** ← anc's self-scorecard's `spec_version` (matches the
per-tool badge convention).
- **Vendored `SPEC_VERSION`** ← `src/data/spec/VERSION` (whatever
`sync-spec.sh` last fetched). NOT used for any
  user-visible surface — kept as a reference / diff target.

Implements `docs/plans/2026-04-23-001-feat-sync-spec-plan.md` U1–U4.
Plan was refreshed mid-execution (commit
`7afd0c4` on dev) to reflect the three-source design refinement, the
v0.3.0 pin, and the dispatch-already-fires
discovery from the cross-repo SYNCS-doc audit earlier in the session.

## Changelog

### Fixed

- Site footer and OG card now display the actual spec version (`v0.3.0`)
instead of the stale `v0.1.0` literal that
  shipped with the v0.1 launch.
- Per-tool badge SVGs label with each scorecard's `spec_version` (the
spec the CLI was compiled against for that
  scorecard), instead of a global default.

### Added

- `./scripts/sync-spec.sh` — vendors the latest `agentnative-spec` v*
tag into `src/data/spec/`. Remote-first with
  local checkout fallback.

## Type of Change

- [x] `feat`: New feature (non-breaking change which adds functionality)
- [x] `fix`: Bug fix (non-breaking change which fixes an issue)
- [ ] `refactor`: Code refactoring (no functional changes)
- [ ] `perf`: Performance improvement
- [x] `docs`: Documentation update
- [ ] `test`: Adding or updating tests
- [ ] `chore`: Maintenance tasks (dependencies, config, etc.)
- [ ] `ci`: CI/CD configuration changes
- [ ] `style`: Code style/formatting changes
- [ ] `build`: Build system changes
- [ ] `BREAKING CHANGE`: Breaking API change (requires major version
bump)

## Related Issues/Stories

- Story: `docs/plans/2026-04-23-001-feat-sync-spec-plan.md` (refreshed
on dev as commit `7afd0c4` mid-execution).
- Issue: n/a
- Architecture: cross-repo version model at
`docs/solutions/best-practices/agentnative-version-model-2026-05-01.md`
(refreshed in solutions-docs commits `bf83c71`, `47c84b2` mermaid,
`7201181` three-source model). Governing
pattern:
`docs/solutions/best-practices/cross-repo-artifact-consumption-static-sites-2026-04-21.md`.
Sibling
reference impl: `~/dev/agentnative-cli/scripts/sync-spec.sh` (plan
`2026-04-23-001-feat-spec-vendor-plan.md`,
  status: completed).
- Related PRs:
- `agentnative-skill` PR #11 (commit `3c3ebb6`) — deprecated SHA-pinning
across the skill repo's shipping content;
the site's lagging SHA-pin removal is captured as P0 todo
`019-pending-p0-remove-skill-sha-pinning.md` (gitignored).
- solutions-docs commit `7201181` — paired refresh of the version-model
doc.

## Testing

- [x] Unit tests added/updated
- [x] Integration tests added/updated
- [x] Manual testing completed
- [x] All tests passing

**Test Summary:**

- Unit/regression tests: 206 passing / 0 fail / 568 expect calls (was
205 before this PR; new
`tests/build.test.ts` assertion verifies footer renders
`v${SITE_SPEC_VERSION}` and guards against the `v0.1.0`
  stub returning).
- Lint: Biome (37 files clean) + markdownlint (19 files clean — adds
`src/data/spec/CHANGELOG.md` to the exclusion
list, since it's vendored from spec where the line-length config is more
permissive).
- Build: 111 HTML pages, 111 MD pages, 7 extras, 97 scorecards, 96 badge
SVGs, 0 orphans.
- Wrangler dry-run: 367 assets, 237 KiB upload (28 KiB gzip).
- Manual: ran `./scripts/sync-spec.sh` end-to-end (remote-first path
verified — vendored v0.3.0 / `5cea8bf`); ran
`bun run og` — OG card regenerated showing `v0.3.0` from anc's
self-scorecard; spot-checked
  `dist/index.html` footer renders `<span>v0.3.0</span>`.
- Regression-test fix: `tests/regression.test.ts` test #6 (install-page
dedup) now excludes `src/data/spec/` from
its grep — vendored CHANGELOG legitimately mentions install commands;
the test's intent was the install-page dedup,
  not preventing spec mentions.

## Files Modified

**Modified:**

- Build: `src/build/util.mjs` (adds `SITE_SPEC_VERSION` export +
`readVersionFile` helper; `SPEC_VERSION` reads
vendored file at module load), `src/build/shell.mjs` (footer renders
`v${SITE_SPEC_VERSION}`), `src/build/build.mjs`
  (badge call passes `scorecard.spec_version` explicitly).
- Scripts: `scripts/og/generate.ts` (reads anc's self-scorecard
`spec_version`; drops the
  regex-from-shell.mjs hack and the `SHELL_MJS` constant entirely).
- Tests: `tests/build.test.ts` (new footer-renders-vendored-version
assertion), `tests/regression.test.ts`
  (`src/data/spec/` exclusion on regression #6).
- Config: `package.json` (markdownlint exclusion for vendored
`src/data/spec/CHANGELOG.md`).
- Docs: `AGENTS.md` (paragraph explaining the three sources),
`public/og-image.png` (regenerated; card now reads
  `v0.3.0`).

**Created:**

- `scripts/sync-spec.sh` — remote-first, latest-tag auto-pick, `git show
<tag>:<path>` extraction (no working-tree
perturbation), AGENTS.md filter on principles enumeration.
shellcheck-clean.
- `scripts/SYNCS.md` — cross-repo sync map for this repo (was untracked
from the 2026-05-01 audit; ships with this
PR). Includes mermaid diagrams for the bidirectional data map and the
three-source spec-version flow.
- `src/data/spec/VERSION` — vendored spec version (`0.3.0`).
- `src/data/spec/CHANGELOG.md` — vendored spec changelog.
- `src/data/spec/principles/p1..p7.md` — vendored structured principle
files (machine-readable frontmatter; diff
  target only, NOT consumed by site rendering).
- `src/data/spec/README.md` — explains the three-version model, the
manual reconciliation workflow, and the
  bump-`content/principles/VERSION`-LAST gate.
- `content/principles/VERSION` — single-line site reconciliation marker
(initial value `0.3.0`, matches current
  state since the site copy is reconciled to v0.3.0).

**Renamed:**

- None.

**Deleted:**

- None.

## Key Features

- **Single-step spec resync**: `./scripts/sync-spec.sh` (no env vars
needed in the happy path) pulls the latest
`agentnative-spec` tag and rewrites `src/data/spec/`. Operator never
needs a local spec checkout.
- **Three-source spec-version model**: visible-on-prod surfaces stop
conflating "what we vendored" with "what the
site's prose has been reconciled to" with "what anc was compiled
against". Each surface tells the truth about its
  own event.
- **`content/principles/VERSION` as the reconciliation gate**: the
contributor who reconciles
`content/principles/p*-*.md` after a spec bump is the one who flips the
footer. Bumping before reconciliation lies
  to visitors; the workflow now makes this explicit.
- **`src/data/spec/README.md`**: explains all of the above in one place,
co-located with the data it describes.

## Benefits

- **Honest currency claims** on prod. Footer no longer drifts behind the
spec; OG card no longer drifts behind anc.
- **Reduced cognitive load** for spec releases —
`./scripts/sync-spec.sh` is one command, no env vars needed in the
  happy path, automatic latest-tag resolution.
- **Foundation for future spec-driven features**: vendored
`principles/p*-*.md` is now available as a build input
for future consumers (`/llms-full.txt` regen, coverage cross-refs,
etc.). Not consumed yet, but the data is
  in-tree.

## Breaking Changes

- [x] No breaking changes
- [ ] Breaking changes described below:

## Deployment Notes

- [x] No special deployment steps required
- [ ] Deployment steps documented below:

Standard pipeline: squash-merge to `dev` → `deploy.yml` publishes to the
staging Worker
(`agentnative-site-staging.*.workers.dev`). Promotion to `anc.dev`
follows the standard `release/*` flow per
RELEASES.md. After production deploy, sanity-check `curl -s
https://anc.dev/ | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+'`
returns `v0.3.0` (current `content/principles/VERSION`).

## Screenshots/Recordings

`public/og-image.png` regenerated; the version label now reads `v0.3.0`
(was `v0.1.0`). Visible inline in the diff.

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible (or breaking changes documented)

## Additional Context

**Mid-execution design refinement.** The plan as filed scoped only U1–U3
(vendor data + docs) with footer wiring
deferred. During execution, two things shifted scope:

1. The visible-on-prod `v0.1.0` footer drift made the data-vendoring
useless without a consumer; U4 was promoted
   into scope.
2. The user proposed the three-source design (vendored ≠ reconciled ≠
scored) mid-execution, which materially
improved on the original "footer reads SPEC_VERSION" approach. The plan
was refreshed (dev commit `7afd0c4`)
before the corresponding code landed; the SPEC_VERSION/SITE_SPEC_VERSION
distinction baked itself into U4's
   commit (`7e5765d`).

**Cross-repo coordination.** During this session's earlier SYNCS-doc
audit, four sibling repos got cross-repo sync
maps (3 still untracked locally per the do-not-commit directive; site's
was committed via U3 here). The version-model
solution doc was also added (and refreshed for the three-source model)
in solutions-docs.

**Skill SHA-pinning P0 todo.** Created
`019-pending-p0-remove-skill-sha-pinning.md` (gitignored) capturing the
follow-up work: agentnative-skill PR #11 (commit `3c3ebb6`, 2026-04-29)
deprecated SHA-pinning across the skill
repo's shipping content; the site is the lagging repo and still carries
`source.commit` validation in
`src/build/skill.mjs`. Out of scope for this PR; tracked.
---
 AGENTS.md                                     |  17 ++
 content/principles/VERSION                    |   1 +
 package.json                                  |   2 +-
 public/og-image.png                           | Bin 44975 -> 44909 bytes
 scripts/SYNCS.md                              | 160 +++++++++++++++++
 scripts/og/generate.ts                        |  39 +++--
 scripts/sync-spec.sh                          | 128 ++++++++++++++
 src/build/build.mjs                           |   5 +-
 src/build/shell.mjs                           |   4 +-
 src/build/util.mjs                            |  64 ++++++-
 src/data/spec/CHANGELOG.md                    |  58 +++++++
 src/data/spec/README.md                       | 101 +++++++++++
 src/data/spec/VERSION                         |   1 +
 .../p1-non-interactive-by-default.md          | 130 ++++++++++++++
 .../p2-structured-parseable-output.md         | 124 ++++++++++++++
 .../p3-progressive-help-discovery.md          | 106 ++++++++++++
 .../p4-fail-fast-actionable-errors.md         | 141 +++++++++++++++
 .../p5-safe-retries-mutation-boundaries.md    | 118 +++++++++++++
 ...omposable-predictable-command-structure.md | 161 ++++++++++++++++++
 .../p7-bounded-high-signal-responses.md       | 133 +++++++++++++++
 tests/build.test.ts                           |  15 +-
 tests/regression.test.ts                      |  12 +-
 22 files changed, 1491 insertions(+), 29 deletions(-)
 create mode 100644 content/principles/VERSION
 create mode 100644 scripts/SYNCS.md
 create mode 100755 scripts/sync-spec.sh
 create mode 100644 src/data/spec/CHANGELOG.md
 create mode 100644 src/data/spec/README.md
 create mode 100644 src/data/spec/VERSION
 create mode 100644 src/data/spec/principles/p1-non-interactive-by-default.md
 create mode 100644 src/data/spec/principles/p2-structured-parseable-output.md
 create mode 100644 src/data/spec/principles/p3-progressive-help-discovery.md
 create mode 100644 src/data/spec/principles/p4-fail-fast-actionable-errors.md
 create mode 100644 src/data/spec/principles/p5-safe-retries-mutation-boundaries.md
 create mode 100644 src/data/spec/principles/p6-composable-predictable-command-structure.md
 create mode 100644 src/data/spec/principles/p7-bounded-high-signal-responses.md

diff --git a/AGENTS.md b/AGENTS.md
index 16e8f53..7c586a8 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -22,6 +22,23 @@ The scope for v0 is decided and lives in:
   written **manually** from these files — no build-time import, no live link. When you write or edit site copy, read the
   relevant `p<n>-*.md` spec file first. Do not edit the spec to match the site; propagate in the other direction,
   deliberately.
+- `src/data/spec/` — vendored snapshot of `brettdavies/agentnative` (the canonical spec repo) at a pinned tag. Contains
+  `VERSION` (the spec version this snapshot is at; exported as `SPEC_VERSION` from `src/build/util.mjs` — reference /
+  diff target only, NOT used for any user-visible surface), `CHANGELOG.md`, and `principles/p*-*.md` (machine-readable
+  frontmatter — diff target only, NOT consumed by site rendering). Refreshed via `scripts/sync-spec.sh` (remote-first;
+  auto-picks the latest v* tag). The site copy in `content/principles/` and the vendored spec at
+  `src/data/spec/principles/` coexist intentionally — they serve different audiences (humans vs machines) and their
+  reconciliation is a deliberate editorial act, not a derivation.
+- `content/principles/VERSION` — the spec version the site's PROSE has been **reconciled to**. Exported as
+  `SITE_SPEC_VERSION` from `src/build/util.mjs` and rendered in the site footer. Bumped MANUALLY by the contributor who
+  reconciles `content/principles/p*-*.md` after a `sync-spec.sh` run — bumping before reconciliation lies to visitors
+  about site currency. Always ≤ `SPEC_VERSION`; lag during the manual reconciliation window is honest. The badge SVGs
+  use a different source (each scorecard's own `spec_version` field), and the OG card uses anc's self-scorecard's
+  `spec_version` — three sources for three different events (vendor / score / reconcile).
+- Workflow detail in [`src/data/spec/README.md`](src/data/spec/README.md); cross-repo version model at
+  [`docs/solutions/best-practices/agentnative-version-model-2026-05-01.md`](docs/solutions/best-practices/agentnative-version-model-2026-05-01.md);
+  governing pattern at
+  [`docs/solutions/best-practices/cross-repo-artifact-consumption-static-sites-2026-04-21.md`](docs/solutions/best-practices/cross-repo-artifact-consumption-static-sites-2026-04-21.md).
 
 ## Thesis
 
diff --git a/content/principles/VERSION b/content/principles/VERSION
new file mode 100644
index 0000000..0d91a54
--- /dev/null
+++ b/content/principles/VERSION
@@ -0,0 +1 @@
+0.3.0
diff --git a/package.json b/package.json
index b0d7dda..b57dec1 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
     "test:e2e": "playwright test",
     "test:e2e:docker": "bash scripts/test-e2e-docker.sh",
     "types": "wrangler types ./src/worker-configuration.d.ts",
-    "lint": "biome check . && markdownlint-cli2 \"**/*.md\" \"#node_modules\" \"#dist\" \"#docs/solutions\" \"#docs/research\" \"#docs/plans\" \"#content\" \"#CHANGELOG.md\" \"#.claude\" \"#.context\" \"#test-results\"",
+    "lint": "biome check . && markdownlint-cli2 \"**/*.md\" \"#node_modules\" \"#dist\" \"#docs/solutions\" \"#docs/research\" \"#docs/plans\" \"#content\" \"#CHANGELOG.md\" \"#src/data/spec/CHANGELOG.md\" \"#.claude\" \"#.context\" \"#test-results\"",
     "format": "biome format --write .",
     "deploy": "bun run build && wrangler deploy",
     "deploy:dryrun": "bun run build && wrangler deploy --dry-run",
diff --git a/public/og-image.png b/public/og-image.png
index af0904f922dc652de4de97f24ed575f1ee44b34d..5cc49f4790234633302c148309af8d8ea50ed885 100644
GIT binary patch
literal 44909
zcmeFYRZv`A5H3m*2o^$chY*4f5L^d>I|QA<T?Y%!U<n!^xO;H7!2*K>5AK6QaCZim
z%YRRubKcK=x>aXY?T6`Fvuby*UfsR>`&QT&6<HiCax4@S6dZXuDRmSS)M^xzm+ly^
zo+X}H5e_IQuTZ`yX-dDwdW(vI^8yVU0|yWN&AYSHgVU3JbZp$`Y3FB$1jOW*4K~+T
zr&w?CkB|0VqGLa0M4FG!oE-0AzQILB$KKvreO~%`<)^17bSxZ{7q8K<aItX-?(dKf
z_gB7telJilUc7q!5)Jd|>HZRVa&dly@)83J=iSZq`Q7cs)6;EFPv_IawVt8jQ&#k2
zdgMi&H4YvT9wF(`;STC+%%?VcWWCM)-X;M)5kFAst{GzC;Bl4^!pkp6NJ4Q|YlTfn
zMnHi7^z`WL6HGxv=Wi@BKaY6oc5?IZAf<f2wzhPi7O}ChV$?fS9i(D0y&%W=={+68
z2S(PA(2)NA9*C>&=H@?Hc?GY4pAMeirIj>KPY(=@jVC5Xe&zmp>TtAO-eCL04R2{e
zASTR4rp(3=-o8G273K~dPpWDf!@~n09o=u=znNKBD5|JhOwK(OCPv4^2mwXKBxT*c
zg>wsi{`YS|QA1Bd8<dio^3~Zn;%7ux*Pol;wkWT0t!-_YSlC2AODr$V**Q3H^6+J5
zWmtcO(tMWw{k#4tFFrCcv%S5=3kuaSu~FAGDJm*>`W2I$9A{+xwW_KjKDYAx?0}6&
zxU9TXijR?tiT1Os3I#q66AeXuJxs{r2L>?<ldKK{fExo1&8qHPn4SJD`3E&f_{qt>
zsg`tHTCOsX_0<~^tC^*5;R#=RpR}d;Lu1kjn556n4&Rd#qrUraR%;D|Rr7oxaT$Cf
zVdR0p?|+A@@oBqS&;O(1lK<mj?-Z8v<!1{emk7U$Ck_>liv^hA18aeg0<EwHG_hng
z!jD72BBc-(oK>0ND2a=OA#LL80_Oi!T>j0)N;V;t`?C_8p_!R?f~|q-kK}@@l<@u}
zkfjROR+(vbS)E2zy_mXX7)T8YF))=BO*hpY4{+B`>X*~|T4itUt|Y4i|6}YDY*M=U
z!{1ffGiM@0Po<#rb4bKNY>?;VlWx}ZVxG}zk;%+2gN_)@^IGe~NWbK`(6c)0^V7rc
z>rco=8yR*I`)6Orbdu9?K|#SL`0sgvl9oY=g7O|kUP@fkGvgo=Vy8L1{B(8HR^B?O
z|5r&EPGuR=v_i@>NjxB3s{R)D%UQQ`y#j48>fkWSX6d^Z!DH{g&<=b@8UIEr*snnl
z`I>dy$<Xr+1H*R3b_R(IecC(asq+lUGm+7!?0ODv@6iJrY)xzAo!1L)Z-ilED)P{=
z;^D5M=hO3>{r`0QWM;t2@}F`;LHUOF=N!qafNFq-LW<5bkl!eF_uFzJk12f{^L)Vs
zUlp80FAYfqr&;-4{rbt%IL=1&O%}W4<{)$d^x6T2TRYTAdUof3=zMI|LVRp8=Uq%w
z688HBWmE=i0F$fbu)Cc-JNmv)cF7w*u7v)_^P808;|j7Plm#3dJLp_%#sAohhFgK(
zwM_8Wg|3}#{<rsWe-q<X8{UsneDPc=l4Ta2(c9+*`rF)cBv~z8CtiGFPtiP|i%iGW
zst%`1#&K<6yVjDO9An{J1ls-E7+89Y1xCNObG=+NuxE{~u!9KK0+c9v?x0T)#~d$&
z2d=Iv{?eUMtEk`9^IC>K6dW%_lsZ_V^!Ywr%~r93B}==jud2T%UVWP9sB=34PNf+w
z`oiot^)zcdpAHO03DE}6j>Pxnb4L%-fG^poY=lt!ls%)?Q{_dh?(s2w<prWvZ#vhS
zzS<WXv91c>WB5DZm&;SilIE^-mz>yo%}0zEdz);)zBjRwNMSnaKpWdw>w@{c4R>th
z3cRt7L$xu_4SMjEkn8SO^P@!rEd8?3g($bsE(Zh^=7GJ2Tgug_-~0z~p@$4RG*4kq
zXJRpKZATd2cgx1$hXMge0sRkMz!Ym7VTp})e)X-!MyjQBxbtw_6lE-_L5-(&Y(iS~
zN3Bcndmo&KSv!+c-f+SaOhr5)i9PznPqZcvJxrQe7725zVg!YQbEU>jb3ay&`J5T-
zW{;zZ3*_K(i+Jr~<y97t<J_Prp4!c;u|C&eN@a^g&CZMg-GEK%Z2SV;$MDAK1yGz6
z3FUsqVG)+NC%-@JFd>~xrFu&LgPj+UZJ4csIj?nnsrg+Z!&W3Z8vQPcr>0Wrs#x1;
z7cRf!qtlIK@FOuD($U}jMtS#elw+mk#tWy6g}6#U41V7=Oyl?aG)L&K-FxH!LG~mM
zKXyP5s~2=;c#wt#8HA&+eItN>1NP^{YWHD3&T8E!6Qyyo4cLSnEVp`p)qLWi^n_ed
z43b9BODvA}I36rNBx$rN%vwXPj`)eC=JwFM8V<5Pf5Y95d{#`SCLfmY#j%Mo#sfCe
z*(pr%m*7qz?j+ct=qJCArw$`;O$c7O)4#E!rKL!dkeVbLdk1-CG6sERz2mnK3C$z{
zU79gnh%)-0ynv~e2gOljw*TYJ_Wlg|isrREFTaD)?#)f;V4&EO$S0=<SgDDW*SSh`
zn&q!;SgS?%%#?l`_pd@`K(p)x{Pk;&+IZV6((9XB<o=U~P8|DF_ND2@=n%`FJ1dV7
zV8hw$ViW5XOtYG}o!4V#(!S3ULL77#$!)KCyeBe^$1BJ!U3NvifV`Nrw@Q-6<PO{9
z7%H&IGU2c;<KFU~{gc{MArqC+1aP4Tl>8_NO8c=(J>ipM-&m*Ap8mURJ8P)6yE4x1
zpOT)3+Q?13J^bN5CZGofAFTsExGpTt0cxfu7xmlf3g2{%AaqBIB{Z`<JLD_s5w5tm
z^)H-OPA1Y{0YMIiZTDS?9a*f7Gw&`hpK#v1y?k?j)}@S8;5PBx?EUk3^l&iQ|M%qN
zId&D9fwr9Tzpc->$}Tq~OPwEL2VcDk<mWJI6BO`#fOXf>tWZ+6IIm+S`QDu+b_gf0
zRMO_LfnBUTvYN)cVYTt>8u2>^4I{0!-l`212TVTzUqRV(ydI8@$Nddv5qUu-R}F4i
zX~4UwN^FukT1a!K)vLZJBIloJJ$?F^ilv`8ldC^-VG|pmoS}`lPB@c^!tQplO-w=Z
z_y!2U#+tFgk5H4D;2bspKEhdWdX8^FT~*N~UC~y-1)=*?HxI1@oa*(>*QM!Ah*$r~
z3yf!f^4XS@R?i=WzD5^K7PwreX!M32`RGpqmUhS}?`QkY2ew}Y0{LwT<-P7M|4^}*
zSe(StRN@+X)#`-FC0AX2=~zn~eGRSjAy!NH8<~~Gnl0nCd&mk5q)`yz@P%6Z3(*uK
zhky~xt2K#5FIO?<7Tm+<i3f#70TD7E?hi(|rxMg?$F1g7*rQ}Rhq&Qcm@cdQ^V)5A
zky5#EP?lZ#;dc2|!iII0?dj|M7JV1Yku_kcv2<=L+!E3|**_BX$q^(kI<cgkg2y%V
zvB6E;_%AP@lW*iOf7r>$S{MN~W2*(HTH7dhIl8%zxXXUvZH4YD;*SE|Y`?z$2T(@u
zcp3dx)Omd%J&ya`zZ4^A<)n>nEsG$27k|5NLD4pMaM`y1F4?tsTKCtCi`~S1nzGvN
zIQ@iZ@7LbT37+g#*u=Es&tAlz54BWxxpp7@gA?W=<3~#R8}K#5_2xFS5eNNfT;KIr
z1VO&_`y?RIrA((YYfqo}t5Bw^v~{Cs#|OLhfd&ga#%;}{`pgX-XV_st_KC=;(N4bP
zI26}xIF^&mQr7j}L0#QJ9<#^0PS)-SEt7HD%S?7#Ue`Ze;p}k<4v^7TPN34Q&W!+#
zxbX>R9`$OFoY~b3O>8AKY@06xV|1M>ZII1F3wcfl;%|P;>q3Muh&>ag1iadGVn6N{
zGJs!bIqv|DF}12Q2Ks=&!0giKcQ=2x8#DwBZ%uw}Gx(DJ-3{oGeH58>*_^y5P!%~v
zz3ck(2N!Ep-tqF{ULu=h`SAvwVj9lzUj`hqhku6jZ*5oVAGmWIi4<Hv`1woO9*S6q
zuo%Buf@hA)r3@b*iV$FMfW6AK3_P40N9@xNt=RtC=(NO|#RJ2{Ig%u4#Q_TdeRa<*
zndl2fVc}dU0w#7_kUR@`lrU?Z>^q;NGUnW$)Ddi@k3;yT(|iz@C3>Ld1XMlg_snR?
zD4=5ZJ@}tmC%@vs0*$}ldWeGwS)3V$_UC5Kv2*OAijtTg=G=4{nyNf>;mnJ}^8Bw~
zqgPqKxzul;Q<57d@PNL4qRdghOuc|$Xm9K7Ips%V&z(@%GkT071o%MSFXb>5_4_DD
zRHz_&g8aw+c>-5L^$_=uwyk~k{o?@eO+yjy<9<MNLOxgW7k2Q--y?%oSFeMi8f|`>
znzE0r&;dJ>n(>{n0O?%#!o13eXhO7%Tv$UY>pJ^>js$1Xl<eEhu<7Xrm@A41m)yo7
zMI(9@?wgB?H`?#Y2WPw;xSM5(kLv`e_PnaU3j=}K8hBhs?h46OB&hoXi5=+x?yz~2
zSII=1XQLsHkuc+meAUN`RnoboxstMhN&CzQY+~$%=OO~6w=K`|t}TF>yCj7DQ*gzV
z)cF=A8*x$&S1Z+2C+vT`y#D!GqE&{{bwxufk0ks#)#RuMrSi1>+M)1<&zam;&o-*K
z9oeSe4e7msAUSzKy$17=!HE4wt%5KuF;IMmRsO4gY8|YOhGf4V2O~!x?^h3L0p$z%
zhPBnRX=@e8Sh?0M>Iw$mc$M=ZV(n25Rl;#lGt`fEkwYvxKryhwnC%m8U+$^;&v1sL
z<>%n(NU1x-Zdihu)IbnL3*PcBO=lC-rJlNR^BH!<8O#XhPd4VKFBhD4XVR^0JgoRM
zdUwboZ(E9_tZy7|eR8Aas?&R=L1RgBEb3NXVej~jcY1O{Un>v*G_T9bskm~v4Abi1
zDhf3IF8kW%@nYcf=q9;*n3RJye);Hga1_Z&lM2#Gl!fzl`rmVsj4yJ$@__Ep^#&L#
zujP-TLn~XTO4P#ShU0gJV(*?KNSD~v8$SVZl{`so?cZ?ws%DXmtGkaqV`V!5iL5Ia
zvblEG6)Ne>IY{aTn6XYaewzAtVvZ>$-}7->o<;ujKds?@(L81ak`LiIUYdqnyfdK~
z9Sd6=3)tL9u@36@$gc7H3{KZ$0h>VfAIg1A-4v`<{)=jFvP#D}0Q;^&saOF$!D6iv
zB$+RRPJA}Dh?XQXqwjB$v$BjHl~$BZNvB1y-$@h&0Qu7~X>OdHoc@In{_|QUdpzOR
zIuY1C`-6N=e{F)$be57pjff0pyr>@5(G5&lY5JA%(q!3+U=4>5M*R(mg+-s6T=*un
zUI$lINLhl8dm+AShjTh=#FQpY`rz@h+jk)e-UTgnB!3EApqxCXZmfZOgtjOM(0HXJ
zo3Kr$?NxUEvld)f-$Wmv)x1NExxm<)D@-c<1#|Z%IC3hq;1f|fMp30Ga<QB?Xc{%5
zbn5dchgV66eIe^^nj24v-^Ag5VBn0SYOaeki*ukyRt#y97O3SV@0+kiO463IoT(v%
z+#<)!N<Ox}W)Jjev8i(2G%rxd<dnn|Q~9hj%QpQmucl?-`H;)|j+=dZEhnqHt$ru#
z1}Wb5YWRmRZVu%j0pykEpbhFvoKl-9$mM!3EDKB*_J}WN#og{4FS)_yRcUZxv5isn
z!%;if8dD(go)2K;#zv)KFue%L?ii{fM{RzSc1JjV?*x<u>>gG!m{OlCvk!mu&v2D~
zkMOpuXarZReTiGZ)8Zr~znN)qtE=UV*&rp(Q}li{F)M4qv5o5b<ji<9vt<wQ`LL?v
zd9bREHTt9!wmw){{hJ(pPF9pHF5G{LJ(ikIZT=mOI$Y}CXmXd@I^e#!TrAnx7<n6L
z@an_TbHOEe4h7`curW86pU+b8#>%<Qk#&JI3`RvSwR!OEfnLr>izoy~4tj#=xS{<A
zW{e&-QF%Syok}IfL<2C*dD})Qw&(Ed{ib8BYbn!8I}0FCpRA>R)hBk7#7%B9GHN*I
z9!}bZ<s<rQt?t$&*s76gVYumG_1>^qSu$rRZYv3c*vRf-ARcZhn|4UR-JSL}0F9a|
z2xqZPRKRIdWpuQCu}viqy#Uwo>f#H?W4HI&09hS_!$HZSZQM@2{{}KUzGr1S+Lj%;
z5*O=&=hr1!e4fiOkE09y_6csMhucI(TY=qL)>p4)(2vLb9r?>VzD`8$2hOlQ?|GN8
z2kySeT!T9HuppuYR~CsD3AGWP7WQ`Bu58s;+rMn6Sp4tDVq+8)c6IlIlHPVdHi?Sp
zk{-q|^Rh;oSq(rDO+iCPk!ew5Ha&Pad)IEVRf<(JPKrYH&{p_d>6qJUeqLp>es}4>
zpl{2zd{J>IfH%x7%XVMneCPn%YJQ8o0Wqmh=3%3ZT`?o+U`L=4SoM(#B^pcgmM`)H
zWs9$5)7S0LQL&ALXf3OtEQ$$S;DtZ$5X0H!<^l-%Tyrfp-PE)_nj3bhulTv^4R5ax
zg8Y8pZxtaga^AN>oPJrIj0}tML)L3=CWS$jKHB2d*A~xeQ+#banl{56EzV11Zu!yX
z7AJ$6ojRP_pwTbpQhvDG5FeqporPH)^p36kD&Q{FV9)*6miK@&Ai<*YvpmbP?z8Xn
zUh6D%(L+r($=ptVm}<z^=lxz{6t)>wIbtXU4%}H)WkB%Dm+VQxaq)Gmju%G^ctUh5
z<ZF}^Efxz7O_0B~u+?;VM?`CEZ_*~83sJft$EcQv(>});IbJW7*bm4zRZX-`NEPJM
zx3ppz)8)r=t8Cwt=;CNJ#Vq_%`Gho8vB&E}%YHHp#kl4IffYdP1ROlvWpV)kg#6YK
zl2^Zy99JASiuu%d5XqmkS#O_vF$Gu>F9-}fdod5IUQumK)}gdeZD<v*pMk3CL<Pf!
zz#54O#?5`Rx*?nA-*eLwmFeqoiZiH|;43@-x_Z$wL}{j+*N3<@Izx8bgd7259wp2P
zI_jwtm!I(57E+2E_LU2|3!c9jgWk32obqyCd|`H@_@aF-WlVPHZ~ywQixPLFStVzQ
z%s8%Muvu<+l^1>=Vk}b@37?&SGmr^JO^_!wYZX80&<39d6v5|%b@oreuF=g*d58J3
z%kxX5k+*bqb!G+4-je-53qj%mmXd~>;DR99eNau@Jkq+GhV$^i>JSsci(wM)r?DrI
ziWr!^h-voCu^%3$2T#5@VageA-y7BPFXNJbT4|oFoEB^C-pX;1zi5bSnJ(+WMvT&^
zOqLT?)-0wPv_3L*$)sxZoDeK{A4Pf(=16>xFQ)1Ldp_RMdDO&3@1don&+LKnM>2rj
ztIEex#|#P6u-B!0ZXW;CnZ?e83q?~w7783bKMTxAI%Sf9F3v}(8gL5PO{F&|DAz=^
zt4t*S!qGclq5PQ*E*|Z!{`D;WzvKT};QxaK)@dZD-EdG))~VIa^D$Wpt4?0X<Aqr0
zB+)Wg*|$k{+$UY*@L_%n4TqyZvcIt@s-3=Gz*Se8BC&i~Ygv%OVibowvp~a@4pxX1
zm-$ewn@+8p=vQ`6{FL+^kE`tSA8pE6P0nBkn#2~i(ZP%F$)__JPmgd_hlh*F#%!Of
z>FLj0<xdlqkr;Ohk<zZgR4kY_<&~9{4nCf4w~<@{m9N|7e|RG*IA|uX&-98S1!78%
z$^9lYL@qUFA#K5J^}}V?-}wjp9^~&X4}BjdZ}09J9J4+5)64oTIl5A?r~|TZ+ph{z
zzJ6zrnT||+IwJ5ub|z^lrX##{NYUFJK!Gbv-N5~tM;mg2yDWvIIi>tPQ+TYgu9)(d
z7HMBdGU)V`<Jmo<uP?#E0)^)M0>y13zmEs!8ZU_m>fu7WdT+3?jj1NQ)WW15{wZpw
znM&`T?(^a_TdL;=c)(pf+Mw={XHg5qAe{VO^j9;dGC_RE<>3nbpdSkJ)764oy^VE>
zH3p(?O%L9JMdKNN>@zpBy!@#~PSU&UvM=kbNC^$MBYB~noQ61wLFUx6u!mH-d&$%N
z;dGtRa6Pg{W^uY~Etk>dJ+cgon6V<&dH4F1pv<?|cGa`DfkLsF{N7<qN+vnZCb|{$
zh<)O>U^JF)Bi+H$Qa?C&{b&EF*<Tl)1ur#cIeeI0mgnjT2>s<tiHRuv&Gh3`3#}u(
z0SfCdUfK!(N-s{=e-(eDa^r?J$ZTJs7#iRP`4~m^H0y3A|7^qpV`aOQ$JTZ!s+Rtu
zaHv~Vz$T8-gZfO_Wr)p#?*oCGUYW1%oyMb%n6e$e22Y35Pe$xAKK8#7Ee+NtS{%xr
z`n$P6<QOW%tX$sJqVSOqwM>FP?LVWTmE|1APXyySo~0k6F*jLZM?B=K!kcoco@yM$
zZY~E8L;R2{X^BtH-q~b%F@EPgk6-IT>Nk)Kpviqjr2wrDs<_J43^PsUoY(1i<!26n
zUE333qVh0;D&6Fzu)Ef5C4xq80)TBM85G%{ZCOBid{ad|NmTB82Rb?ytufwNYfLIz
z@jK-3e)s9QXMvDfx^KR53qvrW?#~dF!=4>fwIi3yG%+;c31VP!Bv~y7ZX6-MZO3I?
z0(8kd9PjdhB%dmD93D=iZ!wC&(M56jp1$`Y`=+lV8dS1Gy!JnIeSJfWC^j}rN^;}9
z&cq^4#2a+{_FJsUzr*xZ;}o*$vdz(_ThZVCBT*L8zWq{e0_xJE<iCW7E^Ksd%~x|Y
z7rjq#`g?Y~ka}lW6m(@c@}ty}B$s#5!2N1=C{Ga%?GFAU_Si@dCZM=o=1d2F^l8gf
zAv{*BmYeS3*d4|pSQrJ7?W+5^r3u*U2D<S+ETawbSciWn=cDWA!&3L{KP_Jv#*g|b
z@|ZV4gpA|<{FNN!<x$2rk@2Rg2=)`0l_#zWaNPI)tWK#YnG0T)4~bUb<PCp^&xDcW
zvJ<0<<n5ab09Vyh*m;8jJ@6YsLX-p*kz)yQ+Ze;V7PcAVhWl~(%q|bq>Mi|k6cq-*
zGmb=o=~1v@8Gom@->ZP><*Q6Doo8nqsN3+X3Lt7LWsgYoRLpm<ceH*wtI=z0!;MGB
zE0=J3t?D0g3rYWhb12zxLA45ImN<*l2Rnm4NtJsLb0iv#vnRGG@l~qJl4}&m#-*S}
ztls=sbLZRA=^0JNVb5}5#fo>d8*=euwoBwm*G)}Re#-u6uZaeU$oK!k_myQU)|7~b
z?FZ;%5=Es4Gi8{ZiItg~*&jCMaxIeZ%)wClim!NiUuC?>dSr(Vnax#>!<-`{Z!DQj
z>t@?1j*k`TGxW|}BBx(ytC3bp$OfERnke6&nQEQNS}W}xDOR_v7V&hX37nQP2Zj3X
z?H7$0We`=DP5`mBX<4GNWzS@Og(w$OQ&?9#N5^4^m=a%A8+Nr}?nY6TXpPBeLM;b~
zwZR30&Axu_eQ{B0y>lUr;Qkah&t^rto&CYDvjm;-`C`kdd24(CJLRsSpG{9zC9>-9
zr<CGrP^nJoa-*5=Ocp&wA*HWPDu?L=ng+9Uoh3mlh&VKPv?!oHQfsiHl0EV_%Z9jT
z4}5p$wvrwj_h2PCIb6YX0bZ(=D`lkP3hn7EkZopXGoq?4)~D60l+kHGzMB6{RmH?>
zTc|&~qRe3rZg1zuXJ6I?6zk|ToE{|5c{h)=%^yyxYwq+;sF02)56mc5K%y$azs=82
zAIkQ9MQR>D{kbLtl(8o9-!MiPF69LiO>f7$;;?GnBZD4Rnd*mVq^hyhyhN%fbr<UE
zv~i~7l0x^sP7u#b%+p6n<7bKq6i7$W*DD(6CERW$^9R8?>geJJ*%r6V28afkTVufL
za7{2B(QTmAC=l){?*mgOb;^K=wB@^N4W46x{_0H_ArJ^G7+~;&ua+MCVqS-#6q~qD
zacNtBPQN$ytp&lhkPmUsT0&1e$!oKmI=UkaOBXf>yrA<RccOYR(Z0b-ohFXvxT&@+
zh?m~F<HCaNFm*eEs9_@~KcOU@d+y8p>fi1F14tV0*OD=~L+1%^>~wOF9bbHu@I+IJ
z*}38}1}Le5L-#>9Vp(8xTw6@GJ><wm`L^I1J@n^o3bwA3W@}&Uhy_qKd7Ln@Ikw)t
z^GDm1X7^oZ=a-}{nsC8FySR+-o6r}%WyZW0zIyj*@@K+>KToL927!Z4VJVmO(QI-_
zGZ1(kv?`!LdJ`>Sc^)iO`P#NlMt4vGDPW__hv(nwP{t0{+c%76ghBEVlQnfa%?wz%
zeeomg9JunP>H~X9BJ4AVpr3m&C$J<}ky!2<{o0}Lb|11Fbl%bTv<Mzrh)@^3QdSuQ
zoj#|=w)fx{78>?^t7rNIsN+beon&Lbkq3U2Nc*R)cLupk7`Z!VA7NS2!{rY5DGJON
zXoD4h8KyoH0WImXK9Nx3I<OD{=x~oCa(?ZcjRokN3VAnk4uKAqZ24C|MBZ`d1P#)K
z2QV4BV5S~~9Z4+r*ug<V{N#+IM&o#!VUF4JhS9oT>_$aeTMGl+9e&tgqDHgERxA~r
zC>1!ES7d&Q<48RBD32Btu~h`Jb0%czJKmUlJCzV;Dg+jW{v&*qEI;kNXNB{y^2l>2
znuX8ROV=9`HrbZ8=~0G@6<XH!15Gh<ARYe@jBkgJ_Wgew(zch5XE?hY8?kYt9Kcvd
zU;kmt))_Nw2AB(o$hzT35c@)RgrNI69?w3ItudeEf*BAqYlFHQYb|Rpae+Eh8{AUj
z-*l<|PIK^c(k`p`32Jn0vvI{qJE1dAlZdm##b4NB!h*3g(^_IOH(By~Z0hKY-&^<=
z9f?0GkO*r`r2;~hfx@@uBDTN6iEB+0%18i01E`9_bOKsJ{6?-#BCvx~3>cu<l#x9B
zMxj-YYBLV|Z8s{e@{Qe^0W^DOV7ije*3|W=ElP{F{_D(CZ;wiK3yg`7zn;I&sRm(~
z_lxLp*@|14dfqmfX%IFTtCOdBBm-gm`A>24evr@HW~5HTB6^U%8=;^P*hBN0l!H`a
z{L|^+@ifWdo2{Lz|H%bdXy-(gjP%y7s60j%lzS7DKj+r2&yZQa{kyBURr!)}0>H4g
z$*5)e&R><kQS*o&k0SjnU~x6~X(H4JcG>OAR_&ROL8dkxcrHI+_jaAg@b-HXgNwin
zSvejmF5-W3XZi@b!OB^4vyV;_Z9m_`O$X^m4wOC{LGi<aEO-81XnmmFh}tLCc6d+`
zT;BK*j9(S%{KWd#S>w_=$5X|NmT^*zDB5B@><fTxLXA?`Ktq+~H{cx~FFjM~cb20)
z-B8_(lEt75b`n56NtThuwzHsVlavTW1Z2&*A!H=a&bu)!l6^VDKF&h?O)nQ$t7`tl
zhf0LY42&p1Z)Dgp%*rKfMv|6=S9wl)V$ZcR@$VM?aR{ugwerBP=hLROc+RT|16m|@
zEO*T>xgKsjqlyhyS31aH&}zFTzWq{$i&|57pL3WLJF$n?-X$=b^*Mxkb^r)h)VzyL
z=2a_txq+AQqSJqx-A;?{@Bkq=K9HcTx~r>)i{a_wb^&fmoQ?si6+%~f*xc{Fbp-%f
zi7~zYwuq@ntKWEGW*H;Ln{e1cKNZJSY9Xx`yUrWsX_6YbIy0?|w}t-*b2<Keoj6NT
z^y90o(yZp|)fJ(>oypLBeUaEVnb4H41D3EHNHErL7==KfxT?TyxndpiL8Xi{9|qci
z<M5{WhXw7c%DMT1T?xA;zV1+ha(Y)o=|lSFy*#1=g@g)|aS`*r+{!ve_(l(JYgyx=
zV}D7K@_|-bmHn|cJXNuVLFZB+0G-%guw{31()kA#1lkYFFR=|PM8X(non4iWS9z1U
zVDGV`w3b*Ulv4}q7oZ+0z={Tt9E1hLWbM^JpDFlwR@kLStc<DFbZSn_Zp`AAmuZZH
zEI50tuiFZU(W^Jpb3AUKDuZPWZIMvEM1?G>5r#jOr2(gwuj(5*|0x?z&#bnaC?E=D
z$nP@%sA8&i*4YiMtMMK$A6eF@cssBvj3}Hv5e|Al$K@8UDyLrjai;+Kfq*;<Wli<_
z@Tq3e?bywrSp!ScuLI{7j8xugGa(6eGE~#f5-C<6Eu%w=HC?5`bQI)VJ5+RYy7ty9
zhR<E!?yA9ItgHQ*hcO?sjnokz@#|u8`)g<qV}oa0?t}^DPvzCu6_st&h*A4YrtR&m
zJ4~-ZTf^y%E^`phWPrILFrQ@67RO-9JI6v=Vx;Bw=UAWce1LFTo<y9rAmQqvH~;(A
zUwc~CtD+yqy+2g>#1!bJ0ZBN?{9*4%0@L9(>x3)0zupfXGZg;rHl7g)ZUD`j)-^JL
z1M(oMAExS?W$ddx2B}&2m20T*AuEyenV$}l2bjxjq9i`l1~woVnXwIr{)W9`!^A-R
z?g9{c*{jT6g>AX4Bllx@A3*&Nn8c9`_pp^&oU)wOoT_64h@=azS6C>3UZ6S39OU|p
z4yc+e(h&e|7l^bKTjJN7zE!RNkc<J&kqi{R{@CmpCiyN9os>;@*<WZsmf+cg+e*m{
zp5->Q!Cr*1mhCGvYA?&CRP!Ex=(bnWf-yly`pQ8rXD#vZ4VFOIzuB?kwEBw*#iX7g
zbNX_>Bl7}7Xf$J;;e&PvF`#qIIjsP+pJvWkCmmk8d8^of&zC??Yi<~mR&OhnK(hPG
z-J(Qf0qG#nVjL|Q)8jfr8#b2Za;EU0YinjONrH?VA)2HhW>QIGjYX)h#!#6;O+xbx
z*YYFlT6Zf&4mI;6&1q}BzGtz~xpBDufW;IW5L?>A$F-|NuGQtQ@hd`N{KUg;D<Ty*
z^3jBl-3d-DCd63sL`-`rDh5KB!iok>wmWx8nQqwuJ)RG$YGUJ^kGwb!3+?wu%nX89
zs+hYR!11-&G1`KR7A&$F<MC|g&x!;whQm;E)yoWJ%8ENr6~Z;PDL<|Y*6|MmraP#5
z4uLu{c&lDnX47Q0mI~jTbRT}6GF$T1?X`hg;E7Reg3F2|XY#H!d=pU$hU@+QpXVhG
z2|4pr4nhb3x>2jUZ8DfURA%<tIV7gSAG^vj=mvDO1fv1&1n^~?Vghs8RWE5Q(wk~t
zMrZ1|c)hA{dvSq@GUUgM_JzC=l;ENBTl(dt=9mVMx08wMk9UrO`J{8N^Ot|$R|)~$
z=H1QEI!Z4J&f2`3<sn{0b%E@%64kv_mN{Rt_V}egdp{UW5&`y7H{p&QrY);FD;JLZ
zmmRs5i0-yW$M&cRgC!dMYI9Eh`cHl-c-X}CVQ(0zmc>-%#>D>l%q4L!+ms2_=dx;+
z%7WxB%&+`okRSEu^(Boqu}U95Td1ouC&eVS7Z{J8w&m$We@)kb%4<ZTjjy35o@W=r
zVt~qnlq%IS_=?sS63{MFWX>;b1sI&3wwP*Q?t<Oqm4S`gr8y(XUHYnzaIloP?}Z((
zX|ga=1=qSvejAIxp`ukn=8!w@7eugDI6-5s%Do>;y{;3mQd(iGb+29@EW_EFGi^{z
za_q1aQ%FotywpcVoFnI3#sSl~GEy&K>r{RI?znzLi#TnL2eschd;50`*;+g99N!(8
zhOsPV8)NQP_U4ZK)US4iV66vM-vqxESMop`K#kDgD~PoE=9*tI+}wSzm%QaIqGRt9
zyQ6bUSz|#~FDJ_mc4Z>&bkCf?=1hJ*UQ#YoS&~UZs$Tvc8WQi;6p1wx$w_cOg0l_=
zw@d}5cbs}I?>y6&H+@^*+KTLI%ya@Zb@gj1q<fOkh6$(2RKyzfCl=Bd3L9patR?e~
z8giD2bP#dxf`W?DE4QM-)hxax<)vv^8S`B|qMl(Y1hn9FoZ2s%^f>$>9&v_ru1&4S
z@RJ8s%xUW=^RqQj<E?Vq^m5xn(Rl%d<5ILS5vcoEx*D}Ft0&k*7Q7w)lSv>6ER%bw
zHvQ86Fm-wfMwx3S-=-%wCLg1{jEA0CUYzvjFIq$zv$T<yjj~*V!MRal#>MF!b?9eM
zTSXBbFU_c0UjBy8#w)BO-Jd!>3DY*>#N6qb<;uslz4@#SU2%-Qh0J5j&OkG3W+Iw+
z*w}m8j+&g`lhlm%c}J+6T4&g3ht(o|Q^c8-snYh~j?(LbIHyn+|M~1hQ#?(=XZ7CJ
zehFG?mKpD23ReLa9?l%gRu@CO6IX7g_{GL2U9jNIPp)kjKdSHE0XQ2gNCmh}JI*#l
znR*qIa6GsVpttXwrURHV!3Wskl?S>s{_l6>dB#I+TB`WjNn{p)N|@^*`|9#&UMng(
zexNs0jg@gl`O>9SlDzg8sAYAe$QK3gyCEc+r<<*cA1=ZIzpPD2PZ2S9)Pxe-yB;;=
zewx*X`Ou<a52o2GK)>^OKAw5MD-SoaRnVa-x&+A=aUHE+;Gz`<twR+^5mw)$4az5Q
zv%hSIURjyoRq-b(*xVU=&6ztRW?XHp5B8Ql2A%))JOJsHeh4csW6%)+%;NaVjcv+k
z0s>X6JuUnZ^jn220~;xd>B@rBUoDiRWdPu2iXde)H^`tVA2H$*I9KoIM~GHdPTKn*
zK5|}}A#kuh00r^u{6v3O=*_-aiHZ500pRYi>iA=ro}z<g5Mg~{gIpc`i(0mpoHn7<
zd{dCg(kiDcgMkp}`ar1iB-|_H4O0;I38?%7VRW9uNIK*+3U;;Q+P%7o)0!vXt(rN+
zHM-v`I=mehoXUIrj>c+O*5|pH9!$i|w)}<-oJMyi(=XrUN@eOZ{j$;DO5$>ZJs4B1
z;_V(*mA2<bK;m*tW7V&QwmjA3@Dso02DXqW$cxW;3}E`6n7_KyKjw=B2BFEnDR?zX
z&DY9T@?JmfWI_zdYMaa%!3A^VIEJdAaamgvty}fXi4XH7=Zd;zMj^(L+~pD-TR5t(
zA5Ji*`#SV!i<@$WI&G)Bd>BNDE}K`p_cE*6pZ3y^+qgtkVvF06WgNUkH*t}6N0Yew
zKW>sm)jMEHA4Bm0<Se8lB2BotLGf9m7+D8`Vx!LK+#d|^R+nyYTrm}K`6z3Q!%~O8
zD+EaM!*U_~N$(i!iDceny$93~0UQ*zL<@rodaU_EQ|3MhKI=hku+CKCb(&>0ZROWv
z*F>uT!z+i`*#z2*QvHeuq$7NGol-=JMMc5)oSFB}zF+o*kndo>o&380<O98h9t{M>
zSCcae{ft^NaT#xuGV8~?cj4RatGjY}xX|dI&T{ZkvW2&;=z@*17%sKffx54=^yGxm
zp`hcJOjn~iR6P{-i%B4=u32LM;>z$_*}3#w>Q<BE-wHG1vRjW~**hL?7;vc~0J(P`
zN9(A2Uj+bvAHHG+7sTh^q+LI6#LT;LBKm-Wic*c(T3>2o7aOSnqG{Cq?p6%#0*-o#
zqP>Wx>grxH?VR_k=Q#7QJJ2!Vy6XTcYk~cNaU$h(mBC8Q@nD1&^UBpi{rYQvuH#r4
z^#S3uFpF?l+wmA>S93`@`Ym8z6it!)eKCk}@;5D8FC;k_v*<$TIVszHeBWBmZc;J|
zlaa4B{4qX_#IN#R78~W>NQe>b@;_mwJ?1a;7=bO*JJi4F>ujk{_Iw(TV_x;eNE%LX
z%ChG1Bt%u**HpsvCrH2wZlF_=d}6cjH;4>k7slzUs2om~i?Z<uebjrwmpBz9zvMV|
z54n&*!tdI=$Cyp}G5s&0Cu^@T5yV2xFb=uLX&WK_Hw2})2AXi8#r}F%%t54r`30cd
zUhvkn+&r40%8?fbV?eFl9!^|LQ0z@oe&Zf-1k2c&CRt+R<u4aFPs>>iD_rgp`(~WT
z(L9Onts5vSUR|f6MI)FrAOCDd3VI1O0R$wi`9%_gyv0KAbzNBAk%{h5nZm+TX=YZR
z?e*70Dn7@>2Pf1B(O&#xy=opuD%Hz6J+E<3zQ0ZbQ7I8nQT0_86)TzNbs10g(o&m<
zRi+arLozZ^i$|wqIx2G1+#uGwKhF4&Q&U4G&VR>#3NI0L8Y;>%fMGEWM~pc@ziApX
z(PCqpCAuwk>B05NXRnNc8Au=lHIP<bdk%h^==poK%^{B-afKF4@lrP$Z}z7^&9@bA
z-}LHC<Z;pih{|QiD>8Ie0s0@uqv)r&PyNs$=v{#eHJ?U3#uMH5d<(o3p|I_Ikcj3`
z)ZTZdL{wI8=Z+8KXw3_O@&hGyS!};mcUZY-C!_K*>Ug(eWe2}%BHwaU6>Y7WoKk&x
zy1r27{9FDjU45n9IPo^mHYzXV%3p_nIo;UC-!({pQucYXBVu>0p}y@KFy<U;V&%pU
z$~9<irwsK?%iUp<J0Gj7=Ophg9q+e>Wx|%QW{WYB$d4KFNr*vfnG<|&qpf#@fZ;SK
zKi=_js`eFVV!$Dv`fdGp-Z@BbG5JI%R|P806)CrZ@BFYh!+e4&GF)9YgIL|vFGO{!
zFX@aac&qrO9V0kR)mtXwm~|_^Kc$o(*VM!<m89n97^T|Mx2hJ3W3_7VF(G^`Be^0+
z@HWSYul>cRq-tTqwhJk&bl=K1Y<qVMyV{K#bj-b1^$s56WI4@bNexw8!0WkLn$-N3
zaAJ*$LEQrAVz%)qdO&WBlN+Q=VJbrQp=P<=xIh!6qH4F7E0l~UUVIm0$<J2hg4xqr
zV~1MyHTnqalT-!UtJ#v<x`<Swt<Y?h-5vmrrjF6`8Mo-}^i!Yj(~xv+WUMtN8|}&H
zLKA~424({_0rq<(w>jfXlrDw(XYZCKz6^;x83)jlG;6~Zy_EOSc&S^TwNkF$vDMPX
z^<!`DOhyyi4^2({-4$3P)AZ#X@5}iE7OkX0C+d;zkTyrln=){S8{^W-zJhEvptPj3
z7mwJslnMAaa9DM#o6f%n({7@^Vh6v$gw%9JTu`COeJ1*b{tn=H_9edghueE529et&
zxNSldqsOh(mv`aflbZnrY?{JJd@}X+h6-=h>nZ+}a?*R7>d_bFG`+B4Tsj}gqiXtd
z_m<II#|co5sP831gk(uq7ZYuzwW|$KP{1^24Y#DvFS+WDt)&d>B!JUETuN`^>z{|@
z0w2absW^*)%04I^_-plpN(+OOQG;pi>{bhrS4?2T6%%DbBY-PQ)dSuq%p||UbiXt*
z(%J;f;L~DNJz|jkdwAr{&sW+Mw+_DkoPY9l+aDWL^{#A>@1#bX_i|V9R>rO-LEGns
zy?4tq*%uIZkas`XWF9Se-t@3GiVi#BTLZ~rVUSYe;&UON%Q#^!B{-fNa=nM8m>Y3r
zEo`=X%9V&3k%18oBlXc*G5#cSpAe(rZf*d3&uEy0MR7f>mqKjw1y=gg)kYsjZ;r*r
zd;F$_W<x}?E1Yet{1fNWH0@2u>>pJXjHu)SOE)8+m6T4U<G&(Oiff(ye%ZJ6#lp&z
z;P;#=QL2JoM&OkTRhO?&l#bl3sh9TWK*rc+o4}Hg5<QM&k98mxao6ve$;j6>5NwL;
z)`OT~itAm*@ZF-+?=^}|NOM5uKAdk>&*UJ!*WvK+!PjW{c4L9#&b2kyFb@i@O{SK}
zF|d2?B0LoRhkJ3->D;;d8cix7f75iVJyc;}HluC55Yi+H13>xN;UZyoB!FH;DjBWu
zb8~+3wh7lFGPh&3bD=L@%gwhRC$<aI8s(@Jo*|$$x;^*w4ys<_{smj^3!k(MY8s`h
z_=%6h95=pkX9HmwtmAQ?u#@<`<d)`HT+G+^avJ28l^W#??d)PRh?W!4WbI{B8jlTB
z=8GL-Gxq1r?P7h{75jV~fMrLLNEAP?fg--3S%f*vLiG!9uM51wvES=W1W@rZ%;aIL
z!^x><iz5glC}fL^B<Pu%913|rewPi6B;EB>m##vCXG(Q#)9mw)B&W=-%!pNp`_GJB
zxrsZ;T~ip;SeM%PK106qZmIili?>5$^c|+8m#7bVEU&MW3|n0$dxx8X7V9p*qeeha
ziz%80VfwTEt<`XNObqsEhkHQ55k32pBm2j+w>hK=)ubwO$pkypM><f99up{rbcQbH
zxyKGJouExN-)(?Z5%rNlErQ5)phE1O4`T6UT#FQ=NNylCF835IA(^Us^z+{!x3q*h
zNb7P1)*!~69KkFeV36r{VX_K#-3Myfh&HOn2k++XD92$wiwjAnx7MLwP~ku6i_RQc
zK-dw~65<|v_^>kf^4&v&S~D#Kk^U*y(n0xk*DuEK5~~97>Rv9sNg(j${H)iMp;F6Z
zQQHA`cX3W@2Zl`+;;PmC<98_C<o&R_K|cdu@y_0~2ZZOci{-g<3QMcp{yRgd6B;vO
zDWdGA#}E8QL!61(x|W-6JCT^ynU&vrBj{RG6tLfDuzZBO^DY^fyO~mz^NfxqMCz1+
z_c)E5S5vBRv5Iu!Ptf;bwM>~V+QYu^jVDwdYI}4rH@x4}%k;Y>2l9QP-b<-c9_{On
zGiy^RGcrWG<DICXo%uMJ`|hU&sw`jf7gf3l#|a9brvM_6cLFi>l;@ja?cTq?>`pke
zSUo4X9s}AzP9tTBBc~hOF1x~jnlJ{!(gaco@l0Y(w24diMrFxus_k}Od*AZiFVFCJ
z_+?@#c=dSUF5J6$zrWD_3E|f_9>*0@>h3m|T0&?zXEY<le}!zxdMCmTI`}>6W4JZe
z7c>8$j=8^>QMirAuhYOGpQRD4>9$#iH!{0DEGrb%jfyn4Sbsllq5>_5o=F6`*hFu>
z*YbL7`n>8zeSF-u^<`$LC+OgmN09Q)hgCuM53An(+MZw^(OdQDOP^%-Zd8&?E(m%F
z)HM0!UT-!LH2Iukp9Lt#>pDEf3V&POWNza~+sU%n$|HrVt}IeUlTW_FFU3Dkoi8+%
zJaB`1SVNi5V%4YsDOWpvu6ocknQn{Juoy+l@Wv(!dF`I0Xi)fUrgTjHvAXS>u{hx1
z;2a)K-rg!UiZXQjBjelJYz})gpZhvAcPv^KwME`uWRjYCV(W{PigHymLqf9AB1J`s
z@NQQ-|F%vwq&s@+!lTWmuk5}#R0eumUG;^d=tBJ`b!JwI(VM&4{`A%O(2?HSoS$6+
zrET@)2>spI-Jt7Bwjtf9QWC})k_TMU<;D``?XM-<gK+#B`m%!0HrN;%=M!09_~I*{
zVJVY19>+J&lSd(X{h&RAk@jorel?`V)*PjlBYrtdG3k<6sp;E9tCwG=G(`cGmSc&t
zJioR`Y1`SeG2UkW-IJY$>zlGaI)iI3rZNp{LU{e&AL%r<`6z8N`&MKGjg}o#{A?w)
zoA}ZKSi1e~=xyZxRQJp{Sh%CUJF?}`W#L=?bT{Q;v{zycd(<;BxJahD(8~Gw3}hJ2
z!fb6OZ#$LbLmexPmhlH)Q|;;l>Q*-~)Ea&#A=tkHxPWhT_taHCkGYt(?x!bd`-yBM
zH1sRlLX!EYm~KZWV>0RL%WNSK2rkK6{p$X7a`a*0#>y3+{Dubi-TK;}$`ykB`r?NS
z7N;A*9bl%zAHo51`h)YJeCT;jSWBIYG((c&vnXYMkv2><vHshqi8WqGksVl9k;WHj
zB>#M+AZa)i%)ahqZkkicJKPL-I}ZO37zAiZ%y&c$a|rq}xUuY`r2l6`)QIhei0B6M
zT5<H@nOgVM`d-8{kTn;zqqzBDnItL*R#(uJvi`@G`Ip1`>iDbS(*!3<PQ@Z7f^v70
zzdRRKs}%|((Cu_phb8DikzTgXInulTY#mM-Vih-j)mB*I2R*3KTk%Cs0lFewXQ6M<
zY&4fF2O`QqNo+#C|Kw&0W*Rn#BxX_Es%@qNsd+up5xKY@qz6mZCeVt6cIvj+NOX`4
ziZ=~j=iQ7oFL=K~^6V=rh^7?ml1i@*!7KGv{UOW{Bi*eCC&a*4Jj=-_+~z1s0pJah
z7?7j91uZB-0gt^(8#ZrK5~oxB3_#oT%?&FOQ_r?@a1gb(Dzqwk7ThFC7l8o!(ER<0
zv*{OMn;{1%aK*yQw3gW>a*Mg#dPd@-U7<VMMh^Y8Jfn$7gq`d~K_O|0+weRQc5=DE
z)tW706tdt+*w7z9gSZy=ICV>JJLW1fO6MV5bGv)6doKpj{wA+2Fqvx7l0R^4m3gC6
zYl*hl_7TDgA{r!Zp5L6oq)EE>G0W1*Cl?yiQ7lAwNN$@q6>LzOu9Mm)^LIIA%tg!>
z0@4>eM=F?<+G;pQZwfvcK^b`0Er@zD9XCFxOFfKLqILJzHfS}Ls~3T#ozclDyn1qh
ziFZNi8_As`y?edi^why+ar1TNJBo$VzK7m)|8Wdj)g;~4TYXDf;u!&haQgPznsKs3
zA0-7b2c-q8+!S<?rM?$@YMMmsv$LunH!Z-3VHnboSE@(?PnV@Jy`W0QFnYDj{wi#y
zpZkbBWKt%c7X;@DVMeqW@{zD!#xjS7_as|puhqR>&urk;=;IjNuUzON)OVh{1uJX3
zL_nsqXm5l5qju~C*79h6HTN}bHut66bvvtL=sszqX`qmO?qpTxYsR+3kDqS~blre{
zaPVFZiUU@U!(vN@B;T+-um#n;Wn8&h>UPe)_a3&bTMHVzXY`9aj*O;UzMXGEDkigz
zm_EL+fw}X!j$@*ud?F@u;13OzrGHvc>tSZA!rtU+qN^D1d`t4e#!5pXrfS@!(!W07
z1xntZW2I^Vn~1!Ax@Kocx-XA@?6!LORO|N;JxjZhyVoc`nf<H+q?606^#fAwj19qY
zKBCfCc6!pUcz|=f+E<t;e^S;x7{IPp8A9aqbRqcLhRcoTCxsR1l02VlnHvy3JPatt
zfU{>3(b`Cv$pVaN+muXPrH@PZ+g4Z$c^E1RY1b_33h)C<a8MMN&u^%2rji*ZkX<|}
zy8!QVrRPB)qPq1J8jA6OF$wb8x|py|VE$ya_hAP1cFs&nJUj|~m<wfd#z*;-R1*pH
z`Kb9um(u>4e1-KcTEMjF7cpAuT(wVX_vfnTYrnIvSAgU!XlzkXL7$K6&sVmZ2n-aX
zU45(XZ)E88@qb~Wkmk+G0!8tubx~<X;Y7?zXS#&>>49Eoe*{e4WOiJ=gGdNOO-))$
z&<zoyp!9N?$rQi%KV}zxGfGuk$@M>=9DRv$%_gpH_{=NR_EkHJeZf6}J46Pv^NPAk
zIE*O(<G)FF25=$DM2O3horSy-Ikh=Xs^vJf9$6SpHsYBJS#)}!Y*=~yZ;5L0S^WNZ
z+JwkE{_AJVev@B%Um&=w(U7RftZbyTs~nl0eMTyTxM&*@^1b%|D4-qtj0uIM*q)rQ
zpipxfGVF>z&9vX&^*ufIMbkWN;(|2#SxoUsS%ecl@A@W+o<PguhHl#ZPaFLou3VlT
zMroeTX2g;<JXPnkm8?$8F~1Y0Uw~o>xv5Dd(fd|bY|hgDiHh{lOMR{MGr4)plZ~bZ
zw*DaA_p{!X4dndZ81B2B2j52wr*K=1{3P2)P~FdvfXYhW_{!fr32oDi0<RXu3ZHsz
z(~GaaH?nx0;`*nTSb92*WC;E@_cWqROTOwR`k!2FMT$yjwd&)!AokPsb~KIe=~cwh
zM~E;1mEQm2wmg&Z0^j{_awAv5KkddXnmAKDJ|VYYI$^Q&VM|Fjbg-m)8HI`IgUSiR
z=#zKv&p?lrY*Cl3q20;jHZhZtW=#L4l&Mhffv3=?6t9zi9hm!%wVFD1Vkcbv=SCup
zD#I~b0xq{tW0Y2p+ca!gToZPzg_E=g@uR~6)+Qqv&pHAh$5*nIxXcV;854-+nf0)P
zG)`9V|KLNGy$7fL`!BV|W#AS_0CduaF{qRK)=zmX*lW`A5tX(&;6p!@e)6ctf5HEg
z3*bEb;wODezXx^p*Q+B`0`8UU>Z2yH-Ee85_0v>tt2VJN8Jz*KlV-@{?R9ftv>unH
zOU8LmJX)>&#($fJUmjTci8xjC;Q@|rRem>Pq!F?grIRu7{}M2`-G;E9xsE&ilyX{x
z0G8jUGy4sqlpSmNn{MpUfC%d3!RZ8Tv@&{v=ss??D-Li*o#jBmdY@|f<!PS2!KXdX
zc>ipdFQDYq$s*P4l2#v|5pjbW&7PD`CY=U)7R(QS^pMN4`wT5&lL<MGxBixucc(sT
zpJmeQ{~zAovMH`FX!}iq1P|^K+y)2`+}%CE;I4za6UY!;2iM>P9o*gB-95Ow9sc)o
zo~l##2RQR;SM90UvsU$5>+0@b_wIEu@0<#UO7E;TJI}qG90D}~h2I;;sKYxe8G--9
zS^fn8e>emcJV4083@>8Em=Hx0C8XT^^z=$kKj4(AJF1{>mz)|viw+CKI-6Ln_da2*
z6_>DoQPd2+Urli~A4z82Ea!YYBYpN?vTUdAywqsD+ve3PFIdkIW>0rk=2|xw6x?nU
z!iC+@L@zyXS4Ya>dwC(idd)QLyI$(E7lt0{Rvj06a|iCm>qj=4Y9TQ5H@RN!MC!~d
zcNRw?SD{z<qIWLggD~|>W=G)67yQRP45lFj&Y4fkQvTjP8QBKxuQyaLh%4cS7<Uk%
za&O&w2lLXjhw*mb>ob1=L6bgtrs2DNeobhlA6#e7Ws#G^-uCaqv3s%EWR21b79deI
z6SJnA+je&frlin-rzxvT`6P=9wstpl1y^ILzQN_!K#qcTSmmCy=V=smd2_|&t1}^i
z6yt#hA^t+Wl=FN4=YZm20WILo+ux(vRUY=&+xe@HU2z?~?f%~_qRdTS#v}Y&3*SoL
zAOE;4#qjoe(a3Xjt#vwbpiS8a*w%x7n!0RK*3&DpYsB_Im^Hf6vl4m7M^w`ph{bZs
zLf;|Kt0T-Z6@)o^Qu|Amqnd1i{R(xNM5Be`9q+d}4x2HdEYrbOghZ~tdfD@@7w+~|
zVS?^PC2^-hFAa)#ov!|WA8TQcHpn2U6>WE|LcSL(ytc;giz~vtugW;m{oSc=9p+NZ
zY;p9gcq0b@vD~*Yg3oQ5hN+@#3@7IXA++{-E^p;FCeLyo;1G!J=ZSftXJhwWN<W0?
z?TZfw+eecH0|agOq?6JmnSpD?SJ6t!W?QEb{s!0VUgBsnu{#j|$<exI_ESfuw@g?$
z#+Wi$8kSeH-x>)A&Y8_cpq+_`9zCxC>~0G~$i~OMFa;|yO~d5F#o2aw=ulh?l$Q(A
zWqSSe&U)wanzMv^m3>luk!FK3VFz;Pe^tjLE6nxX12^x7XXXqFO%kkh{`&m3{pEE=
z00H;!qtd8uGv79)eZt}-zdGbu^vUuu-Cw2pL=y)fs=8KO+)g&b+-~sg@b^#mOTdv^
zHNa7uWJf{BA(QeuqRe6nCV0CBg?p^+TbCoapoo@OXa)Ee|HQay<igraJ|AN{E<<FH
z&+`y6Hl?wkG5+tvnhXOH?)YEN^F*`_7=}j<wNd07^1Eq+UH5bT@yfCq-W2+eT{tF)
z8P;$S)Zd*^OJAh9X^lXZv<|(JQ{yl}ES;frS*(%uhYac^i0oek?=lbUH4d|mXjXim
z$=)944bFPIE@>)?=TaGDaa(iN^3=(!!fsx9Qx7T_fYt%}Z+zC%|7PZ%14#H~WHB%;
zZAPwC2FH_aGel=TZ+5H3gKS2)<S>px)PqGMDJmcO`uKCD?b65xoJ*CEl!mzWXoHxj
z7Z7nt_U-DM8MG4>vN`EBF5YiA83oOrQ4*Kj%e1}gz0_fbj#%i9Nn>9hw%n0sK?6Tt
zf=`S7TagxQcwq0jkGLZr(N*bIJuHdNCljRDSg=VxLbiJRido+_^hF)bsv!H9tYN}`
zj6}|B2%#K)UA&eyOsn-0E!de6^JqkKA0~n#C{pncB8?2uEQ?XNX(LPoPm8+$3@oS%
zTtZW*cpH88eDUn91b;gEB^-Oc`!yMWx^wlu^L$a)EEvC6c{$d^1#lEdrTt#ZxX2Pq
z1%mH_n(NC1pq}G#<@Edd3o`Lr9suzv$I+pxNQ*+^#c9{uSv!LTURWNDA))sF1E?yt
z)K#dkiRZ;2&zHiY*$cSmfMn)Foh#Z@bFn`$+QNn-f3~cVGXa4P8d$BxxXG%mPC`+=
z3(}VpHD_Y`*=7BPmu`q|OSzv!ON=?jJhqVCOBemEdSfXWnNQZ|i^b&*`-2kTK(|>7
zP*bJ(#}^%3MvnAIL&r_&yGuF7TbD9_TZ^9fU(^dwbb<qFS-(Ro?cR6xHfhFU;kD{1
zE(h6dERE|dp}RP!)-!V~yUKE;i?54L-h|aU#3cW4zg}Ov(&(TI=g8gWKsmKh^aSre
zzSf|NQv;Q~xZF*&vX3V3@L6vbrIBwtJkRRauVPbm^#szAZ>nbG>StC%j_!R1HUPq6
zvd27Sz23)JxN!1!W206~R!%=#G8K-`*yqo-`S$KJ1~%F}cU)}}t`W+-cOwYQWqM~-
zH>LNhGINKquh6$C){>goD&NUd>CYyes4TG0i5Su$H69>MibUiBk^@6##>@qactc8{
zqSe~(MD<!ZkPas`Q-N|eCvmQgcI+Vhbd(|UOs&!d8_N31vy*0w{?Ja9lz!Aq8g?M^
zlZL-CQP|{?g;V87ED1^K0KvnhYJXIIHZW#R2pjpt)6sGBYAXkW#Wl-$l2kglD%6=o
zaE$rCDg8Uc)!ss$H%nXZkT$-h&8F+G?v!Aiy~)ic@u#9@f|$lIv=1=XvHUz0Kv^p}
zgT8OCTSHDVY&L}^MT3o8u1fT`|7ND#T6V(bV0dY1Nu6n2r_JD-`PWlgj%JH4Fwfcj
zVxTET#XM-_MXD4q*k1DZ&ACgS&-ahW&|$>Ii>m=Yap(I|CY@PnpL@w3*<xHXIP;&4
zmGj`w3G2V|qH`|i7}B9Q_%t+zS_vNB#(?eImNf<4rTpeEB<77B4PjRCxz$o}2|ZYd
z*BlY@XlpZH?gDDhg`az1X0I&uF|6rB)2A5aoI*V)GW1Pianx*8UnLG={$H3Dv2A1j
z!QtotsO{qUk2;C6uG>`AsZ9(t-N^kClX!|rQc0aAe?uv*Rn4$RH?zJSV(YO64MhsX
zQRbXA$6_Am5JA_g=;w5KQseCW-8&#%Ca8@wy|^n={S$54pl-tNk_r=19cY@;CQAig
zaby7QS&kT^s!ExNNa;osZpDi+8l#CE!Khq^TpY*!MY8C*>8Z8Bx_&2jzob5Wj-X#@
z!eMjn>J;Knaap#}F;hjE1JT3)Dxoz5o2vw5i(?%vgF;1FN?BJXVZQi*5@er>BGUx7
z?Qxcs79L-;7O4kFqrVOZ%Eg;S7oNh{I)9>!vkPj!Ta<_NQ(GdMCQ()woJ02FGvu6^
zdD(i!Mf2h|hiXfiU$+p6R>_<vV3}1E2XgkcI=55&`3=O5VTb8Qby6J%GsS(ve^69O
z+7^HfA`lfw$;mw|ZFi4pf=(9FT^n_cMGJ1Q^jyP{;E8BYbW?Ez0yi#NGNlnRL4gbL
ziuUv~(cfNod4lC)B<5?yMSm<OqcKPS8=m|Ba<zG!ifVShPH#+6IcF#-#dK5|jmv40
zVmvZ5RIW$-JHKy}6tpL2i~fWad56zr(fLKxp(B&Yk~VvU9D6Y|IVxhF>zmY#G%5uG
ziReWsG!0V+3SsQUeK+`xhl^oo2y?*RwCCo{6hWia_SeVE(K>aS-gDZ~8EJERavS05
zKd0qSC1nEJ3a=_09`8EGuPuxp<=sfvRWvKjNqwGMWlMl9m&PO{d7^Y_xR@z6lGvu%
zR<BMs^A%s_Cj#cml_BV1`MdG}x+&#4@fCdIbbEcdr37@aApjD?z8LX!fVsc6yB7oB
zmuU~fOk|`d5RsL1s86731)Hz<fhhqYQEjP_VOu5yQK~WPmwwvHg#!5`)<^-I)QAWU
zW2;f66XzV2d6gA8sa$v!fGV}gwVrNGsDg7^9F#u#zISJ!A_g9ZHt!MGskPX9%IAqK
zVjvGXeZwt8q8ypW8K-mp-;k|FMf(kF&RXh9+x+3o>r~18e*~|}+W8B|j~G{eJI)}?
z#hYTo6t9V*&H_&Y1x&2Wra{%w?4<~~M1d$9I%aOCM%WXs{`Z=!x~948R1i%w6L}#y
z&;+Ne!0)@L^XZt@-Ipd?9MJ0If^x(G`|ArWqb4du7N;~Y7;N^kraJ?9D`Qw1;h9Oe
z$_4@-i<jhW7f0aN)=y&Lv>fv0+gq$G&e|gNvcbZipR*C{<3e^96J7T1httsPwZ2p5
z6^om1eo}{#aRzA)B%qU|;1J#2kgnA`O7xM_=%xgPyS9TAy*%6Y^|a){oc0+@%~ub9
zE0|DK29d3gs5CmAWcfhTIM=cjkuhs43Akcv`l~fp54&<~IfVW7)N@q(8uDxP&NqFi
zBHFFTpO>g28cMjp|CCWV%Y3b-$GV^NxntcBsu<mMH60YSAi0E07I@4C&iChuBywUu
zF2Ey#wO(E+DfDWA3XK94Wd{QMH|dl{#qAmY3-SGN1mP=p?|)YYAAO0^mb7Q_F=uNF
zmh$JvmXH(Cmz<cF<3r)#q6?|(RKkv<IR>j@bgE1a4>QIqc$g;qKw&4!3y0J$1xjV0
z)Uvwod$NY8pph*FeP7+^w3Kfzr=6}?uUAUc&A$l4MCKc1ClW)x(_hfM<qb}D?$4l$
z6NT)FzP$=Gx(oa?WJSqlh88mhwe1*_$un}_@{=WCXDP*fs+eluEI&5oC7%v1`M-pz
zs!!a`YE>{=XTbuR>(BSBKTxd;qQ#aF`%c8hCI6LU%LFsl8L$&byIf!d(;<iUP;dlL
zJm6NKhE>tJ&nd~i7q^kv{Vme;vMur?&*Q3!+q#n>Nn_6eaO1k=_l`K}ztg!teChwA
za|_cLn7d^vrm_zQN&ad4EAI;1S*w{5!D-UW77)!rPAr-Yx3@{4YBz}E9W(zMnV?lP
z_7K6Qhp2RF6TBp9ra(bHP!r%o-I?QRt%aq2G~J|M7G0F)(|w~UF;nPY7D;lb)`e3R
zxl|Vrxf@pjZ$g`R78?8xIEZEePLD%sNF5QX@K@FkA@9+uu$C$cx*<`Y@h!_koK)jQ
z(6wfa=S|G(d1dXCThK=A`_^&cZ_cm3QfJ*4LH6cQIaG6#Ap<RKRwQ`pvs5)MZB)v-
zs7F%TiI8BnoqaJvNL1O{e#<VuT3#g)Ou8BnHP7nd;mO=jFTFN~9;7mQ&++S;{YRsU
zrxTC!5d8Jd=IsF`QG4=kdvTJ7bdC;FNe=&vO|&ftqdEJ*rRgNQT;(!LE2v)VUf{8o
z=JW`YHl2fBaq>qZIXF%2aQ0@%Eej%QtJ@f9ZKW%my03!T1*WZ6FV<vvzyrvKSJ6IU
zqDs<~Rx?r#8C&|U^-pf`(9*VIW14Bor(HWug=-}N20}ShQ3Vz{4<csL3y`*liXmNr
z(oIhL))d4FoiaMrq*@L(mU;e3$FSjJGC{ML6?6UbBE4M@UlG(O(z<qr+(%7nBF(?~
ztm;9&u_v&MlT|#i`tdoK$9GR!2KIqVVA|B~nvr-21dS=bBsNN)ObP3|T*Vy6ps{5*
zwz~bfN%Jmi1lL2qe|ehLg8kX)HO~?0+weP$u*qkF3GjC5ynLGlI#+D;Y$^C<%S0b~
zy?%ooPJ1>c$v9iny9;VHfH4{j{fZL}*O&F9&|klf8E;%yRcJ1_<bSx<P0+``T+Ho^
z&Bhh7#1K{e;i(fvH(W7)m?@)K$>oaFZ!P||<-N1<%j7ueB^iP@XN`5r#)Nj=|J1WN
zGgqkFUw66lbAO=0DV=(NEw=@}G7bGl^}2wY3ZC{SGfsDw#00xB(kl+_WD$)2ala(~
z56eF^IQL%r<L)P`9N#-)o=F|V);scBWA!e~z2r8G_$(jEga!B`>y!5Hj|b|tg8MV{
z>(CboWN3gaB{|r=B=fYBUhy}V&y+0_ppu$POWh$%Z7I%E!)??+{~0Y|+BJLR&EibY
zWV?9mWwW)F1!T*P$7(V@7GXi-yu6)~5sGbq`9_2d)7ju=I&`!^D`;yR+#?f{!A+-l
z#H+dgh)K;OZuOJuGX*yWdY8n?FLXR|*+v9yIwrUt^%sBPoZ=-vy22XYe9iHtyA%OZ
zqVyRaix)xhi%bqs*~@XQe|4sX0G<qCoD8y9i7vI26>H{VwBhZNfru9jCGuLJg<F~a
z^M#3|#vMJ@+)mGyrDG_<@S|PIKjI81mD!9(drZ4)|72|TB<H2zQN>YXpuk6{=Gr@D
z&N>$k6rANu#Q1dhQ=mRflT;Zd&;q5DEkxpKFK<@VsARLD=MNox*VLWx+|k_6r&Rur
z63R|ymjfw$0JE8Y5#2<Cr{b#exf~AI$3{_KaXa_rW?g*7;Mmy+Jh8k}u|)=MxS$~y
zTQ3fb51W#5pD(wv7i9lAfA7)(<1AaQQILH~oFV8+fc7jXa{GPXqwMf;!+b5FViE3v
z8!fT{)bSbhdV}z{GkN$kVKfAP^N2}jUoc@2)t66ZC|ChDcZ2@4AGXa`=(l=I3Pp-%
zuLHCj&Oa;h<i?Z37+~NwU}`jy%mJtX%7}x*?%5xoVv~XmY|4IPBZjlab??FxanQnk
z5^QXdz<{NO(h&7-d#a%G`;rSFpl+bvc*2T|e6ebouJ=E!LzY@nMaVX6O){}QzjT9o
z7a}62p2<p|UU`0siy4fJ5B)V~VL|{U_&rW~PQMfPDhWXWoRB)ee>Sj>KO|jjGx_7*
zJi>}_q0cf-b6&u`kbD~;8C-L%8l=woNyNrwVR{EdA)78p1Fa^|IqqF%>T;z8=mbCd
zIK6x$E3aw+l9tL!;M=li&=p7m1G@Z<67MJU;bvw!xD~(Y3M`iAf9uQ6Yg45+(lZzC
zw7ES!daLoc*@Ej6JW8|I@GqlYW=8}~Zk^$YAd|QhgOPDx%SPxD135uIL|=9xJ@@B*
zb5v*;Q(G<iRYeM6=lS*AfG)a^zfYWlFjjuL=lKR&l#*}OlP`bU!|0F|cS%R@BNrNX
z(EqJ404)DYYBfK8dkn5c`V!jneUCA%aQ-X6wfP`BNY$39HwkEOuaC`dk{XJrKSG5C
zUfBDAuuaALZ6lyQiRz!YdWIfB=eI(FjU8L(t%GM`ZuM{d=^*F4u96O<x@$|GuE5ne
z&r{<O3xbj05;~TFeyOpO<Db6-&s-4Xl(iFe4k%;VW0OhPhZ14XB?p}Jv9G;&*uyd~
z=gdAAQ33rAH4Rv5esq`M`N{Inq4oi5?v>{GE{^sG33Ov8^{$Xxbt6vyj`{Y8(UPsZ
z+q})qVfP@U^%*z^?_Ll8?O&e#upkbd_s>B`cka$u%1-z_*EjZ>j!%c)EU+VUeo36w
zm2A7fUgJNU;_LVYxS0V~$6qS`*$j>$Dy_5KOLyi#+34~3af_)V6rH?V1Dig8TwqTV
z2+`eNQzwG=>iyIpW1R)ki5A|JPw*v1i#Ax8WM!)fu7&@$IySI>Ws<|{&((#5%?u>c
z-uGb`LVld)&$aoWS!{)onCu?^u<6i0MYGjh>7+m2C(sgs6-A604`s#^Mo{!^&HNlb
zYF^=c{F$pl-^SF{;9m2*zJ^tDz)I7BJ4&&$EZ`w+bkNYPf#X{`{|>p|T8@-Dy9q7t
zt(RlZK;NHc4pVJnKJ?!ZF37J66M9Z0KRDSxbqF8f)(9$M#lqx<GQ<Qd;M4f6n>H>U
z_<O<BGBAuC+iG#2nwr7O8Hd$>XK!-ZlG4EvTRE)Frdx*gN!Usyp7}DYYJZ5lseM^2
z0~JJXH^IIi(qI`d6CGi-*vNip>3b<4(vD!_sZp2y<TW%v4%r>ggW0Dd|I;(|P_V{y
z)eO0%!uW51_tlFwR5@nwLAJPQWlc|y6`BS{d7qh<kXUcrxW$}N`c*WyK776XtAwXx
zmtNiNh>b$*J3K`Yf{6l4r9@taau-1ZS$Z<RH?lfRxJekGTZr8T5%_l-MtMl$e2gz&
z`I=lSbB-+N;6n!c#1L5VcQ9$V7Ow;x7X!0T&3&#0fOrw~tK_b;C50h|htEWp;{4!9
zjQymbpb*$(thFa|;;cYES7zk~%fliyW!;GKEr>*8$z0e8Q$xZtWzyFzS)!*v7TA_k
zY%)M5P}B#@Bq%#rxXq{-Rb!l33{JvBf13FlEckG9)Bf0b)0h8fs9tyT=+8XoM0M8m
zc*^iy!kksiIg_3!HP^oLtJYTr`#krhy>?`yl+A@5!6BIdNOS#6G2A!=-3#|z=Ap*P
zMrOcndlqG(jvQ;1>3r#UM{Ra^18iW)@M&fQ5~4-4@}Y~!2VM6VgoKdNp#6_9g$ygq
z9r(!-0GIQp?4~(s)FCBuIiI3yYnNJTrUCP7wr`{8lJjOqY{P4#<}i#pK0TUFy3NQC
zc=z9g2=KK}_LA+AmfJAVDuc}k$N8JVG=Cd=QWX8Z4|*$;Inv?AEj*<h`l^v0X;Jj^
z<5M$k`RnW98Hm0ZAy9<V>Ck*Nz3mYq{W3E>oZLBH&I#!LWCt%qB>6}orB-PB+I#}d
ztk@Wq?Z`jB3^jS;Kk$$|M-1G6Af>#-RObVX^1pZS=3phpq^Kd~GJG=5?N4M7B>&nw
z<(Pjo&>70fuZn<;g)9C<&({<Z;BCxS58uCREkBXS)(`^a_H<V3qz(HRUA*V>LhD^e
z)BWNJfkugv7I{2)`PiYTq(F}sTXhjYs-6T1`y>;p+6q$CR8q;eL?Ud5M=A5zn$BT$
z8DshGb+MKoWPwS@ht=)+zBgRsy1qB%6(@+#D!$^&$X0t72L(y=5WixoR{2{jCN|Ft
zgA7S8%KpHD7{B^!HqGP%Ga3^>rrd@pXuY7e_Q6H}gR6qd-LKfjQdw!;jICf`4kl8j
zZyM(aQ-B7}N7la(tB`VLQ@7iZ^`$}ZH!;hcWT-ej=SK@mhrYRtjY0`vlpI>u)=rx|
zyy)FbrO8w9oVXhIjy=g0LZU3bgJ-j6x&AnSe;TZ=qHhkbMthCJW|rHG{Mnm8%X}_^
znE1zxD9u-CV+e0)v)?4i-0nv?8OAV8w8M0f=cIzR?x{%Nx~04tEMy$l(u^)}Q7zSZ
zzPv<4tj2JzcLK1>9@jB0K%BPFO->aoqQ8^msBm{5waM>c97aIa)0V)|bY~{)&Zi|2
zF(7Jp4se6<V0OIp`$|qN^i7*~TRCjERi#T#0u1LvU0wEzCzjjSnOzJxV6aLCBUF7G
zT8EGb0c^GWwL7PnMhri`K`H#`{0AG&?1jpA8wE?l%rka02Dv~6I7a-y?@|2q_x1vn
zqNLPaR;fDq&t|K?xL;%tkJtiaSjS6$JD4Kh6!7>Gg3ads09|^^pJdgjp0XZOfql4u
zXDk(HDQx~2WsBi$d|m4_(=Hx|1e@&OMxnUA!q{*g^mw&}-L8)_%?@?!pKrz9T+CWP
z>tC#(59owgH%sWYmOrZyQt@bDuMi*5h>f{N*%OTByB5=@|CRULiaCt=gluCul^<lc
z!5Mj8h!dhc1UFY^-NkJiDv}Nn6oPLEudI#uY3_GYAH46rW6r;&Py^uA<22!X<hlZL
zO0wfsY^VaURs{q-%7546zOO49!=tyfn1P&Le~!a6-Vy0(RYay@E$I1sY&d*GCL;EH
zl}=Q|S`mbD%hfCkteBtIsyR|)E3`KNZ)Hm)gem{|aW_$X!l#Ju(=+c}N-U_sO>1RN
zKJ18{#2XbzGyBuK6e^768Y4?C;YR0U3EGo!kVhiVh09unSvx@M!lWAa!~7RVow?6C
zO}W*43aweNQ_8~dgau1b5Y&<=A;ppXq-^))W?5sUo%lYthOuRl3O!^TJjy}GZFk@9
zSqa$o%5m%Qe!xBjsdfacORLEqVd~?43qeF#(b|fX_=(@Q*Z#eX%^(%+cC?EO{BkRx
z5i_XYKB2W24xG5|6soKP-WYmJaq4SxkJd9@1r-+yKJ1sn;SBkBI`*gQ^4bZ(NKKm3
zE_j5j4y_p7EJp$*Eu%cXVkU5j#cO+|<x1n}2(+IGTfnTS36RnYpMqaBpcQpOjBdoM
z;G-jyqh#y}RcarLE;jXV&6MKXUn{*qoXk~=SSDWBu@^OayRZ_eFkxFLSh$)p`gj4*
zn0CifW$AG%>)K3mGHQC-uRm9HenW>6wR7+1KUQUe6m!CH{o~Ajfvc5$zvV1;S2P&U
z`>J;y;Hb_%KAGQqDIcW}kl_D;SlZ~9%^73YIfbp-Eq6FQt;NPURot+optoKXV?BE?
zk7vDRx(;}4vT0Ib$)x-Kkm@8w{FJi6k0~n}(c|R@J4^8FlP->OcL^Zw+VA*ULkp@{
z;b4`zaILjBL8LCo;4~DRUCh+c!c5KW$Av85#F2;!bv)XEckPLPHHfAyzpFK+ZwMus
zc`(S>r5lzFt!>1ESSVfx@+IJe9amNax#-A|$mLA(;C-D<i3mS!ZT!mGiQ=G?-C;U&
zxDK3vV<%j_%6rXuYqY#qfQ=$<%Ft4c?ChJ@jgTwLgOI=vv&7=@%(+01<NU+g7ZOBO
zUFiL^+9E(Mb<Os2w!f%{DV!-l=kMc2Z6TSrZ>K1e-h3b<jVoc$1hz~_qz(gCMMh4n
z4ZMa|%F=G#HJdj(=D$#)Z~YG9{Q+EpHl?oi&Myw9=@hX*ewNIy?K{qqB)A6A^}>M(
zQ$SIHb%T<`u|uHM?wx&gxAnjAGHm`~-WM->70)lQWQ1TG`3`dxOk}Kr58QPR2%%AS
z^Q$@LaZrY#BjX}4ohJ(B3U<^CaCbPz112TdO^{D=-1z^p07yc*=%Ct<T=+Lywbn+n
zvym?09BGE9PUXNF%gy=utTxU8*sRB$hu%j)t4$Xt0?<oqd11(#`Nh`05D$q2AZ+br
z@M!#BzpEz8Gf)$uwo_=frVcLL{bggOR>bAxz+hFkJntn(&p^l^?5Q}A#z^m?((Pnh
zsY1Wy5y`egB3#2?buGX1Tc|~oB<nB))}1(<PdJn@T^hLf$B=KffI9Drq6MA~jvEE@
zo;nd?10R$rUKHgsHf%IN#}JZI##WftAR*n1Hki_)i{!r3DOHmUjle4<t@za3j8DXp
zH0`Txhk8t|{D36IdWIS|=>BD&+&x0#tIh!V9%P$)q!YF^bRzMShnwXl2fG6B|5(b?
zWK7RJr>#6bwtJUn>7U)}KmdQt-naSn$l8DG?HYWgZW40M1e@ZlI$_HA*}uXyS?(XV
z_l4R#v)gzYy>711vH6&~jC0A3B5F6nf=cjSZnpQ|Zr3$gzW>`!3Cdctb^i9VvlewR
zkWu68@p`-6x7Dz=&rnnM<z@b6NLiyQL=RaG`j~CgDgg|?DG7IHnph=hTdZC9cG3Ka
z4MD8xx9;@hA^PAyMlRBX4l2bKu2Jm4;rPH<3Ibc=@BqXi`NhTTd}N{T+P@s7`~J3q
z$orv60x+MIwLj4fyiJw4uKV&c)3-9o@^l$1BLN<b+txED_m(jeGf946NMYh*3RjE$
zax^PlKkxnomyjoo%RV&er6m{ZQ~Kedg1>gSlfb3`u_UgAc?eBzSd~eHJ~BSBfVb9^
zmWqBRF0fN{MT|4`!I$W<279nY|B7N=6cOb1QT^rciPwbb@psE*-}387SA~r5unPh*
z693z%sc>0)Z*$vZiLP#|@;K0h?Af~YBBvJ_kGW0s?QphaG$WabWS*<{ejf*|OZ$(W
zp5cz2{`p83T=XL2R>E3qyCXMzL_YRXeWVTP$@0Q9nmXMl&$tf@0MSYr+o2-~IyY+x
zI^&mAR6N#W0-WNh9`<0~KB?f_tn&|9p|TJS+TY#F2-JN|duS&oM2l6Ts5?)5{ATVz
zWpzmk!a}B>_c~a(WaPAQftbzEVtW^#rzK#y%n8pAsCSn=m;yUT75{WmI!w9aRTg~~
zF^Le1UHE_OND+~TU!=x?wY*e-x6S?Rz6UPI^j-#%tM!k|`?pOO|3O4FcJ_d^dT-AN
zk}R+qnNIhH(FDe&H%9^)7cgPq2hl5#0Lnud9v=_&2*vaq;SR<JptY7a>!-|4C#KyM
z{_6u{Ed%(EVQ}lEulMvOw47R9Y7Vni7>QTa_H9}%k0!JtiGj#WRzm?~KRO`H9$<O-
z(a=C_W&WP&P7fhBN%!I?HiLi>h-8?O;N;vFdqd%{!Yfr~l6Dx4wwSqX&_E;EbBp&(
zOCI(VK^BWZTch$$u$g}+3KNs^GrT`hLQFI<6%ir1{s6**i>_tZ9p|Y_AEBKpTp5y9
zX8c3oLAadv_oN{L+EUreCOSVLT@|WzqYOpFU*R%#4=RO2g1&ool$%|R%wJ(qF^iHz
zs1h!B+&WXpVT&KJ%O6cAMcEy*Uh9OaK{x%p&FJs0vE?LtIavKtB&O_f=Wte&e|slJ
zV*EXta<AEG9PHdPr`rz7&h8+1dN&<^hqA>f{9c@9moDv%mKMWK_Vr`!hR2Hb@~k}Z
zR(QqJ5~h%kbYz5I%@oQ12xX<&uN&-mV}Y8sl%>_R{^F^Q0%>TNm*>)Or8jE+2(!d(
zT=npc@cLYa6nBs!52eHVv~{GLc=!Pf^W<5P{FfAKRWnX9e{L{hA4!j;=9{rp-tb+0
zGy(m5o^3s#Q6<p`9OT$#&yCeTa^`OPGD;ov1CET|2FZ-T`GSPLY@v1dgD}w3`L#Ug
zhpoHX_pG7IRP1*RnGfs3^W>6l(lqj651m-rLONErK_&neE6jP0lauJz<z)d+im>o7
zh|=pP^dA~1@e?_Bk4^)qbM}uslXlI&G=FC8mdCxL$RrYclgV<u=5pYPD3F;<*uTQR
z+Up|6;`$ZW$N45uuLMuXpJ6z0;<Is8p`d=ld6-38K-oeL+&aH=@7An=zp7d7cS*-y
z(MTvRZw0e{i^I)fN!Htrw$4db)y9rM@K#>j6HjZ5kN#?XrKLYc!aNF#x{u%_ox1&<
z&raOz^0o0@AT(~qi!6;Lmv<Xij6_ysvSc9q;l56?MOHl`o?gSsH7(XdT%C=8S}&e)
zQ46Q-m^$%D9cTK!ODb_(EgMaMivFDbz}Gjs=*77Uc-3E{dgDd^l>gq8O!cN0Mz~J}
z^tvlMyNoc*`rq84(9IGmn^f|2*Bx;8yQF+f5x4fY<)wY_SrWTNObOfvmf%!{CZ~p0
zHl&Up<R4Pb{N@P9C^aT~>>Neb{MBkTU*3zX$?|%3lr{8QA>(*HT&VS7FHK1A+>6yH
z;o&PVLExpNo%!7<3<}3P({Ay&=sIJ0zP?fOO9K_dVV5Ea-aZG;PPkoc1tDvmJ>JjH
zr{Z|q<Th;o;2h9@(%i3AdV4I~_rDojeFYqG8X`8Bj@}0?c{HI9dtN%Kx8}Czs&6xf
zLp=niJfRZmCZtN`F=!|NcVf#6j_g)iarIGewoF|?J^ba#0{1^R6f8VfdD;Wsmq9Lm
z9)1XeM80~GL)c})mPz)xs}_^~Te_OIn#0fpOJJ6Q_i$KwL9Ga%QG%}VFHl-j={A#~
zioc72eB?eqE61u6R7bL9+u7lz&sM<X!UeE@(Svm0^AyEdnjhju@?mVI^ns74VMXD>
zhhZ3m`PF|rv^E%xgl9}gP-l#Fbw>tBz;bq=IdzWj<N&Fqy`upge+li(D1qNYb(`&4
z+}NWMpiUn}U|TFM6nvPy@_#%k<XV4T7ixIT234!qB?)+y{f;xNa3T}#+Wj3|?*Fp=
z_WHP2@jh8(x^KXe)+wXGjo0b+-*s89H``>o{zzuwU0x9?E5a?g;VhCzi#B;-DVTb(
z5$R6F-m_6AQt(Nr6(kF7J>f5Xp&24T;^EnWVLte%n&_J>?j{;jD%Gg~51vZ%Ct>@i
zs>)8!Wl7#$^ZtEZHdn*b&^5DeygHQkFoge_b-w&0v7a`{0o#IC!`#1yf#eiTLPlNV
z8aWyPsMAf~FVN>Z5`upVlwxJf`}<U#Q7b%e_pzOozI@R)C>*>6XKX)BUdP~>-M88F
z;XD<Py5Gj!dRYsOP`>{7PA+vvD&UdrUh2CaM6zuwv-s64R|JW+5uPa{GU?H1)CpEa
zopX2&3+>#Z^I-KhdsJaMw2CZdCqK6MtAheI@AWcBCh5C*aZOzwy&7?j$|1A0JF%;6
z2dpd0)87Cw#0adSY}O%DM=*!;{*p}#$`%%PAR!S^s^gS&woP{Cc$bsCjm?HxdR0{y
zXyb^2d)GGN(JX~J!RYw?=luU|ThCvMLpd9`4K&-p+(KxqsF8GmSf+dV2Ahr8iARKl
zL=UiuFJlMIC>!ZjxdFqg4L9E!TM7{OlkM0iPGeCwW7d}!I-bnZr-r$gJ_PZ)ytz3T
z7i6AR6BP*-wLeJ9UD`br>FTO4ehDepjCOexzDf88Gy8e8Qcfrx){Id8>D03Vj}@xy
zS#h$L5v(f0GXD4iU<)tf_TJb~YtPyp4f`AQig9E?(8`?2ZWcBiKfEfrSO75y)SNu~
za-~l>S5@QO<7kvDaJf{%F3<Z@<|yC)N4hb!rvkFww4+{JdVL!jDS3AzfPL9L^bIbO
zI{hX2!eRWt<(?(_yQ}APn9?L|*7lD3Q$=elz4TpN|Ksa>5#-zMa75siap&ksaA07d
zu|^;!E*xC18H_9t8yh<bmCi^-Sy`9!4_HD(#Bs5MDK6@NzSZ@=FA}?$enkIw%PlZb
zG5gP-2AgvhM6&mb{~tfe`kSpX#b*jj9k)i4{b~<WE}582=-i9bM&@J_*xza;AuBt_
zt-fL5U_z`??_bba3jW1liFK}u#PR|pn5JKehHh|jJ8Voc`V{wtKmT$}=~SA%AEiDI
z%g+?5y12sg$sviC7|NIy?>blq?0M7;BJ8qz;f!ZXyqWw?vjo)B(_58J`h#U726A<E
z1-aa^;!=FEar&-UhOsPdH>KkRDNXX38fdy&IEEngy2BJV?v)U^ls>Hxl{4DLKAw2x
z_M+BHdh`dUKR4@)e6hbjOeKUU-A|0)D7ASpZ5k3Nwz+2r8alc|Mj)u=wujo2Q~D=`
z@n*m9+&vO!-5xlNqf*p`Uk`5+acUvP62pdfhP#p{Wgg;zY5d!4L!r)kwZri*67?06
z9<E0<ei-!3Fn>}(b{;#pBrIzTNdRxbi=`%_NO-O_LI&gH^L-Y5D<7|2g*)x_eaN_;
zOq=_zf)I<of`1!goAa)Mf99i;C}6&XA;o8SR~QJ`m_pg@P1{?ERhdz*j)7`lrXUT>
zyUlCZ%}fy<5Qm$wr2q{kA9uvOohOVXbdVCJJWkk@KHuse5*0T51G^44-M}8%J<73?
zv7!X~`$1mc-+fe%je(oxWA>8J7kuu!92NTI<yPW;t4XJ=X?@9q6@_K}5#hjLHT+KT
zg-OijWz0u-q%`>k+`FlMHAc+ql2`E~5$~fuzq=I#ePBE*2wY1+i3AZH0UYUTG){(D
z!`~GNb{3K{#?jM$i8<m6JJrv<7$I@yROx!mk_H}Cyyr89QSZ3$rbUw9o?~5?_BHjj
z<bmMPh%Xho{@bXW)?1YIYtp>>?$c+-M~Kw^PZT~DtCU$uz#f_uS{)%48l;pZEhXT2
z)y`HWPm=lgcCYjPJrye_5n{<4B|WD!Y!qW=`Dyu3q;<(+PbRJedVI&nVAOzd>m*-L
zm^?CJB(j3szG~ManLMy}=F^54?@0qDZufIaO!UPIo-Hr=FYB5w^8%NiGgZx3v6^=D
zTnlgLT}v@`n7&Dt<LqgOpp-4-1>quTsKEuj$*M^L5mU*n^Q8#KSGXCbsO238CBkxC
z`xckK(rrBP&{qqrxo~O?YW>%6+b`<kK%Yw-6X$&A7(LpZ9d8a!=W~3rDPG;TkX7+F
zp)e>jb<l`*mof0Q1Ct2txNH=`*l)qlb}$ZR^6&R8E#?|7N}2Z*R@so(Gu>?CIHh!;
zMTzbi@p3p<5tE=ncvHYB^pzHCE<tncGR)aIGWE>e=a>qhMycyR%=BB)iZc6Kp%vsv
z|GE0_)5YNaTrArB>h+Z>@*CAv9@sSn1Gih;MtW!xhg2luL|!89cG#xMDHnmfPz-KC
z-gV&=()~31ld5k%@%gue<9PagI?n}<0JqnmecIL(h6ZA|!@av(Mg@>sJawx6HFn&-
zA^!*M&iR>(p!bf3)*ETz*@Etg8Dtdlp45^8wxAL(%W^7R<%ColWNA|Z<%qU(sP>+i
zDg=AHf=zO;>EhS;$QGBXjZRlk1#}9Jxx^fKFy|hL+MD_|_d-+ObTgsyk^kA~YvRO2
zQ<@)0hkRpO0>$usbhem0?lx-6hFW7o5OfWRq`k8>!?-hrBvJE)w<eDo8SktqUqutY
z=>|M#rv)r4XT=)zxe-z%IuXej-(qO@b}z9xhmzr^!p|Guv#w_d4OBzbu>XR`m@w%a
z<}9eeW|rV1`$qEOll(9j(Pi>2MwzvT1lI~HO`4BqW<a4~iYOK(V8}Lb?#x0f%Gv+l
zz%U5a!#)N6Chv2*9L%y4W9aopD}RGpHHtkEeyX?v(nTUbb1i&<usus+?egvvQ%&_0
ziGc#pbMcLOhav1Tt}2q->Pzn``9BtU(s2n|fZiLQCiGf}i)j*;jM{;B6JPG5XSj_%
z^EXnQZKn70pW6cs!*liu&tMC?9Bg(RguuOcTBlr$=~qqyvv&R7gw!s@>0Tqd2h`^$
zdvzWtFi&}l4EecFxv)O5Fp%#MC>6nIL|!i0XCr1}0z+xiKFq$~h>dpP^(!6((+*&t
z_!+(dJ1GcAHnQe7z^>}chDEE?H8BxDh9NTeMdRuLlN}S;!2Ky|AHscLTWS|U;{bc1
z7L97UTG2sGWJDg-D>E}OKn-obrcM)AHMfA=DpPTCg0WmtBT-!uiH#b<m4KYc&76c}
zOKA^pVJGLfvZ5%S@x3zGw(lZD4X1D<n@TZ8YPX+Fr^ari93!iPzPz$Bn}9YvaV$bE
z{XGM3xNl;ci$OGd-<tqECL}j^#ryqkAM4x%77=+mYv!|T^}1%A)L3$y83$y`^;hCj
z^(!Nly7Wel0K0`2GuyX?s!q!Oej-+#=aKh1_B!k3*iJK(7f`+JaXcuDXohS1(6KDo
z^D}K?aNKQBes3d(DAypoK(RtI6Sk~N#gbcr`+D0N`*NSoF1CelHv42XHk~P$dXjv0
z)(e(+D{fF=Ir^r~{e(zxv66<s=}lqwm+Z05PluY?rltfFIf{QdrIFAaX}e_q<AIHZ
z7Oba|T?%RwHkp*kkj_CbD2(H%lgn8FMCvi=hK$GaS~xNy(2Qst-H4TVO@yBa{+b#=
zG56fPa@umTn*DW8ER=&1hA+53@n)Q_(HDF0*)%LYop(ZnRQ)X_v#rS4NNYGpOTTTi
zr^VOgg*K`jk-8zA&M}M)3|B`D`si?3hSuhUnW#Y7B2>z*63eu@_1(BiwA9n?-$t$K
zS8!6g@>EcIKNe$A?J}=fn@eyn^)IZK2N(YRiyh;Gg^gRwo=Qvf=;nHt-f31#bfx}&
zHy6S>|0{UD{kr}?!4b3txZ3b@hR(B=oep{mAW!`@_K9_goTY((x)d|+?+gv|jzFdl
zdB%EuKG7pb&c4QXj5{d-Njr&Q^D1g#1TuU})!CNMZFxwvNdpnXpKi8JhN_mBjc_>W
zk@FSb8*L?~fDR7RS0GviH#V4w#CB^!_?jj>N^Q!PWQaVxS@Npp-?#Dvum#e`6kcTi
zbFG{z0~tsOlxEKH(xCSPsWj)9wo@(Q!@QBanR?1+2;`pEreDkZHe!2`tj+iLF4gux
zalRI?>ZAMb&KCIzK_&u?g5zS6#BwJt4z5V~A9yro_XSf6jV<h5#G~Hv*xg^~lQsvZ
zU>r%_r<Lnvs`=w$EVh=@xpIt@gOu9WSj;a!KBFTkguo5rp~E^*i~vpyD5Sy>!y$LX
zDpxs5*qY_o5?RS|<9vn&-w_5&H1Y(@fBmEtXjpt@*XSQkTdsu<{D6whF)=xEd27fm
zaS}PC1DZy!Dv)Ax$`*iW6qUS&6Ia285uAkRbHcjVh>u&HE`^aI;r$xN@1d!C`azA3
z-kWevo&RT~jP-X_w*Kj`1>01*ZB?a(Na!w8V}vUHUPL{9<%pvC;Ewi^>cH1h^@bZD
zFYV)4Xdphq&P-;hSap`Ts>b&%s&^(V7$mtg&4YLf2aB$}6%^3N@JfM&+Z}wYQ(UE(
z8)Z>Aj1ojCB>+d^YdhrLb49D8cB-})7rA`t2uE7+HEiEUR9~Q~4?D?LD*~;c^9X0I
zNJ$0MZ`=NxozW2qud8YI_xNDwnipdS0SAbt=qCDE>q^@J9XIQ{?p#1_#J0F0OS2Vk
z-r3~$b~iCcfUB}=U{Z8(m{J_oB&~EH%S1fhBSov{XCuc;OU=&D<Jv#4S-&FXR7@C$
zM@h)%6>eN0#{J_fq|=sa1S(A#1N7Ij#=CEXg;mEM#AV*Y3;}=qtpC7u!(Cpft_~Y3
zpr02=usM0u$l<_r<hj#@p>xxQC^W7}rm*Mk*PLU@d<nWjXG5O1kz*9RkIR#W4*05i
zb=<$y3w`lFYKy=hAgCY&oW%wzp~ITZ_%Q!H)s{f%nbYPh?dp46tEm{IrE`ZBm%)UQ
zt6%0Cg2>25OGYTo{WAG&W396Uv-<vzVtYDd$<cvcMMh368w6hgifghFz$ad{qM1DP
z6%0=|zS<~sqO}59!H=*kGJ#6*dBTQcaCjHp-xljKtjIrr?DH@4qMr+umn{&w|21({
zxtg`n3nwPf$;6FA49pbG%&8SOWr0V2Qb4O!1%FoG0u+I>-t~h50H4t!M;D=K9n)>a
z6p!@_rGZ53p#E6(0H%Y7D2|3~99_>e4}De?vcg5@T!tf`kz+PB6HgWeLZyp-?4`9n
zI#t&Gihi|;;0y#;LI%NO%26gPpB+jE&Yw%cq_t;}{wRZFI%O>xTIfsxXuGaV{pQpn
zaEw@s=<!>;HosvYZpjBi6&hCT1xsJp2PcAL>LW*yP9R_r9Sm^-Ln)T0K3W#y@{1Py
zG5=&*1P;fHX;MZ&ke$v1xAlrHLac@3d=47>M&6+;JSu~x&(1VPkz`rZuv3`)R?&1a
zj5t{YZki&hYX7n=1N)~xs$ll`@D_xmaIb{V#0zpa_D`dr<NkUEZSUv(L^^ZzEL2H~
z^6=~@HpC?_--D&D*xQuhVuE`}_^ITAR-zC`74kml%RJ;T1RE+smt1#}^~EJJ+RM1h
zgJimnzyW+)bL}l`JBCfBdd!zE6v?Q4lLO{2kp``9-I4FILtFxM!QE$93Z$*+-G5fJ
zs|ylPy7V5AN(_O@e`;J<I@$K_udj&Q)t(^<M&j%e9W8rt%%bqRY$fWeKP6e8NV^LO
zV_8QNYG3LoL3&r3wXGJjYpq1@TeHN%%}#%$I<@^6W6pIRuxOQYs@`?Bz|YpU!25gG
zoTmBagz`vXk+o#FwaLruFUKq@IAaAEEV1182a*kX!VYS3|1gsrx6%PjA_Of1oR^NM
zLxYwAVn=h+q~NuYOzD!aJP{<WWsH5=?0Q81p5hRAkQraav@yZi4$zj3M5lrC?-k*D
z<n3(xCoI=jZt(}o9i;KZsb$npJ3peG84!A?VkX?57d+@lag7VD;m}S`%e&%1pxpfJ
z=rKLd4)Ga1Ry8%0f>ktMJM94VZf_I+<}OfQ93^5lq_SsX!tih9n`GiXWiE_GMS2I{
zl0ml4a}#yy_>XjP1+3+m{Vm@n)*?x+wuHF@e45=1dAczR9cW953>r0^Uwu@*$Z~eY
zzYAr&J}M3fwDjwH^H(s+JK+Hii6nHp9T!tW@s<o_hXYaty^aDB#qg`sp0-uz|42a*
z!Xfo}Y4O5-i$3t%%CIKpuT?(67y0#8XQ;BZOjjXse@r=RjEO@HSA0c-1T@-O6H1YG
zDo97*s5Yaz>g-Y?rno2Lv8YAPk5Olr{bc9SdISOjVg)g0ad$3Msxp!J<_CaL;-<%B
zhf}Utnd0M-%tD#BGNP~lNCmLV6Lulq+H8STJ<+aGP~up}q9>rP$JDIx$Y5H)hv~je
zO#ywl9U7T1XpiLxDMi}oDK;B!I~`(XqB{MQ=aF_yCdHwzX55cmQsQy=AFMGYQzA_e
z$0FyS%Kf1TO$&U0x@;j9Sz{l{D8;Ss+EcN3WI?oB1k34NPIO?$YfJceZr5_xDx)wm
zd)jfXHNmKFXoK9I8=p#vvb<Dv=CtPn3;pFo@9t(}60lad;lb1KbH>&G9h2|*6x1F6
z|6G*1ZZ=;`J0G|N%*4MKYejIZNz;gB_vv`{8QKf%w0FB3Tzu=xk+DhJJS<(dt)3nr
zg|011ISqzDd?NiQ0+#-(^rX(=O)ky2?`mI&1D~iwR5dmUE0XqG*GxxQf!KnplQG?C
zKgc53G!-54K8DxNnZwef8yvZpj`&)irJ~1RiPu)@pJZq)qi?m`eESwmyOmS^M+9Q-
z<D!V=S)!^<l};AWh|gUL^SgNesMSaGGz2kjoIkf-Am+zD8>UjfWd#KpPeI_S98!@~
z?HzJHZ}SMQm;NUiWw7ALubP}}JLu`py`7A(JciqipLo$7`YJ;s{YDLMhOJzfBx3~6
zo+^mpn+~6oSCNBNeGcV43n#atl($UDzal~@XQ?{2NGc1Q1#iR$BUFlQM<}I@%l)I<
zZasMTKX{iqFKvddaSSjDtrXN7ou|5WZPh|i(~LsZ;;8{PROVj=RV58aoA87z$~gCs
z&8HDKvL@Jgvk4+h;D|Lsh9(t%f#pv~7ejO-hr9<ESP@I~1<_n6BeXlqR9cdrZR~zc
z`0B+X6{SHp+s7V=_IfuoJ(DdIa&3hLLVo?`;RxgELr}v!ku*q=4Yz<2&3oTK>jp4c
zH?CxAy+!+mwn{b{^diWN31FE}l<w4>emo&<RZmbTbN^PbS0Npw4gEW`OFOINvW|Q5
zGJh{;^)ZgWEAg~5qW23(pm@~^n~b{9idIc6_T4noztFNNzsI|A>XMzzTF9&Nsp^`-
z<$$Kk0BKQkMmL!?<#NiN9Lk-ajidbiApn(qY_^A~_+es|0rHDPdS(_KXV?LiyGkwu
zxq+I6Ioh?<*vxpJgWTjatM{p*1u)$toQ9bJvxEZ}ssD4L?eQmu|A7<hpC5@v<Ix~N
z0!O-(xX10B`YS5j78tnC=;q*e;O|Z3GLSZVg8)V@K(l&qFPNw-|EyQ6GU1PIq@+h*
zIPFgyfu|*#;ALG{PNR=E_|T9_w%#ru(5|D$wkiinmUHJ0!H&Z5$G1P}*%|SDm`)z$
zhgjGLKSvcJ!T~B&A8X<;4K!Lpi{cHlr+)dt9M&OQcPM{#Wz>wwbDYN$I<7~75hT;1
z=wNwPj7(;fE;jx$7TlfV={#kf4dpP+ypm!?*AUJ~wsHSP3GQ|92;bum`>Z=<qM!(j
zW3!%sxvW3s=4Jc7q~W6xxnSw982{-|S10lF+hG;U|78J~zcbJUQd#xa^i^?dLJJLU
zhn5Xnd%ZA*$4h(Yhp;q4D6=__$R3c^1O(XsJ?hwbFsaG{6D2*mUj~L9iRaOs<`EzA
zPIFv$A8*ta4IMowZNT!MCJF{QJ7n1qkjDnaMb58-t~~^Pa?R{xz_JQ~dEh&>(x`AX
z7Bx_N#=TN~6inC4GFov?I$hU$M%eB*=QImqj_PAcWnH6f)>$W-Nfckv&u%VlKG}!;
z;xRVJHP>@S^fQm{=@s4-eSfX`5~XY;{^xmc&QnsbQy;;fy4CAY>-C<g4|KxcwBmU`
zrd22IA}(*$uhJV6EeQlB9|hNh;!vws1{+_WWHq03#nxeq(gDwQlL=c|GLG+gnFWn5
zVqrc?p!4e)asjr#YcFBQc2wh<;1NQ}JU!1rMrIMa(#3gi6B^M}h>apIT8B!oFhmbi
zY0@nPl>m4mTQ^j}MqRnkCK{p)$9KacF9nyXpt0uWg8SH^Moub-Op)jNz&VQTNZ(|u
zS{B(w3%ED=!`-n>605AyLz{MMjJc>9rSk|5s^i_GDpV8Fk89UnKV}ybFv3n4(pzj5
z`7^Sr;hgDadEw>Sdap?*@+MI(YL-sl7pMf52z`WO9HOYaD+AaOlLY^qj?=6*9@=5c
zKzX0&w!yn>dgRcrnw7TuS-sY(&ridB_%bBZ3>5?m7ms;jwz3~U43K80>$W^!wuOVM
z)_2gl0{nXKU7W{oryTLW*y_(u#zDuK@7P<Dgc4>G?BDchODie;76DXP46?O_)E;tC
z?euva1H$xNTYcZAi<J-Qw8($rf(fqNN0QdI?iXj#!p8oe-p(p4uI6d*Nl0*q1ZRRf
z1cKY(9v}pFhu{+2-Q9KY;O;iKWU%1w?rwwZyzlqlZ}-`&efDB+`)JkaQ(e{l>#C0u
zcD=9|KM&P_%E`qE8`In>cecaTHk6KxQI^7Uy9o?!c`J}67bkDtI1_`&5F`Lqc=OXW
zb8tJeorgxf{*86tvK>u{+VA{^nmQm2JTi?^D9Xu)uTC&-xx?tcxn-04iDF6tx&aIx
z2D@3DGUinB_JKdRC=}6kl-nN|=y1BFD;>{D(cn4^-)f7~kd?c)uuvcw8i291i${}J
z^tfrHWb}$DQDbyaLVOFbQ9}le$ZJN=B0tnSx(e2FP^7U$a%$$-b+heq<7g?zPUE`M
zzO!QB5e#Bosx~u!P5uhqB(3hzBkY;PFkZ*Z`&Uo;RU-imGJ>6F^Dh+@bfH=<Isvpu
zp6XW7qA#<~F`r!rgot<1Aqz#MwjoJ%^#~qj+OVM%k)cOJQ~&E^qhbyqSk^^dl`!On
zWz|?@?kPM<IoJszP*P&KNinr=r7Q2$6f1zE!LI2*Nu{XW%be4-k(Y9_sbc5Ql=zgh
z&_&HU;NYLwNG9na9#@wxz?XyWYnJ9LQyi*)>ELVj<$p(`{XXy`8Ejx}rYb7?+KQua
zTYi+WR57<vB{aIa<eZ`Tv<tahu4l<P9n_s?@%7I?!dWyAey34;&me=Wa@c)>WiQ?0
zSiCo)pCI`Sk6#e97mt-(q$`U({|Uk!)%vS%Sd<j|>a)8t$5-b(qbfW}nMsCJXy#_a
z;Fp)LL5}|9k(!Xa=BOHn=tAb;KDuRVbzR69GmZ5pR}Z4j=HxM66n8np8u_8&ru0CS
zL~s%A&{}iMQzj4B;LsW(Z>F$1TEMxeW#CcTn-xZ``7Vht>~%v`BnRDS6hciAX*j`m
zw<->sW|bqFy&q@Vv!tGfG=)`+2<RrJrzwjWl1;KR1FP%d-bg#7l^58@;sjGb;g5r)
zv|>^<{_e&^(pMYFeHL?myMB`zRFU>#nbqjDMOls<FOuYL=O%*sFQ|R{KS6Chwj@mN
zpP^q2UbO`w7WR^!#kLx}a9H2{e7ETek~Xsc7JQtr@~Zg0B=eEZlvaAIqTw^c%2Hu5
zO!ir}m$Vdaah`m>vcfXWyG_vOCe9H^HW@ql2ZTWaCjA#F+031h<YV;hDtH!(&9UR!
zi%CSt8sgwm{Dks*(D)qXiRHCqL#DF$VkVmI<hr&!T;jfsUvD}^sQADi_Q(TxSGQp-
zj>`8^xcKj{^tkQ%NZGeV)Fo5me^{j~H0}rg8l(&zMTxu)?ajCn5fUKS(6HfV@z2e=
z<3jcKyw(?`80mGUK<_D~q*E>l!Tx*kat;p&jD)7Y6QQpB)GDzXps-L##<*=8IE7cz
zK2>ZfnYr9isLJG;9q9V#tMKPHY?@5O+`>|UE2na#x21g5Y4}mj7yiwlXUSn&GEDLw
zHZ(Q0)q9ylu`Ns%B{QO?K5zNN{XkX1@^FK3UV?97)qx|KN{m_g^+kDs6n(A>i@t<m
zUFjRzsH>bkng{$9lpe1|{tCEoq$;BikFbo---4l6KR%c9Z8Fz6F(q`d*`b~-%pF#x
z!~{@t`*(;byr1(kH&#~4zAlWhY(I0LJ`hpgp$ekEQM~k=->)eQS3s1i`K5ip>tL6M
z7K8gPMUHCw{4cvz%^%*VR+qm2#en-NI)Idij=8=X;$o@VVi~xxO51bN8DJ#@;q&F;
z%%aL<_Mp=c5ImI4u3S5Qm6zO=K|(p)Fn?ToByWZVBptg~B|!qcd46!K@ljDfs3@0g
zy6bGGf?KHOr(qk6w@{j!;V-m1;xzCH?<d8x`#p`NyGpRrwFpQums5s?GE;e-tzIY6
z&5=W%w!7@vdfw$Htn)0?lo;1mnqb!he$mx&^s%Gw_Q{=GzV}!Dpd=&^7imFi8iZxN
z`w^+kALhy`KDnk&53|3=#$)62*tI<|7D*)w^ejO{p=#~MBgvG2@M*yQVn?J*tCOYr
zMo!QeN=`5R;Y(hFd3nceaNakkZGDp@yRhPlOxTAEf)h6`FbmW0*-{HMsF&Ku?x}@s
zx3XdMZ_7n4Ec$e7#nsxR!q$q?(p@)?W?;AnFGx=>8=}OWcvELQ8VfHQA(Mt6>b3m~
zi#S?mjdZ)}G{#Rs0V<~T9wPn8eigSk?qk%c-}QU=1RvIL2xV%vxu6qY^!1JqmmFrD
z4$w}m35dcR8h+-xOQaN54XeoBT7^M#MpL=|;P;o8AVi7rEXu;0HYKzgUl57ec_&Lk
zmQRE@aQn+p#1mWP0qGiRW{400>yP6>6PvAwk>tLsZ}Ev0xzdrRUIeucrT@hG=(url
zCG9JQ+lDC*o1DoK%`XF0Hcp#+#uO@td=}KCSt1Q)w{jcWADZAtUD&23N5wig#fS)V
zE`3j>-<WaAzlQ%8P3_-SxBBK->^7GJ%FUDM?Bmhy`mTNCs&{36+~X)<$nF|um;A}_
zAx*zRmi0m9O@1S@{X_6{P+YPc(klpGWSubf_ahWvkb;kVJ$t-N1USB+=;6_q!Bsb~
zTIwIv8!4gLK%1>+Gr_|GVoK<Af>_w~{fqSSA~#DyPp!+<STmFQ0z5D_ce|!gWvZRm
zU@EaBXiagdqPs<~!J3_z&*Pui?xVB1#5QO*SE%+O2{Snts|U-F&6vzTid<Jd%T9A9
zo2R`nZ_B*H`BHBi<;S4^9h+4SdmD!<#gbYl-dQS+Iickl;sx!80s8Z$U+?pC`;ewg
zy1YUP`~SK>M$%&FV`Iy3rEQrnAy45<bE;xXVvkK?5702CBj^U6pm_q-7o|VpZg$`+
zDj1&Mpcf<DY%Tt`pg8jhLf2%*yCjg)3%Zn%{YpMBIapY`j3wiQQL)&$6)610Q(*AV
zhEb4Xd@5*9@h)nN1RbGT99?)<h;<Ex;FWRkyY?YBvP5WbS`v2<PQURs?Kkjg+<2T8
z5rx9YBav+sH@&U{lFp6eexRvcG=+gDkDaS`yP-Myg6)UNC1Uw~tDC1zxGXf|aS`vE
zete{$FIbr=IJiI2zvD_r(V88j&r60LeGGHA_wbNIgQ$*8t#M05mYX0&7?h$5Ge&)N
zL6nKKA=X*l*Yt=yF3MJBvy^b8<nj|lcjcazP%GK9nr(qeTU$_c^SFOl(YnS<KXLmh
z<v4L-i2ZQ+{Wn+u?=mu6xaDZI2n?s@8(e<E`vto7WC<g$K2^+T75Uy6%H;F&U%ou+
zZ5Tz0rY&xIfy|K96}Z;YuHRZN>O8JWX3VES<ga|zgcY#RVw|?7U6l^adlh{wrATJK
z%7!N6T0p~6#r2|(xPNY@Gb#uVMd|YgWYt)<_c^yaQe%edN4lF+%)1^Z_4`yo8e<=4
z{R7$=46vray_jcI_P6LgZ0Mgm&{@o@Tj$}3h~QOfOxC{4i-&(#Sk{C)cp!1~lz5+e
zDq4zuGjf5XYEvFgZ$KseEvCA?nc{@sd*?^iNlQ}71O{Y?UDLbVuqXXLXt@{sFsZYK
zeUj|CM*uDH(T4EYwg4p|5WFCvzMVKp`sAstCC|@?gKc)>n>~Db;X@~*@Wu^dc9={g
zHCnaF$r)9BpIW#ePE)Vq@dCju75LhX*jI|2{Sjh)V3J(*d5mcQXXax-Pmt8SI>+kn
z<Hj<NxWA$>wbY1Eyn5;vC$4B~c$%NxQ|Q2`MN=8%0xpC6V!H6n@8WM=OfGp_&#DO@
z9T`51*UE!m3XA0&u6Ph(xihY~*5R%1kYt9#BR@-VipR%@6gf)|M^FZ~sK3*YdV{4H
za}pUQBQ%~NoA>KokddTeEMd=mVR7?41I&a4evoGVtW)=5e(&D?A-+VLyl2w$FO3r+
z(`hJ;fo41=QPZ@mF5d!^vj%GcmHWV=$iU(jW-u(%c+s<r#({~2^%2hGiuqXQGOASO
zj7$fC$`0*uOk-b;O%ghLIO?Z{8up&e)>8dcx*4PjwAt1@dQ}hVulVF4+z)Qnx9`3E
zDg5*dTR!d2B_PhEh0PkqTJVdKkFd+8=J4}G_YxyKJYeTCY3dq|3Uv>k=OM+{0y2=E
zlI!=RdKi1)Pi-+Mp^1Gx-$y(Gj7?X1-G(%bAVJ|=BH>_dA1?HtNKe1uGE*&qzR!#5
z9L+K6BFHq$^o5_31Ll-|l94sFrlAxHMfr`WyC28i(kp8|eWc=G>Veh1>|56VjoNbX
zFB(pUbyFBlmB~L<tR*?XBV1&OTgNZmI#kmP$G+4PwyB3Az*UaFv>;J?HskT2Xo$cl
z2`YU!PD6U?^R&%K_8yNoCsgO@GKlRuYm-@){o|VkQxG*3BZX|h=+Dx7%D>Zyz>p!@
zB7b@AEQ|5SOeM<-+~L@w<dtPT#eqi>x_Enpg4&PBArh8S8Plr`n)FLwjj=8@!;M+<
zi7QeXaEAwxG5vN+bkM1E2$T!=9;2*Tl_+DTccnL-JS>Lunh-7%;VFgx!L#E}YDEJs
z^3py?ck@e+oGne56-dE1(B*`-BuA@SmyhKOp3i+UIxR~5%(`vqCc%aOGNEbMo9CPT
z=hqKur71ot%Hiy;>e+8f&_64KTk(@idD^8Uv)gGBI(+Zcen`#6TJmb5r5Twp!szn#
zOrb10r0wOL!md*Qn-V2R*)ImgQX{_okDOSW934Jg{NI5Z^{!j3dlITsDwD3rQU}~5
zWf89g<L!QWn;&Yhib1gM!lV^cZHD7%KAaHC`i((^wG=ORew$IGyV@+LIShZC_z)jJ
zvgp$TXDOkaj*2F;iYQJiR`_MPE)F;Mv&5J0SzjU)Bk|r3ZB&Y2g?A_hzC%8`Pqz8H
zz5aN6j^#i}O<RLf_E?|BQ6dnX#!BlEtekmX@KrD$F$fkLhJ~kozq9u9#}hcA$89%P
zYHE>vzuYH9?jjvOB6n))>>^CYgP2A~XvZLBk?yVTO5_GL(s2yAy^XTc$c4XrCdrnq
z@AbdDjx91+pp?(2A|dnHvP0c1|37GRvqgsI*$0Zx6+-CYijnBwh;h2$$k%`VjgcE6
z$IX~7YS#@k{H+>DKD)+CfqfUxrthxOGHi3@L$Tar6Uoapkfs~Q<+-ogYk8eCNrEF|
z(V)hZg?V3by=|vt=i26u-Y8mt2qUxcG^Z(6v!Y!>73yyilBoKp+~`uG*WOx+NM!)i
z+uNl-h+tnG@Y7v=07b~&q;qdeaK*wGjHDPRKd}9oX#op(ZhwBb!QBjs%=!5F$okh<
zx!`n)mK*w?1!>bXmSze%A&cmbIR&W*GDqwsy-}wjn4Xt!&dD+1Qtb&OpNXZ<QPV5u
zf8=B!$ETAT5PXahi%CyO6ye>vDjej(V~zuSq6vUJY|G~tlEBu2zVS$DqE6l+rllgs
z@aEvQJRWeR9+NV@SrUq3?#};&tAxaCl*vV;a~653Ok&dcE{!INS9k6ErY=)Az{$bR
zt6oUr=yUPFXU0C=tC=Xf51ZK!lbm7{+F);i3r!Xsr5v1|-@)=j8y>?!H%IhA0!x^v
zHw7d?%3DU3N>`U}p)u$w)<@q^D3etb-_yF%-Sc0dGq|uK{}+5+Vv1C_?*N0Zr>02B
z9?Z$`>~NKmlCvWZZ?E$VGiS>tGHl3`xT)|P=s*Nf*Sux}kc?g9cW?iyN+oUVoYb@{
z;0}qwbtX*+ySuv8QW7M0dUy2l(9$h$4++N$NXwKyA}5QM>n46Z(|+P3!AaLv`f<?x
z;=6;Tw556-7LI%V@Xj%M<DtfPqP`y6;HSyY2!2q}3?idkIIYY8k63^7wb|gXSHp+e
zcb+*vER()nwLDZFa^q>N>S;@Hc#mDjuu?Q)|8KOqxpW1%t*_%(2*+@KMayomq|MvZ
zk08Ie%J!XP2HVN9J?<qttLrknjaRkSB3}5c*!qr1I}5W{)DB^nk3HEZ9XZ>#zN)3(
zJ3M+q8oag&w2Ni*=ndJjs<u-{F(^GUO5xsCosoy-@**(yTISka`T@pX-zwc81`RB!
zNS3(U+st#nGBCST2E;IeBs(b(^TvM{+}$LNpt5q{7};}x>QYK2FL#BDWtqeCsvS(a
zX!^GXd99^av(`ls_F_HRTRK$zfp&Ev<y3!^AX~lk9yVG}+J6J7lcp2htAQDcAxgd?
zr|*W?0c*3NY9%te=xzB45F9EM(;#)Kp7eUG5EsTIHW_!N-`|^Hn)5*KM<Mu&$Nf90
zRPFMxGs?sp*dn#pou_njl{_yyW0}!Z+-~YxvKbJRlT_N|5$;VB=23!X884~jII6~F
z-mLQac0FM{4m?L>|0kMLd;8<_D_3)Rf#N31(eQ7zmrwW6G0Uy;mK~K!^L6=nff)Z`
zCDdj<4r)>GgBwdAZgxF$fw$S1Dja9St_}~s46GzGjL^tQn{Fcer)vJ;DhjSn_!g_b
zGBLBbj9JGNZt*A#;QT;gf<v&IU(S6fThdbf#ZkdjYCcAD7;_p?a*;_>RHTLO3@J7?
z4gC*P9mnt0y4ekxAqj{T|Fd<mjr?<GNU^r1T&UeuOjA{BX{LV4xzZ0CayJvt=<6}c
zrONmH@G>qO*ZnJ}I)CmkB}W74v0+k5rkfJew!ni3FOVM?xE<A5xoDCt!?Th?*GV1Y
z2<GjO7+PCgtIcx`Qn~hukIo#AmYt2%D~|e&Qj<voP@Ca<<kN(l-aYIZuMr3b=@Gjs
zWp5x=X*l$fGiJy9BDMNHgYTB<=eH9r?S&WSaX`0GfN@7ilI%Zdffs9;VK;rBuT1tn
zkY~&B(yOui-qF2oGd_$egZVn90Y-1HG0jbXl`{&nMBd!#OFx0@IDrhn?^zQaBt{VU
z$_{5;#Q+G1VW^M#xT4YU9_n0V*<e%o2|$aJ+g9Jujdplp258;4S#nXX-EpzL*zF|=
z&wD#WH)diQD!V~Bms2=+L---X(r#-aTJ#y(x(HRUTGTRHJ5KVSQaa+~X0A1+986>f
zWvLFm)6e}Sk|1SaAu#_tS&k&tBhO{wJcvp3hV33L7M+lKMYyiu&v87*h>Lljdzg>X
z7H;EV|9G_7w(?ym$zU`pGm$P|wO1G(lqM`|cV`!lWYB%7?e+$Aa1dcQYhj7~Y0!b=
z@-o_w;^aTDPPjJqgDs2wVF(AE#jp8$$u`9zG|Q*&Md0eIE16M<-+xhEU1E0O6QLPb
zwgR9Jrsn^$-1Oh3M;+-H=Q!9oFOe9bI@oSknR>|t`!Kjm?EB&}+vz~))fVQ|L};XK
zbA15$$5wD{3nSKE3hUB@`U<{v@cf3fE%+XyiNQ=dQ7+4ug7l5Ngzi?~uPS0av5ECC
z#pIH{%}Eh?GcoyDK5BkCk)%u3##a<+DC+M7zDX^2&!SJ7O!thqT@Q-FpBNKKtqcK>
zu;)8TMI$58uky*J+Lf=j*uS$+6S}GFN=80BD+Ni>)HTK(fu`P^1<?#%y0>R}u<#Ei
z3|ewBWTOoRZ5VAc)rox<kSy*m45+<==e>mXwsUby^KrE}5Nkv-ZdDYJw#km}<Z1EE
zAtk}=g-7+xj(9o9gnPyGOCdse%d=0D#1B1bW~P5w^3R^DC_g#r<@#V$UJA_)zb|Th
zP*<M2+D-gxBlho_z!bWoMt+8h&F~ISB9Z6Dnv&Pa;@LFfr_0FEtmrq|g({owtU(PS
zozI?hw6wIH0!7=362ij5tVBXc5&r(0wQs2yk&(k8@QKy1!^}jAJ$e6t-Rq==GXI=~
z@}0Ub@gL;-Hdi~8?gNY(XB11r{DBO+L<3RtZ}7i&Kx_K{%Ygsi;^z0Ciba*JV2Jw~
z0b{y1T;ByMMBWQkaA;Ppg@>RLoy<5g0#$AU;-vkB|Hkbf1YQ-f?r-`5m((UAQ3dGo
zv!`RA<@u~!3Eht$y|ZM&H+AKDd))Ux%jX01sL?|UyGGP1uREsI@_EX!aB0Pn_n63a
zjCxN(SpNOG4r#*G;_GRzJ3?(>?kDxH>85bENuZZO41muUHt~zxJ^?*J_xlTswUYK>
z5osS$(R!Y4*lY?Rp_7c2xz!tXPPyAr(|zKZ<*R(q2{?jjX`OGQ?d}U)>c@nf)VI??
zKeVTpv<teXXYL=&ajBlf&xmDe{+e^E3_ev!=-h802txZcyxq}y+Q6RItv)_y-4oM@
zC>-F&O9005LwDnEXSI3K>7X**meY$t3|k=68uag0NK<B|h)@~}vG>#YRtN^*rJrvH
zfCpV{VC+2~rXlTkK67dL*`gV6=6|-@i>j|G=Wht_YeDM$T3S}Q=vfhve%Pb%x^JeY
zb5kd{X98cC4ZSQalaN<vY)KUt;vYQ75W8o2!muaCGj^4SLfS{Z@MC~JUVV+h&o1L?
z6^fkIBLQ^2%0Hu3`-~Hh&vvbTfc#Ndw!uv1sQ1cltZ@OJ$Fz~(XG<!mkd;+%AZbBL
zn^s@8{9Ye7Pu4&c9!Ixp{DnUIC+$}&OHBath-4DDAkfQt=gJMgVNV<29;)M1#3*->
zikA6>2-EKp(R7DdP7<T??kCvd=ID{zN|ZYrb&DBrw^TixwR!nw(@jw7Mcip41kBC5
zcsmJ@AO=@?UWNf|m#3az0Mx`O-w#^=m6|V$cyn1YI_NRPGeh_gq<a=Xa!qE1XfXjq
zy;9bYpqB|hg`kL<z#v{-p8J&H7(-<yuo{)`6ZJBqT965`!G^oY08*`OjSt35;1_fi
z)?4^!W}!-W0}auoy`Q65w%(6BYnc@&Y8|&e^ZHSdJM^nONI0ICg-t$=obj-A)h*`F
zV&!M+>Ok*<lfi1!UI(H8gLBzEP*Or1J#OVY=fsAewbH5S`F@TurW``Fe)fGJWR+aD
zp8A`0K?GTgMsFPeLT{=+Ep{1Ct&ZSnlR*Ms|IXWK;_yInr_tO{?S2~F#|u$52H?fk
z;Bf?;$=c(&)ocu?`8079UklIsekH7}c6de4#-~(WEi(v_=G5o4ap`gPefPlCITT2u
zH#NcubXl5E2w8R8X#}h|>mjG5VBvU~*xt8*&`<17NzQy;uY1p4e_gH6HG7=Ibj;PF
z&OPd#t#QhvFLs7t&vm)37!0g-tp-I^TZu01{(Q%wmb<t5G|C67c{9o=Blrwzvi7Fe
z*h>xcYd!A;5PLS3X4`g}T{Xnf*t~uz!BHhi@!UFj&7fRDYGTFzHR|ZY-TW{HdMapx
zKk;5aJ8Qq3%AKO?3(SAL$zS3GAlBW&I}g+nPR~@2KkqkoR8)DL*#OU|<)E0Aj@7cG
z$4$#yU*7v=8a511#$z~u(X_O}A#laJ4X;nD(EKz0JJ1?*d}<WKr{$UX6Bc#tt3}=T
z%E_HOY-`0`Y}DX=AI_XW;`&3M>|7T8%SncpkjkBR{mxn?)O=mJQSf3CvIp>bx?NjN
z^19g>hZp3BPG*3tTdMxF61#2YFEu@%U-a7AQrrUa1MqCXUW54|uuSUbHKy0+a7|#B
z>%k@;=gXSyQ@pXYmsK+`5OO8GbmtFy#INS9)+GeeKj~<hI`fDqX`*$)mf5>yk?A04
zZ~opm2<UnL1XwGP?YQ{+APHQ&Rd<|E4>W0!9Ifhnko@vvCP>t27^csO`nZc+uGJTC
z0ht3qfUWn<U`#J&$T%<+_0-#UdGKONh2yT>)4LY~=zi8~>H!Bi4Ni}OH*-r>9LE6i
zzTR&PV$<On1X~H%F*{C}7RfSMp=a885PxPD#cVq<Y%o4(+BP~G^(M-sy3+vr(y`~H
zdvrcsU_i$N@9F?&z^wK?3_xeEdvDv?Ve?WaXKEk-@KzW7%^Q?CX)$4CDhdprgXZwk
z(~i?lMm>=04F*Pb)`_!A=fjNN%dVBmVRi~ojuUtRfvLB&_3i{CBLnaP>jKjoO^wS*
zJMp_F4=;DX`P=!1V=dbyxy?|o(}<WC*VeZk*Si;OW%qnOkAI^(Pg7Q(o)=o7XHTnm
z;HQ2K(i!zN2q(}U3OJJy%ZBc-#H+$d;tf$U3L0d@@hB`!aNPOW4nu8U?1vS+YiTlF
zkyfih*1XPYD9thg-SUTNyi1<Le1%sKA=D@t{lMdj-8BK%bW3wYe>BVWn%CaWn}vXd
zZ6dheN}~!sc2B4DT5uWqCUxDX$66o(S5CKa$l#eNPGwIdtnPfv*js8VsZm1ijazQ~
zRcx_Y>e-dqDFJ9T6<}^jXqM3$SB|yKFCF0RvYEyEQ26Yk!U1>3?=s^R=TYVOl*-Cq
z+IA%g%;2_Gd!9ILiWY2xMm(IofsDHMOzzWCf@fFSp?(45mosPz;HSH``(u=|tUsqO
z>vz)3R&C3~?(6qDDx5IT{@vOYL{FcS5qz_1goO@#-aWJb=>2m$t96&s(;*q*Wbr;5
zb|XJCitZfGvk)`4I=_6BRZ2$a#4Nw16&P(4>*+cJ+&wI%;(CXGa5i=+ZLS5=)ro{H
z*FA)s(GITx5#oeOt)1X?w_c}WkQ{_`a2IC`((<QZ^EOytpf~2I_D!#VZ(AdAZKNl3
z-{^qWp7zwc+kr&qsX4$iw(~po(+eLA@XD->GdxSRZF<RETKikAy3E#^Pk&k5rC?BV
ze`b6d$d4Jm({%v_RHvTz>OC!iD>RMne9+Hc^0rPx0Nn0#Qz>r^u*UtZp-@<5^y%fR
z%SOq!F?ak8ZLsd<9jf=dpUb#r)i!eKy?*~AN0A4y4Azd_e^%H8K(*iS_{W6tW6Wmq
zRz9foNXkt-ky5ju9z*c8;5_g?8IVCIyp6Ka=e`w04Ssmo^#~on3v{t=vc@h9G+8t7
zTZ@xcPiD+K&FwCA!4PcY8^VDXcv05*Iub1_p$lD&@xJcvhL*<8bO~~l313!>lP2!`
z))Vx0$&36lN~*o5sAiOqUZE#j-l+3i2NUZ@IlvG))vz6)Z4=-)lyw-Gf}(g;=HrUG
zcJ;cd)}KH!D*zP8;(#rfd`4(axV-au*a~5<qiK<IR#!Q@%jzI@R<DkG+8hLQJg+Xd
zCET??3|dzGw6d}a?Wx&E@bTHJAaOaNmebd!W;wRO>v;^4Rv(3(lu_q|imU~SCGmd|
z@Wgns2;fBc9UuYwcbt1_gBy1b?)!xXTo*l%zY@DPmJV<tStb{9mbZ>sYP6w2yihO6
z)h;-Od5;9iH+}=S!CR#u0gKLqi7r;wvbXcq(YiPLjUh@qfj@87IT5Cx>ghOEXKg2T
z?B_q&^BRYJ<TL&`G$<&0#fg2Zp&Q8|X>X6|eGdt%v-O3De6@=K2M2ZFXh_mIr1uB@
zV8k(vS0HM1bx519#%9cDCALyW?G37X;;4GsfH@vsk2^lgDj!WP)+IUc-7MFy;lPL&
z#RJX@w>_WEs=00VEAB|cF?-x4Ulq5=#$E&-HZY=r4SYi!YvA7l7VG=uLw406(hkwN
z)>riq+_zjEy+j$9%*{lR5|841G73l?+M{JL*?-`ze+Ql#ne)Y*3*?`D`6PPmz21Rv
zWNAE6=-&uW-O~uK`%uBO)pR4Uvj;(%I`nf&gBw|iP48ICfo$0!k{gEKur6@2kuj13
zByDFYj~#wDTlr$!5_do&2IH$0UL9U_oHFfY@J&HWaKP1#kTtLe*ZAC-_uDbdD99pR
z?p%iFLF=p8EC?H(!uEO7it}x9j*BxGx@yE7huU!-QRn1&RR*y3xmH$*6;_!wN%Vpl
z1Hud3lWIGdHMj(xUS3HXl9B<c=?q1OAJeLDI!f^bJy6xC%1Gaw(d7$gb)fV;vL5$8
zm3!@%^C-|55Nv&@V`;y`ls8m-I!>rAN`sB!YoI7f<6aDgxGvjFpGJDCM}r094a)N4
zHn{QNa}*!X!B!vCvtP6X?k?*Kh_EqyflFK>!0P@W1=!6tfW@gUk*W&w_XtKbmFm!l
ze|Zo)3(xocS<J4a1GSpM+`g(n0$n>?JdElZ!dF=AiKvZh41Vf!S`P^-UA^DH09e9z
z9IPPNCjl%6=(pG|yj}O$E_ye2Jb=*t^c@$$FXxz<)8M8<8W-;ef+zhDn7>Nk_O?6T
zSX<)G)9zfb@pQGx$HzLZmgBJl)X8s0A92`T)!AZXOT@!+C3yETZgWPUIT_wFduNgT
zqOZS|{_6e)zJ_qVO+U}t#oNteF#a?+hvOIL&#@^3{nEDAikKl+MBePz4i@i+n6@(4
zCCc*TjTOC4uV2&GzkufnAef&IJY6K=5LmIUwTtYQJbgaC^H^<t?u|WpfxX-+%WV5=
z-QYOD`<&5?vzml?k#N0ftm^T=x(V&1BiRYhG>b=U@<uR@s$rtH(Qkz`<Qrz2wc(Bx
zg=4U%(4bRGl+=7DHY{Qcbn&^^Qb}Lg+F*&kbpltpwdSwrY2S%P<*h#6b)Giz`7}P;
zfS(->!+?>;4^=EI2nsIBSL}i4z*YOw7WAG_0MOGFBGD`@=x}zDt{3OD@Oq9A0$95|
zCISd}uij3f1b%qo!}<MV-TwN1D`ec3CkZXD6b~H)gn1NKAs*QcK2^JflS@M@<rTtx
zv;C(o7(nlri{20b2&$}8$CF>pp)hc8EH+SvoVRP)d4Ja{Km;nS{nq1M=CrZG^4uLx
z^*-};ROeP*B!e+i&+|S)5(6OU&U;aRBB=Y^`_L=krN__9O1K*Z@4T11>k$c$0dpOn
zPGEkM53~cgYO)gdBh?hvvyhURL@hW}!Id!qHSY~P*v|7UBejh@q-GgUn!1<N-oZ9p
zC%PVlq|4IwVZRKj0GDL_;lE!wzOvc_xUJ{fZ~Il$bev`;Uf0G}>bPwJ-@a*_^=}y{
zuAUdS#Jl~}))3joeg_cwEdJ7kg;>DbEHngY#ywDiXI4oUnk)db`C%e%@4fd@Prvv>
zw!Gu8y5ko9oJum<ekJn~JL~S#8kS*}YrY74=6qPcO4Cega?`158a;CB1ZU0NtT;hC
ztN$Fm=nJr$)v5fL({C~FjGn6#b$okh(_|i^E?^xFIQ}$B)#2WxJ9pE%%CvQIdC6OK
z)Zd6`6w>Azn(N(T!y}Q{$5VP)d6d`YwgYKxr5C{#YoCTC!z-T4sMHj-%u=>Y&CYil
zSR6ZY(&#(FfR<O5m3i8`brAB24WMT{AI0cZ96mzVUd>kz<ft7p4S9pfEdMrtgFLTb
zQIRivy|5v^`q~m1ONzvgKXZ6)8?VwZIy=+o(@l5TcDs%Wjd1JGwPBvz)o5NA!GqR;
zeP@u}R6c18ovA=df(M}!+DRI!Bc<eYsVTsRhbC~gw(*M34TK!>=X9XGb5dEOU@1s3
z$%Josf{bKSF}GBTJba6og95ON^1ztU&@CxUxl6`SH!;(DSa4Hav}c}uSlbw_+8+G{
z@<&70<bmxlmeP5DVwug$t>HPhMT}IQ(h+|{4Ap3Mz@ElMGBK3B;yZKxQ>OYrNvm{b
z%kjDBP}$4hiIbg|$~$K;I=}({(2VosE(ZFw0hx?9H+0M*PteOzE$wT`IKgcd_~9l(
zLHFi2`1{RRaq`|@XGxOF60%^P;Ffsq!LCj7NARmC(%(imC)~w(FNbK>aAT4KRGh1u
zCHB1v5cqyQ9{@a7b0tp;Is0uG8eSj~0bC^cP9A+b@^|D;lJD_EZ$>`|fqMDr@^axS
z1!mO*Q0-@Hf3H11JROa9mQG@jfGuMLD$c1FHQB8R((icsG#I#a`cq%s{QhlDxA3vm
xI6eX5Z<g;Qa6GKG3}&nTKNpPq&xNKKeQW9B@LH&==Su%HNsG&iRf_2Q{|}653NHWv

literal 44975
zcmeFY^-~;O&?rnoaCe6Q!4`Li1b3Ik-Q67m1b24`Zi~AIcXtoYqQRa0c;2_}UvPi=
zs_v<pnyQ&I=XCdJ@16)H1xXY{LPRJiC=_WaF%>ANFSSrmpWWf1Kc0BzM%hC_K|?9Y
zsfoiPqQawKz$2q$;Sye7on8Gq{RD#qi-h(u?dJOYzS#-}0r}znA0jH|<;4jkJLY2%
zI7F0xmnR6wXi%SEKEolI&MqGw?!3O-K_IVR;F0cbFCh@fXIKP3fB(1Fhfg1m(6FAL
zZa+c8LVbpZMM57O>_bFBhvdfT=<C0~J-%nfpkUzKHd;a;Ptfovj}KQE*!VDTh)<8#
z5Xk$*`LW5&5*#wd!NK3VCaX`MzhGhFe1b(KAR#wfSi{CAzD^E>^w@K7^O`$&l2Ze&
z8!V8p2_QwuT!Nw};C(DCEW1CDzuW5ph61GI-yj2yHm-i|o*uiqThDFQubEM8?JWjF
z6H=@!Ul34he<`f5FOQB6UR|Ae2FHlYsi_0Cz*VN!Tl*$c3-U_JGytZ?#=5AaYz7t%
zCl?oH4&LASzkde)^!D+w^9XeE{srl_;}sC9t^vWoz?_{Pa?pMi`Ys})svDOO?=lLR
zoE+6RG(ttgn4h2S>h4fhRpa|Exw^72J2NRQCodr-P4-><wZn#;SJ=fj^!DcBvDF&V
z=a8M7ZDQ+ITvB9bZyypG5*-r_G_-`l{FaiMqM~IK9uaP3V=c)`^FvJhrol2Uqp+f)
zjQYFwcS!|QLdu)#v%bC_Gjogd%nXm8k^lakE-lSjG~LjWlaO-A7@3#`MI{TeP!nK$
zunG$!6ALjbKbyRz#quVPafqI|V|+oal5KQrq_Ur*iHm=@fTlARt$2C?$a3xPXC!<r
zZEbTc>Fn}G>~EaPu{}O1<=B)A5{AAS-&y{6*r6c6xtXey65^{$3t1_#m-@;4%BiAJ
z(WJyjXZ?!H<>U^`n$dO$GE^4L%8c79H#&^@`H&uAW2(a@EEl1vZ0egFXZvHlK;QU>
zpjd2DYFv<VMQygRw!1cuYebHHWYI)A(5T{|KS4d*-^pE0QaU3~%D*DNylNp=XCvHq
zI?zqXHYv+hLcO7l+1T7?8KT|UCnd-x5bz6RYtrOsVQuFMDT=+Wv-Or5yZPXC1V<??
z7bqwstpBc0P?_2IP*7i?q{V)yd1jyG*w|ueK0_?1*)s@++-bULo0G_!hvN;SU09Vx
z&=J#SzW1Ax!*C)os!`A$pa$6QC`3VtTG0hHfBjv2pz>U~Q1!iHjay2*Qlp~1#<Q+U
z&F-auKBc0<Tg%Geto!jaJEP9R7Xjgm)Y|0{O03_-{nK?e`?L#c{|8|IKOHO;=!3Wy
z$}OLuphCaP%8Dngh30>TivF~wb`^88+_zg;mbFJJ-Gm08fQ2KD;j&b5e4KkzgHdKH
zHvfqQ7d>kV;`(y(hw;E@DI-VJKj1Nc(T&-wZ^tM)3V#V&HyP<Pl1{7OFm6T2{nc&z
zJo=H->D&K&*rWp?IQA|JO37(M<aY?z3swj9s_#~N6-c||uM(m;2z$K_-7n6<r@$+p
zw$7xTe{A|<Z_#=wGOUzrSq6r}#|q!MSq}Jbg{-!n<7diEG*>Q^YD|yuLNNyh0T9}`
z*RL|mn?qk$)1B-P$=HqK-;sk&=a8QB)eBxo`?h=J+C5}_dng9T2Q`G4>Dpa+N{*;u
ze;8Ugj5p=^JBYJPW`k3ar`-|1;jJ(9ZvAB~iTzoTRBJ^NJL+b-qfvkc7~6Bvl2g$9
zIwv5^Z48F;jBl)E7!GGV`*P#(tYWGaYBTzNGKkwem|KERF&;TP0>{-$amhkq^E#k~
zILwlLXZ&Ska>LOT6@y`_?oKFwMM6N@q;hkDJasII(aABT_GoM|e!Q?Y>;ca}5r@M$
zs2eiU_b&Af9rbwjoahj}KjCKDXNVlw+yjD5&l$6^(D%q;EDnfRyS9)cA5+u?kU+)3
z*A>Vo-cnb|N6zF?3|m$dHCZMu6v-}e*ek1*SJ6>OdxM>|Ge?Hqkt(S`GTy3UbEC-R
z@w6Dq(do<*zpoGrr+m!4#1QC14Pmf1Yv4eM;#9lKP1)E44w0WWFXPgER`;3pmc>{>
zbRk}SM&igiRBI>ByHW?B-h@*5MKK+FDqZEygaR&;sZcNf0(1(zzY3(hB!(B%zyi!!
zH$mMM1xb$^9hv5PH^DzJ|3N*Wg@$-N_vv35djCe#Y0sPMX=z?{z?{TcDc3>FO;1kR
z77t{-Do+TW{<c&wf70*#S+T|c`Fu|iAd{k+FZAB)AiVj^*b>H>&*+uA-~Jw<O%9kn
z{k2^Ues0=6j!IZTHcAS7OG{OhlGqG2Y~sA1<`)oU7mg8oL9MwkBu)*-pD_ms`L<5W
zZ{y%pbwU2^5NNmBN~q9{V8u8m6sZ?fG10`T#S#LDKRC5zcgnt#ezpkMnP9x%Cs|r0
z+$y#0ZOx0y1T0GKe~ZBgby@<S+3U*^P^(CIlZE4psKo;-!wI|GN}&HLlXG=Bb=dqB
zhCEFNz`|DNI@n<JlWlje-R0#~d!W2p7#jZNt^gRXKk@5HWL9rS>PTSq?VNf<JJ$!9
z9TMUnw^xVn3|j?4+L)x5C-FoB%r!nw2|K)9@gf~fWHdN-6rlH>WVwJdD3Oi`aK#Mo
zVkoC|wFByP8hF{Q%+~SzZztG^?BfqI${g_yiM<ZzLJ!7ZOgx5iB_p=d=j~HgjBCcX
z;3WaG%A&xQ1B@mlqC;sCq?U&{_b+3y+fo4IItjom5z({D`VH2{p@Lk35mO5$_`7#9
zEMkfC@Nm!F_}cl&vzJvu5t3}vmY6Nd&~d0Qgsg6tGA{gkxS%dFaKW$NmlyN=JKpCP
ztE(#=I3mW*A+Bz2ZYUe?U|c^*tPF&cVQ4+QmVl2LIn~wcjG?m!Vz!Z6gvTfCck6fC
z_F1wb$`Cul-=|9sJ)0*dgsn_Xw9EExZhBqstp%M|>x<R=%iFC1mvg?ond~2=L3&ZF
z-u~WPE^fD#aJT+&DePsMf0Z56%&z3VSIE1+iQ+PX>gV~Aa98^A&JWxNV=}gO?P%l^
zktqsq%cCMLCW(?LT03GJw*^$pLw0=Lv0xG#Fpj})ioF{qYAB?%#uI91X$_&0xDODM
z;qCJ87m(!7*<>WnM<U{i-x3z}nLeb^UlF$GcT%;s1Ahhno$ZxbhPWJIsjG}`&HsVJ
ztkivZbk|(Yv60Wb{h_J3+{9Ha{$}{Q@^p_{U1hsf(D5jyghGV<2gK_4>4}&8V(}@o
zTCKKP!LK7Xb-S0=%F~nWMqF@ArJi1%6eHu@b~UQ+SM}%t(o`2|9*Z5Yr5Iid87~R-
zynp`{s{As|*|sC4m3)A*j{m-CM~P(mL0YP$HpLqeZuOF@9)IV*eaV|w5G7j5cb$m)
zVq6Py+$Ecu-kfn!7}@1}gG>v2MVe&~$yVc-{o8kx(sP^p`-|h>K0xDErz!8bm_H$u
zNJRZpd@eEhL1qqCMGkMzZ=dwgF1da3(jFhdN$ds69{zmrxSp<#c4P*E%x#6rscrJe
z<f*e|`%-dI5?>BG$21x@E>521F||^uR9vd6ihn1kHrwdw=^Yg#*v?@yC@*{*wjYB!
zO95`%Cg;Dpf%dyRSSb{ctKZ)#qEzSyc>8uT1L0D^xjqSVhHO<_+>|6DKG&9YMhPY$
z;g6F0K1!1IEVoJ$A_eD2&+8GGo)M=4NZ&Kc%Ud=(+8#qfot^n9?kCn7eG8NwT~g87
z&zq-;b8aRN&q+mZ;)J8%FlM`!4&~XSPr(SOTqZljEr;%Kgo*}IfHv0A)BoiDa6bWw
zuiq)U+xIQ>jZZcH(Nv|h%dIHbFi=uvWm0}-?VEJF8N5ca464?FpaRUe{J`<aHicM;
z_L@+u{zRX3f<Mu5dvQznfN^2aAUJ@kEiq2`{c&&10UBDkoLDxxb$#D!=R7cPL1eLm
z#+jX)Sg?ENv)9aO*0(q$X!fN%4Y!`{8d<YbMV&arWJ`!qONnIP=s8iWB;_X3QRBQ{
z>Gzjx%A4C-N=5yMW_1Fm3hvgKe7Y%b0!b8^YQI#)Kcgs{nNnX)YPSk-Y`z@{`&xP3
z^XB4Mvacj6MUWZ<1kO@M((*M;u5Nzcg6H+Q#Jj;FTdiqO)5!rF8U;!sluC~gEek#V
zg`V%L|2B*XD!c9dzHGO&(uV0)9!{SCB+txfXw!-~^U>ox{t#br0XWj0`NccU9H~`K
za3H*fa7OH{lMzq7cmJpt?8_0cqB&z~_<$Rz+tGU`G{hzGeNnRBre;3v5S+=b_(!=w
zzP4|aa$1S$Z5yU1J#9>1lp~uNXz#aGjD!)}+SLNb(*>mD^}9=$zqex(pNGX`Q0DL4
z85w=^la|N3X`I}`w+QIN(BUivQ-*a8oW7I~SLny1{*(+|xgQ#CX@`Y{9Z~Rc>SbeO
z%IqApo3F%GbrYlV4g<mKI0qe2L$rh3?f{JOD@M@E>US-lWFZp3T3nT3ITOB<Fm4dH
z+QElv1mz_(0h8a8h?q#U0-Pb)yrbE4l%Z(`nWd81UX4XvVqqa}D~SZwM!YJkHni9b
z8d-J!LbD=n0~+<P+6rR6`ABfLf{Y`yA@}e9^j>TG{7RP%)*OAkgt6S8)7OZwM#%DQ
zFQG%>I@qtWLpbIl=;h%46b9Mw2e=vjy}!E&cq=Ljxx4x}gxM8Jyp$5%rO4)H#D2jw
zIcqG2=gae97j!?>ngmXApLLcY3Ef)ct`UV{%G4`12Z#VYKpXjNyVmICq?=%eV4#oh
zgBw=Jf%gJtnT2A*!F)X-)O@FlJU%EPL4&M2^ODbv|L)_SDY04$VzB$oN;L2Ttk)rz
zeR>;&>5<`VCR<=$$ynRCP`h(i*EH*RlV6}M_M!*>W=~@#VUjOM0&HUE4w@b9)nUb4
zUFRC3R7M|qakyOi8$it~8ua|jW?9>H@BEnLIh>UqNFnR2=O>EB&B@6b5))D+)p9BP
zWTUxE^K3{iL`eZmc&A)f7gbyPwm3&$<+Ibbh@poh`MgBNtc%Haji0MG2s8eaJd+xE
zhJ0X6O99O8ex7p<c<CcjuAkKeC5RO;owvN!4mj>z-T5UT1S6$pnQ`Pu-)}p5e&^}P
zVg@F3ZiPkBl*o$c{Es?oMAvJpqP1_yq9X^|{<2*2q60({mu|OPdzZO98#s8lZNAed
zkS3641W-yJtNg>&I`?%>5g>|o#-eVe%*!qfl8hv6^?ws?kzkU@P*7+$9L0+zK#HRg
zPYsu;@7M&z&7%dl^8In7s5Ibl7SL)1UyLMK@Dqp_Zljc91Kpbm<$4iUzC^7kx=<5$
zy9V-!e26Zk#54Cq21dR_*~rraS=){VtPUpN?0#>PaF{i6t>rybXY@Z;CD$+k!}(T7
zMS#^0HbUNm1;C<VAE}R#Kq2Phy0qfgzW6ONvTZ7B=6?SB@_Erh(W`JhM1d;uq5%yZ
zqSCHWG`QiVYm6Oo7|X?4;BWI`qi7OKIHVa{;ErMO{9HYcVvV9=kZ%(R{T_3fnLk+M
zuqgqk?{*iOWGp^q^7D(->A6ezo9HGXfJcFKlaSb}RiwB6gix)Pm~;Oc_+jkV-)B$e
z_m#;<b&C=PBm-U~X~tczJy}2xSgfqvB@{C0#y*cyOToLNvM=i5`@pV#bcTkh&I>*m
zSu6s{%R8y7fdR7#UKz@}%}<WZu@{;h{?A!2Noe+N3G&xyMF<1pJ6w2H$|&R3pYfjd
ztu>d=Zydyg$(c?<0}71-KKu&5Y)@Xf-x@3DJ?(`7FMr*a7b`vdBiT5XbK)SletWNs
zyF4-hFY-mHyWOQ6eWs3)rWwB<9C)^N6f*06HFtfhGI{G;G}2q<iw#J=>yNyx%A2nN
zYrl*Vxg3fS?DFu%MTv=xyUpd&^zF<4)75joX5gPx7EK>NtovdkQWVf16GGFVa1Im0
z@pk2K+rg<Pdtu<Y-)Q*+kdu<2vo9snFx^Vvy;=E5DxLdo$y;YX$#>J9MFZ4rez=jk
zbh8+D38Lbg|55v=P*km;1+E>odJFtKoudN{Jy3V!&=P^Z*+%UrhXeLbTA|SEU}yP`
znZWbI#UkAZ8L2W&NXVAFdHMTt4!<6><|yTGWgK@M=IRt#t9MwZ)A&jy%@nF;grdgP
zlA}jHkaW=Rx-jJ1PqBz8)&l*$AtdE2Nobko8i*x-)?)kCJQ?FgcfiXt?;FyQ7!GUg
z>qux49#gijc@Ive$#{~1aW#_<GzhH<FP5;+m`m~AHr4U^@fqb%*?*8odWuN!Z8nr>
z{DE26-?Sh6O>gVzA%J7pbjN*`92og>n{daSdfDUnI^tx(PZEQ$|3I_uL%Cn#X>9zD
zcYgDs2KA?pS<pRf3`M7(-rM7p1DS7MvtHp8ydIg9Z~~r0y8JrPvIEvryZ2G4&0!o*
zN0?c=MT=fxU06%CUeELVhZ3!HJbbQ{@K_Z;ckrmz@6zbANj_~w8Z3##x7_yM2&d}&
z(GQ(*h7==E9AMsm^_G3kld^vuBAL7D=q&M)O*C6e8~I`dybSqsEgLqf)_8<)l$KsK
zzV)-yn})|)$=ORvjI>H*fr+8>2X_d(IH5FLq@b_!o8+`_<NLl*LS|!jz*gTLZ|@u$
zSzEkMJihy-aQDs}d)iVSS94Ci8y_Lo$YoqXde<@&G4GiJU2eK|_q{7R!$0_p-%VXk
z=W9ep<#eOX(%vxr1orT@AzAN4R1vMz5ng*WN7Dg`3t*Gp&eC6v+07+AdL8$n)NO?r
z(gl){EtZMtd9thm#1d0|#slBe84{1ZXw4Z9ky!iOK|&h|3w8<y#y}ebzt-T{R$8!@
z*z)=dT1{>~9ZejFdhK*VRmr%SiGNDXi*w}~C^=56%a-ZV0GN}q<^*3{y!Th~w}#(+
zvZ;oPnFGFzsi{%KyoI6FTyQCtk1k~_r@y|lcxTM|tTn1c+{}Oa2amy9RV8ntEhe51
z7YP`^$S;>RDw7mRs{5S%oiwYmqFQc*KoYCoADE0AnoL<Qlb*|Ny{}?f?Z}jdZ$IYc
z9P@`1S1%{g&hn*-V+koX+Zqpnzh;=iV!<l9>{mZB<vof00*9XF$W1_huH!x(Evrsi
zPUlD5cji^Uei!TaVjRP<wLCH#)Ry!%f#T5)&eepajNED6c1JaAR<JNZlnf`HkhHDp
z#l$Q62=yqMXA0w`)!^RdzrNI@Sc}NYZh`6rHsz@s9XYZJZ8OKaSDgIcf074I!Z?_3
ztFG*&-M?^3%%;zine{719ukoD)8~tY?03#0h%yiVLnLxHxpq#G)2(oY`Xd@->&2|Q
zH49vF@(#vm{0s$EnEEf|E^TRAt96Ic8;TAJDq3Gm{8Y#P`Y~qyhEQ@}0r?}b{4*RQ
zCZ;};bg17O>Q9*@_UN9ZE$x3P=l?hU9|itzDDX2Zux4rac4_%x4llq`Y^=~82FfJu
znW1YC>-JEEc8Wo!yq=hBfej<z*Q%hOH>2uB+=H|3kHKK&0_8%DXjsicsDpe?@WYr=
zDB-I@My{DhAQVROnl7TM&GkD2!}xt*+-$#2!0V+&k1y{{+VuO&ozJYN7{>$%ELz}M
zC_x$6QJJs;)X>madi=L`%WnoRisGNQpa{9H%z!m`J7F@O3O|74*ixtS-js(==Z3s%
zfj}E@*(JU&tGiQEQ|%w)<2LO7bkWs1#0wyeZYO(dnn?eHURXag2f2(2tS`RN(aB14
zM2rrG<6rpuAoF&c;YJ<jCWOOWo8fzK$<U0suqcT0u-Y&q9F>yt_A|=i4b*T`HyA~u
zip!j<yUhF4b9tO?S?P(6>)~G&i_pt9P*(5uK3D(Uos<sSC-bSUqGEyV{s&TO!&aTb
z4ht?S=VS19*M9V*(I|e%DfU;9D#);csvWhWKLb6mSvV^BzfA&O)Q@%tlgP$dy{`7B
zG8Dm0&5>|Bl~Xmtp&@4B36%h@?M!jw-%dA)>XrAoyP!5|*fH(OFAlcG=g>F|8f%<R
zi;3z!XwOLRF9gBZBtxC~umQwn_US4r+&4Et2H$Hgm#08m`wR@v8mvg;SD)}8%?<W-
zT72qkW4rC`ihFX^yFY*ep<gPSWd4R!EP)KI%(j$RfL-i1iV=bJGI-2i$Z8GSiklX}
znTB^v5oSX|;$f@~WxZr7wWK;5TD3+4gL(C%V=OS^cwU$Esx>1jwG9`n^Gn*gEsu1N
z+l)BI<|OuB+h{7J%DKVu&Pp~5qm(8MFTuK~CN#a;p|EE7+?As3FvApli5I0{;Sxjn
zi&v1)rHR37#}p_TdA;xCZDK;8t-=1VChzSz#ms@R`o-+|qK1#el)kP<i#znb)_cqL
zo}*{g1PdhK<?R`yex4BW_fn!3@qgh|t0nb06D<7_5jcI0)Utzsix&W>)Xeka>q^~e
z_7|M@wQxFG4utp}{+SyzAh~>hK3`dhz-X$MyIVLZU(8@b3A!_csWkk+She;zHbIos
z`fYm+8DxZ*%51D{k#y=GJ#dOs(y{?*vvQHIesT8x37+ixQh)9Vu=nZln0Sl{EsR=<
zB@^~PFR)zkgvMP8R~leo#JBzjhr>WYIVEoNx4{Pww6)nYBaG+afApYCa=R!|0<jh#
z(#=k5GtEa!#JEeXjz<Q7`YyY_5jVd3xF3>UBsxCcA=61FaCl5=FeoOtxxOo*wP8LE
zL%P45){W-G;-oXzyRmA~ZY3FFpfM$SU7JL;r0RgJ-xL$<K<(|LULD|mT!wYuDHv<)
zjQuHE)O7=jak{|oT_cgAaS+-&RKIZ&s@5uxw(lLR^Bc$(CC(Fqv1ZBNzmG})cu%X%
zQXGH!p5b1SrWl_l(?-sM4BKSGbGwjJDRJnCeI8~x|85xb5X1i>@aQI8Q*j1K$y7DD
zO`X)Z$j)i-3`ceaeg{sN0feHb@=2f50PUj|MwONDmro?{OS@ALaa#k<BgmS)A&P1(
z#pSFW>n@`a`?_@iIJ@()GNb49y0Bl~e<dgdW$JIM<Gou#c#QsY>f%rDXHDiOvt`-#
zbX!wOmEXU}jf>O~x12i*_amoM?Yg763E8V!Hln}PA>j5qwG%pWQ{yZO=NmdZ*?w2|
zNs5UX#qGg%lF6(}?W_A;BW6W{1IkLA^{@!eF<Ssw6D8T&?yJ#FY}vUYfXZYsJWRAq
zIKGzODd>%$FySRcPl2;D`c9bVm#EiXk{Gl1XIF-Xim1UFaZzX{y<d^RvN)?h_brIV
z3nDAnY<tn5qverK>uR<}wME;+Hw6)wR6`8~?^k>hHXIrs${q67J_@><UKJd=y<-vw
zbr^zHAIF5Ss9LaJbzj74m14^O#9r};&&dle?t;UW+jw=(IH5N;&9FL${UP4i1p;*q
zQbXO@Czc6Ttc-CPG;_PpXEcMl68vYjEU_54b}xnNthJ_dsY<!P+FSb-i$(P~{HbSJ
zGcJa^nag}@u31bg)}uzQIvkS4g3iVO3{VSpW+P}Krxdu#Hh=(VxgMnQ@kW&sXriDy
zNG>`)#!Ol-wXVd=(Q*In)_YT_KpZWDs8a-NmOcl{^0$~Y5tfA1V?bVtdNl95{UqY{
z*$x2KD*QtZxvhr1H(ASfEd+Ej$R_Xq(dhtCbg#$Eq_cMOny3m#zs58B)DLB%TAN)B
z)P0@Lo<A0ZPi@Qn<^yatF{8MW`ljSK*Z=PeJzfg;k8_=d(xyaM>j5OuJ0Q5Ew5gt^
zON!zYuBDN7Q+4%3D__Hs*`Qn+W*((i%owa=Czo&BR(w?94bXYgQ*jp%JKvbE5>($?
zJo{y`i1lqY6;Evm@KR#h4FZAo&9qWst}E*6@2<@y*kPh_zIFvnVaW^-&T-~Xw8e6T
z88?-&4>6;JTF)_Qin1iH)R!2HHBW2EHmf7H6t$(mR^YSJr&Q^%6&YVAs>x{|on>f+
zYFBP;5K!W9ei7{z>}aI6kDo;eN5)%1tKJnY2d*u~EBu<{-@XQ~7BmE(E{`cp(&R)f
z{_13IJ|*sNl)B8bL8UUTc9kD#s+hJ`tfo*n_jmFKVAwhiVv=8G3Z*n4G7w7)^1_Qg
ztJt`0yU1dZtN6>88STo9R;>l#8-fs*_NNS7oOhxi%XJjQxrPyKZ~<=H&!;w3d2w+!
zPl!}jD?w&r2jYwDDfx}#;-5L!?(Tz>1T`{~E1bKux|Xm(O^Xig6)GJ?_h}-my)IgR
zVQRQ@_%N8ULE3kQ69<Wv+te<@WgK&LA<20+ZRXhK#uXI+t{xq%s(KoXUJ7PCCcF$w
z=g>~)wh9$lZ^qupiWh(=LEHn|G*T|NDBQE%x)()hx8v7^uby85k6?QDs${(ItRh$8
zbr@HX5j&!}g5Yr@w4B;1EC=^-o+w+H4QfHk|GKoXum$v05+uWmr#J~y9cO15kyt=m
zkM0Z!SDr9|c)!L;g>c&+{hMtoS3HUz(&Vey_-PdNma3cz0$|Q-(loHOS=P^LstV*a
zMbtSyUEZ0Bq`aub((y)5{lFhf8+-0}2qo-nEY*)w!Xh#tKd*md`IFv@8QGrEbBGiQ
zwC6GUFamDon}PyVrYDSKp~ENLxff`T!3eXpFyrB4^X)!Clb@%PzQ?$Cb$wNfOQDA8
z^1WHODlv@7TbuB)(O6(Y^2!wSJ(REcIv(V4;u3<kF!255bK2jSgZ*j7u9WM40tQW^
z-Yn$Sn<?r++^yW%j9CI%?E2RNO~|Ghox5HRjw!~7OKcDu&T8{G%_(?&t<)@4%{3QP
z@$6@3hQl4Rt<x0tG{K+=AGUnX?%ISuA55Arb3Txs_CHLj(PcguWMkHCsAZO&1@IKm
z*Sh!i(!v$U?~2(cj@d2LDXF`<h#=pRRT0WbkQVAqDig458X(;8+pI!ZYa4HL$?q~!
z@SB?5&Man+e%Hofyvg(8TRNlax`(f4@F6r#T1f0)IVJu@?pqGpa-tHG`Ayx|^M85)
zsDlAMf}}!?LsuU%535Q`EquQicRRQ{b;;2C+i7~?<au^uj4;=5HM^DC<NbQ?=qen@
z?;K>d0vJ0~W6xM6Xv?qH<IbZwKuG=SQ_&D4-du?FqM+`uV<Td<g=39w`UH-)aL0I1
zvr``%*R%sSkfMfPxzN=x_=xOPW&DwOG44D==mONaTYSEr%NjL3?vqO$t&|H@WMEDE
z6+x9{s@XuVmgLnyeMPNEeHXQQqO)+M!j_?~p0B1}LY<5|!ho7%Q-Lnq%7EUBh{&Nt
zrKGX?y|Q63D`7q)NPJAHYD4|}s#PRHP930T7CwH+q9ut#vRPltWnxjGmFh)~A2|wE
zqM$^#!a&U|CK|l%&B`jZFGr+ebD*{kU*IUkm4=%qP*evfQ!N)s1qkM=hOSy`sJYbH
zDx$oJ>;q|O(XS?2^_7ySLY19R`!;*jlx?;%uF>0^Lon6VBjU&Rs`TsFQeKRHvIfi3
zzDw?#Id7(|!dr$62`W~<T$6;QBd_+IY`#?<oOHKVyBvC4rkr*aPf2yt^vW=35!{-J
z(4{S(j@~AtDA%&(PU`pK=+s*tl;C|RKE(Pnc}BY140qX65mK$P3{(4$WVc6Ulw8SQ
zvDuBECdF9faj&kn;@yT-NOo7=qmaV^wy!mvTZidZMptzaSizGKFs1G}t6X4RQ5?p(
zHFM)dJYzBVUkk4-+kBqp%WHyk6-fD5L)bl8hIjEHcy(zb)p5#or4?m{qt)U*b6aZD
z^c_>gz7GqpUz%)1PNmugCAt5A5IM)|TgW|~W+UzB4ftu6(T!s6T=By&GlJJU#qME`
zdLAz_>@KS#M>{9D8}FGbS21n%Z<c!Hxu@Ht0-hT4omV3jikgdpW%ajO>;?-WIGL_v
z22!UCKdhAlYcJuM?7^#z)VP<>V*B1^Fx>X$Z07Y)Za{Tlm|={dvq;@yZP-VwU~|Uu
zxO<uL@^72<fg0HD$@Q2av$PNKYhSM+5Gwk}b92frEwpypZ1M4A{n6GD^T1;Gaj2)`
zZk2eVS$t20P{UyH%fFuc?5DcHS7GoBeF@isOvf=OmECuV6p6VU!xL|{uU<By%*`QF
z(C7Zd?nbW@eO;P}+vomFh}~NAUd;<DtAnb1lDWL2f~^SCrBn_%nIzoH?0s@zous1Z
znX3G%iP7rE;ZvyHtqy^1Eq?4mL;0TC2<1(kn_m%5gT=Hx_i_@o1cACvs@eVuJ-b@D
ze9A&Bo~oEs#o+^3cXn2fBqg`dTfM<Gk5<}WeNMARMwxLFv>q*-;epVb^H$_i5uhB8
zotbfr5#(cDnYhg?&CTA}Q)(MD$bF_2FD(EONq1jqG5(a0bvT16O(zuX73{doobrJ$
z)pf?-So<~jrk9lT?2Oi8#30W5T7*G+7x~AG9hZJBr)js#rwjR7e1q5WniJ4`?Z^*c
zPLJ=Kf|!LbB_(h_jZ}MSo4TAY5CK`fcElkq;K%L;!?48LCK93NYL<7kq19Jwc5f*s
zJc9n*-B;$~PUjQ`AJJ3f!tsPYp(wG*n$!07bxYJY(dD~vDj<QPwM)`eJMYw_jE$;(
zhC}O|)TFkCHqrG+Jvvd1#PN~6IG^aXr_KGGgPCJ5CV`4#Qe$<y7Ou6uOs2BamU3Te
zz3JnMOQJc4sHOo`(pvnHaUoHJE3@NOJ^K1QO@!(GM)q1`=n61xQr^$TG2}MTeo<Zq
zr<l_eg|Xw;?Hp=E_n^$4bilk%qL^6Kr-Y}KDf<SX#EHS$*AZWJGf6QzzG!h6n|NmR
zXb{EoU};0wV$so@fR?whG|yozLWmelBu~k_Ue+_%U~aQ&%AkM#Qn?m?3bK%vlhgqB
zm>_E2{d}n^w;{0TH`5tx^ghR~Lx}1s+hiY0fvQzIqR4Aq6d@BOqQ9E8X6up8iNGL@
z{!$)X&4BDSHi2iFZ(g%o+dG1r>Vg|VJY08oh{y@3mv{j^(G655XLM`o{`RwiW*)C*
zAF#w~B5*AU(NAWWc3}lneRYpSFGA|*K)@{@zINR%mY585a;N7<%qK}aP@j5Um{jA%
zn}81=l;D=Z8}Uu?Xu@t9L*Ukv^E7iXj*yoHdr!-Kgo#_ob#;#`NQXKa0qnQEA)H@3
zZT$1Bafni;S|<+5JC0dW(LpK(fTKLdqq|fWS$+{Q8FHWrYL-%&;^HdBZ(c~t0z#Ch
z`DTM5tFGy@hg;4PFK}SO8`N;I?7;cVal+&UN6vqznpA%iMo@2vku~Bxw{yGd8w!*T
zIRY)KxP-->7v2P=*e}6v&8%msZbc6RZPGh*f1IGHeWfZkMv#7^ufHc=HMr7V-I%jc
z<4ko=I~ocrPR-$Vi(T;I?j@9A$mc`^L$f;@KoebVs|=2d1Tk14NopcX=EWh@b8`xD
zZy}#<4`BUZBhAVj^j1BxMPp$i?2vA2;ekYv*G$aY^_>0GRao83-#979CP*}+AZVr7
zwpQ*1JQWiX#fY5A_<UVwVw&-%l4p>yZI9zT6H&IYuZPrU{o+j~%K8`Qcc-ww1rxRN
z`Rd{QMcrc4ba?Dvz~z1(X@FwTVCe(L;k`vD6R=!w^@)6mCXMT#$k|hwOJNwH5<Qsx
z50<Mwy4e+cd9Z{0oww+rcA;;>6R|RJtYJcVI?B46>~x4gJ@*|UopLl5JB@?i82FOg
z!gFhpy-;AgwUxQ|x<tQOvtOp>SEniW<TMU}-jw15sgNC$UW3<GiPzF0w$7mmudw=*
zqEMPwKcDOE1LNAZu>oa2nB=C?Q)us;MmUiiNu!)uJ-@;#*3lk$Bme~+R2L>sJGPff
z)L-f}rTIRkIiTq0bQD0@^*|1cp2myoxw&I@<C@g&Y`qz;@``j*3`$wYAd5A;VyeHW
zW23t;V-57U<1sI|QszZLEZ4&1+N>x1qN!M)H=Q2!l~t+vci@5~V_-f~D)$lI55h<L
zn6Ex1m{_6<Yj~}m9W)^c@{~R!p~c)E4hn)@Gx<p`$7<mkxSE-*J(LxUaPF8qT0tKy
zphcm%A1O~}37V!GuT%x=v?bjG!JEIn`iLwPeKb<^UlFTDgJir8#v?pjtS$gRsvb2~
zk%Jm*|FEu>p^pE>ks=TzG3duj!?1pJ`al6h?tdD4yD05`N!-Xy5?p+fH7Pu^_mVYS
z1$?X#$S#V@;9#si6_Ib)&QI8sCh*0U%03p<$V}_0V)ME&_`9Xz$uEb!3e~0=#YFnJ
zUN`NUaO9~aLH?A`M3Gju>Xx|4WJ&r00~_>eJpw((G2H>MNOlP+q(3p$8#`)qO_<4q
z&GlgXs-6{`#g~Q^O5woU9S;gQU|2f)w}91;4oWnzuJWFt8V_olO{J{;^(q-iwUe%o
zDPc*A8uQcKcl9nmk%n3nW%BCD+Qz2brz5U1Zn!kyMc7%a-mAjLVrsKeYOBLYXm|`>
ztMta`BOH|V_vmGF7k-4TAKF=H5hW#Ol~x}P6Bx3N1lf1i$FrnTe4sp!QXmDbWrdd^
zhT1T@vQFc!WgRmW^V<+dt^dn$f8zv~untRm$*78%&`-zxwh0T*#2LW7*aak>!T|>Z
z<a<i9ZdBnSiv2&(8_mf#`Pnw^;TW@t)D984=R0QgPDSwtM5hs@DbDEF$RKFU+H}{0
zPxhR8w#k^eQUCpI^$yt2sp&c6sF|wsTEH9i;Rcl(SVdV8w1?o-+if8;0qKvam-t5I
z&*ETv7uQJsIgE{LEmVZls#FGpK$gK_Oh7R7ZHB)Qbj%xxOIvbqq0hR=WTL=P#0w6n
z(^@Qthx{MducE`yb?`eSYcV12K4Z3ge`O$0N*uOjL}%~|eb0(*n5=K5IOB&Ftl%wk
zojk|?CH}!b;d->K&);Ht$uVZGvg4pNMQW*!tfKH~+53G-eE@xn0q+Z?+wYHe9*~!{
z=gy_lr}6IhF<QXo*DRmge&^S@FaS_wmvJ2dIT${*%x%KsYHI-yV^o~Nnk!VUx{|{h
zxbj8!tJl{_B#qjgco^C6^XODe2Iu(2gXAi&wl`dIPi3`%f}p{z`NWyJ?5Q>4{fyEN
zEJnM~o*1VOy!a$?lMZ2*-G7Sqdg5V#f{YtT?&)@wU@G_1tdXsMI7k~Fn*o6)XkkjG
zXlIo^%tzvY$fuyDEI!KvGR3jSv6vgvvaz-|VRyoZ?N^m7LA$BpkT=B)vx7}Kcjllw
z*NK0^#A3D9Bt7H#D>UxM(A3>VKYV^`2#RY2IY`@Uc&BuF%SS$Qk7nrVZp^?`78SG?
zyX}9i9OzIe#u&FiH@Hj;!il|z-pn#QU`!lA<;5WL=sngBYGTOTRN{_ei`}Y6NbOpq
za6pl-ZEqkUtv5`0R*^-nXnTsI+5z^HV|R}%jSe-xEa$E5x?WFP*ECI8d+3`SN9oYq
zf2d>L&BoGY6#uq$_lm+Ajkg6%(B&B#;w9tbsuS3URnSqEd7S~WgP3aceMH^jRc<eZ
zqp4C%LvW8mD8f5gh=7K@SI{`f?5z68Yt!Y~_R>(ckEQPRB0zeCK(;S5<uGwZsNMLh
z*G~q7H0qo}Q*ZUv)L#!@frF{PM5rG;@BLxM@zod*0?76eLY%+@`|ZqNBle`z?r#lW
z4dgyAh*laB0bUI2F2*<Snw&(_kG%@-)pQ5O-nN~ux)p6|xBqGCqUpCW_qI!$Yaa7T
z3#U`t^oL8`8YyZ!s=I&LwGq+Za;6|5==G*g@#8ZmVuk#`L>GJb9d-A|(_YxNcWgVf
znQL=8J?kPiRYxP+i%G88K87bYL14oVK6Q`oR~uM?Uv8@_pqCByPW|XN;r%xT5Nnt!
zZ9PrjLWaVnS|Va>%o88I+<n8Kyryb>>=~7&k`h@&(D-512AX8;2m|(oR_%b)b}FFW
z4M)kKE*FIj)E?aFuPGx$hUH9JO8FHygylI5?OnK^*1)GB_u2C2416mmhl;43zsE27
zxv4+q1?KKy$o;MBCi_kj0ceV~h#Q0qh2emcH^kJd5oIaR9O7Q}SD;DUtE$Lkl<K5~
zm-rh#&%9@WkTx&lSW=mOOPyoU(c(&1{Y3hSz>BTem&(}{OQ#2OLHMQ%(%lTtnxNwF
z{r=m)Zx6n5Wosg_Y`<y#pkpLy_^@|!`y?;I!{hRz#S7(}Hp}u-N`w=bv?{h1i<?T8
z3^h}VW;1tQhx5h?k)gaGu3LF}0`(!dP4Da|-=^6xKf7E8rCi2Y^ThIX?p*5CMnhcx
z@;v*HL#|a{7H^aI1FC4f6U#7g<#QVQy8ED0PDdzMd{&^lQfEqj6gV}4;ceTGkZ@x>
zTs%=)i#^UU@cVHX`ZE*RtKa3VF!w99N~D7SRzzRO=rxP`CV%9a6=pU`O;qyS#~a42
zjfy%FCwMBDC8Q$W2)d=nbjB#rGevg;%c1bBN-;`I2Okb(ygw4a{=&FRq%YK|IGL0a
z)DU58)IAm$*(-Ts5zAOFux7$G6#nK%g6ex#w@PTqepG~B)b6J}sc!8dNR^p~p9F4X
z_oI)w^ndyJtRu>(CZWafaxSwfHU10fTI^VXh4BkO0ucCY(&f=xQCyw9HB%(MNJ<|x
zb4xB?C7^u1!!D4c{?T8=^5|~v(ArjMm{DC;XC|%FvN1=`p%gMkMZX!Hpx4x5*XxyJ
zJz}Nk-dmuNe#i0K^<RS^ae7RTqOp4CH;Ni5ev~|St+IR#MJ`1$-Z>@s>Q3R_#IC{M
zJSze39Trr@S_Tgk%vW0^e!Ct_moLIZnjr^z7;q9~Ar?SoG>@=KwccJ|jJ-%T3WaU?
z2b()Nhp(iMvkNrWrU?_!c{|*BvWw%ip8}p*hT5H+k7}lfAQuL;_^cvREYv;zdt#qh
z0fLffrtKEJ*Ml+gpfo1fkZ6yle0fkK1?|j(r%>0hH-!N$Ftqo`+HN7*ME{yeg^??e
zl0>3*M|;%H%3f_vVycr;rY{lY(N3L>cRGJ!fzV?h-5a%+tvO>@R{HdND(3Kbr?Ig9
zVYXLiv_?VBKsx3elKErR9wAVI!oKj<io(SpXs`poZ#z70TbVe@Hyhr{Ks;oGh<mgx
zA<lYh?XJXYOvo3T##)2O?!XRRnC6>bOL|AJz8i|7_LW+9qutQW`6x}eyCJLm?RDKi
zp6q@wCy#*YWvnVGMY^J<h1xIr^2R}!z4?YrXXB~7Kf>nQmvQ+!F!*-Pp3^!TriGbu
zJmUqO!I@HCE}s1+!pUh?4d`s05;bj04p;h1s#6Z3S4GTO?kBpg1t|-D+e_jMFzDKO
zaa`pds%KSpz6iTtGoo5D!nZ0Vy5V@uw^C&*TC_IWB1^<uF>HZr<deU1sDr20+;N+?
zy`G>E>EBXqxJTagQLx{@XRIK+4yvI^=O+7V#%sjMBsN{~OVQeJWnR(D?`Z$9ir=C4
zqZcb=_KpwwjEGANS>+6wc`f7bm-zl%nx)wa|C#Pop6HxJjy6UF(b$}B2sGsb2_-<=
zZ&BsIs8hb4=j#T8?h}qXfX{oLQ$Z>QpVXA3zQE1$w118j)p)Lrb_L0YGkA;t&H2mW
zAgZ%S&A!fn<|wJd;eS4Uct0&p*BNi&ZBa&YTBpS}9Dre6El=)wqe#A)G7%1oq0V>c
zGn)>3FUb<dsDnD}=o<&ZO*PZ*lc`ju!F7wYHDvG?O#_t)9)m%rgMa8*2(zAtV=ZN(
zhsJ1cCuO2u3JFH_<8l3*r?;51@wCj40L2sW=$>=}fAEE5?PI8*V8*}=T-F3-qK{OV
zOI;vLKaXy&@nVYWY<5J~T-BUQd4~alIUAmx<hLyD$l3LY4=rjdZCSNH;ZheF8Szov
zD)G{O*&mEsbX!`K=YnKzJlQRgE#N&(sWDKhTj*^Xs~+<8xPCc|j{czQBgIpX8vK2<
zaI4ipdrn03M(1Jo2bYi(pw!c}StxoOu{(1KwWb@Ae8UZYH7}5;)e~V&H)I91Q}iaW
zZ>Xk}Zt=C+edM4b0LFuIn?_6hGB44qcpCy%>lu2?Ue?Xu?)8y{>@EZGX%tsY^8<C!
z*hi?ar-u=l@;%#r(R|t@-;l+jmuJdfX}oSq^PEF>==XJY9(;pOjR)3qHB#XgrYQ+n
z=!;-%nAq{+Ae+p}(!#!|fR)XcsIV=j;$>+Cdd-+iN#f#0V~lUBIpCMdN=BTgJ1<rR
zyc!3j3$9Ad%?B;7cSkj(T=b6OyfqxeBwniL)#`_-RpssoGj3`Tzf@`nN=+psGk1tE
z36UUrx2V-@dXV`82P{t?;zc=Q1P$rqyaG^p!E~q3dZ4pE0B7dZGaTY&UleK}a%r_J
z#^80kNI8JlXL1>UsbPUlxGGlz!o=isFvl#fU<8jnfa!SJNEe>bO7gnps!@{Rx(;p3
zq((XpPpQ1~#OPj{UStYBDkwtukyj}BVxhX3d(H%K^;>a<Ff<Z0B_I2E>0LM57T$!_
zJ#rcZ`<8$FdZH+QpIIYEv2T5-x_-9on?b05Z2={LqDEVm3=~loeoN!4_`cetXGB;4
z)Cp)J@v}Xi`KX_7uN_F3QV26O=YZ|0D^FjW9wQ39+>)t%7A<l^2Fo2Zxs&?+x*W_s
zYlgA3cYCxv6Raa_q@vzb25WsRGB+eQY(0KZ&;%#as|(VZgt8BgAKu2okmqiJZ1sw~
z)3WplByP)3F|BI$DAc`94mVeiys~>B&d{6ecx?5{>l=U9jto+lp%wIW&I=xh(^{n#
zd2aO9Fm?q^M{RYBPEe}W<niLDB+~9Y1o8qBtS8N6Ya&s;C$td1O-ca8pM9)H#49pN
zC!^H#=w;AMuA<c7UR1OoFGwo)QECS>+E!`o08-qgm7nk-KQ4B|Yxwb&7v-nU*>Fno
z$+<duN+ij!oU#PGu6GCBa@-(3G>Ue<S5<j#?n{hQ#hD)+3^%9R>lp{Z3(ARSBuDo^
zkqYMd=>+=eQM&_Da$IkpmOY8<US@CRX9N19fI4kzkD}6+15(V^;$@NjliP^}-4%m`
zdIF}cmQ|dJ2u{<Q3T8`AdU<F43?{aB9N8SrMWj7?=XW^dqwVGFf8NJ$*ST_KN58Qr
zF9Sz@8R*1I!OT-tSG34s+WF47tNR@n7dZ|2l+T*o-Q$^X##WxtOfj`qY>@+D9C)9z
z8fq6FJQS*~;}x_t7uPehg`)>+D#*@c&DNipv^5uf1VsAooCj)eOA=Kv>cTif%kth2
zG}-AC#hqVNe~qp-;3Lk@xXNT_JBYiNoScmGBC|tY^u2lyFuTLA7a-mBDhYld<{tlH
z1J7B_D?XVY8$pLH&0Nf*J$ym)$(k*{RC+^QDb!pJ%yN_+ytV0l=AvxTg0%&2m*5+|
zh3L#}Xg^=Y>v(HYPse4_w7aNBB*cF7m(YI<7l1~Qtue7>))Lcd+wc1SN`{A96jkO_
zKF~38C(&23!TFhu<BRCXRL!6aMs>N`2j#U!2HcNYVo-Vfk#63=BJS;X(;|Wn{Y=l0
z#yU6Ii}*W%Ugt_~kHkbNK~A5oML8`7!FKuQUUgqu9NCT$sM5TE$xU<B(x6YY*Qtd)
zTD`kGkZ8Q4q{~Sh*<YPD&kMMcU9m=L*@LKHS+oBw1s3`)4+g6wlkOQkE$z_l;2XC~
zD_CRi#r&9`S&YKXdk1^uy<HznFb6!HbvOve;k9)~?WB7?9c|C4v0J=f_tfNNUZCy!
zz@}6eelw<Y%cAoP5D8hUJ1&kwx(D&Ov6n{{U{ZnCl7`-s!1hTuKfd8prF@w3@?Zs@
zxhwN@bLRzvMq35jq-0w8jV)l~;uI_)r?tvzB#G=j!!a+5)1(cF9p9;~Zq(G-dY$!j
zPy}<#<wMd-AEM9K`plvR>9rBImO^Rw-d#2OgV;%aA5`7{sYSnb%Enal{8-dr=4(0o
zej0S7+2zdwpxgKjt#rny6JV!*W}CEDXF2)tV?pkAXLS!_;!$B9cl4BT*lqC=o61Wy
z=XmNp!}{yVkHKkzqi3_Y(IB#=mHe%Ndp{xv<lNA|dna%2&&L<wc@K7{0Iw_l90CP~
zhnLgMj#9<EZvMY<%R~y7qE^F($<A`PZQ(^OF{8DBkWsPAVlZe5A9b=z6fi2rD#V?;
zd1U6i576N1uVuiRqGD1>YY4=SMJcm(sIOyP-A$v=?X7i=tbk370WpDZ`;7(BH?xg3
zvbhWH^-i?KQ$EiQNyJ7kDGmL?aiiO{XRwKe{noTqUL+3tdqk)Cea-zL=2G6)R?gbI
z6qZQBqR!(*g_oNKV8rzGX)`9~!nr)AoD*$`oCYofE%h(>efW2(iFd?=nqyNjS<R!h
zpG1XsqQ5CE$@77WOIILEKVict0i_0m@fp(()4{@t$WAQ);UwVag+*G0P|u@w>R3!)
zThthTP7k6*yZv_YZf8qQ+#)iS5-3WCL@O#5?g+Qvh~n?XtI}Y8OvE|k(VkRZmg?ug
zTHr2?3Qx4?tIA+_QEHSlw@I?1w=Ewev15KBi4|QIo|LL5n0BcHW^c;{56SO3jOdnM
z#i$SF9Se=(HGRINO0dbxVY;${U(;WWP_eL;%OdakGn53C2mj>Gj`A49L(EB*rou+0
zZefm%@kN&sU}s&udoaGAdkUw)3T61^F&F`tepAlj3Nd$puqwu-fp~ZcF!usy9OU$f
z$G`w3!5P5v;pbLL@f=pHVn|=VsM9^$(?@9Dmbmkh2z@kc#tNq!Cd{i;N?XP$sk&Vp
z;AAzQ>vSXy(Q}0@4Hy}GVi|iXL`cP#nya<bipR>wXD$_GrTp$v^Onf-(Y#qC^>351
zKuzixzF&MSRc-uR>dfhm*^?FKr~PuoD(krD<Tw<lzdw{2POfH^0G3WgI}|Yv2B@4P
z`t*n@mhkFK6|~`$&`{BQkrIMJm@=@8u^hUsc6aMYy5yK>Tj;XCjNue+rIBwDf3kj`
z{o5faTK;<wqb6*AeGIi)u*F01bnZhso<#}?N0DZ}Kt-!WN`5Rux~9iTjHgr_p3YJ5
z6`Em!9%=}_@EEl_Yy~sHY!HzU#ws-9Gt?hT^96X$|C@G0sGmjvYd<+ZKR;$aR!p^p
zXYW&lNQYlCuYPQiOq+l)OI!V_^+{z3t&Tta1*vp#Y3v<&o(0V<0{Z%wF0|44{C9VE
zPi->(e;%cHowhGF6$R=#ng#T?#&N8dl%g2*qNM#kMb|V35l}`K*vMakt5sDU$qHO+
zBLUJCdB4}S|NSF`B4rh#CS7?R><M^$B7;1>_xC`+U7J_VtTZfL9eFG(IcZh<a6$%N
zogSxnkoWhj0D+e{hi=GA&sL>dG7rdDwq*QTjI_h!VQBBbn2{Y9UmS0Ed)@9j^e^lQ
znRc+)qTjy*O~tOq-6-bn#&BevzxkVFC=xK;&Ij{o(^GuSS2Ib9_8UB>E3*#oT}_=E
zb7^ajJ*aPcs}^~F?ql0IJrRjyk7Ik6ui!8%i9khCK8}y6d62dyfs5MpP;J{$SKK>A
z-y2Ypga7-#JcCZG@a4F`lrkOd<co6KyNzU^IW`6CSn8C6ot=Ik-R|$8^;}=6NP56p
zkr_&UdA<^Da#?p7Fj0F69_th>h`IYNOp7QkH;3PBt<g%gBs+)yVy4b1Ab`eR;Xxac
z_bzZgN|Q(IamMU5rt%6+hPC~CX%RR3Svq3AWP*xH;br_36^6jNj%r?OLHOz{zff_F
z*VS^bPRm93)!3ucV?j1mM_cEuq!PeswSc(v3RG9OCeRV7MeeOSlV(obKr8+c=^&(w
zxBq{70pw{%d<6Atme+}O7Hy=g%}!s7%>rNI8A4bRQDD#z4PNKl8m4kdEKJrmoQ8A#
zHq}6Dj~`Had_eEQeMm1mi{|_3z`!MrB<GYiKAGoqMmTRI(@vDR*_1EpnI>0ICWLi3
zna*XJbd%>aD_~K(g5TOncCVD{X6x@U4rmF`OOyrFQK=38+r9<Te{uX0m7<{L(^=2p
zDM&h<dJ7ngSJPCteeXiTr9aPXwH~eLf_vM5=f;cX>3%E?`~P@5$M#5~Zeh<%oJ?%n
zwmtF0>e#lOOl;e>ZQHhO+iyS5Ip;6D`?~r|SM9E@>eXv6+<UDomPMnr1WLssO!{Ly
zuD4Rg^-}!^Z1$^*3jMLTZ{O;VdwAd%<DOK>QQm7X;J2BC8Uc!J>QvrWs7W?UxvluY
zYJG5&*Y}pGDory>*BUWQKA?sQnAZiyDnoYeCKZSIQF`|tx@a-AlLCWg7S7J(9{&&l
zDwTiHD>ZJl>mn{nFN2o5L{8EFT)9c?X1_c^;ToKl@vz??iWHm1s{g)--;Y@3qv^d%
z^!d7HRIDn>z;!VN9t@63J6dmO#m@GkpW@}{O|wsmL*1lwV2^qy;%n=^+V<5|_Ap#k
z{Imrfr=^8<GfaiYbG5sCx!qsBBJxu{-80%!cH{SB<!cbR84x{9{&BJJ%@BUl+hRA*
zhUfnD4&R;aF)>#i$<NPNqL1?0gYLTLQQlG?Y%KkL6b$e4;&xS`HXlKBjOWf~VZi&N
zm*`HMlWTHeqF#*stJG7;XWKxhW-0K<gXdoO9B(R4P9yPVOla~*wEK^o1dPZ3aG=0|
z18Z70XiPu4j~6j&yxBgS*UKq#V}#8)e>UqDCj0ZW578MD4NUnS{qXNjuJ?nA>+eRV
zX4%q}&na|#JT5~FH3#;u54WD@9MJP%cuIcH?~7amG3j#au-Q=gaR7QniDO<{QCnNl
zTL6j|<RldNbAek|S*xs*B0zLujA>D^yjaC#4Ctm^<LP{C4@Z=Go#-6izG)XV^L)L+
z7X{(I9fiK>K_yLl26sG1(|g|Dy=ey}V7PuBs}(`wy?ea+BUR*A50}DI?!SM``|xv*
z12AOL>t;8?u`?r_diOp|w6)m1KiX8Mc_Lsf7-w2?e0{i@hRLFKPl(#MG*Mu`Wq`Mz
z@BKU-JTkz?eV%;_%~kEycqr@HZ8yeoS92+GS73YMcSya>^-Pf%T3_$&N<IZZ<ZRUc
z2<=V}b6T2<h9Cln1`dpVWp>-(h;3)y9n@d1;K?KzQ(VpY7qxi&6hYb;)}&Ne-+^tB
zx({pY7N~)a3qfpSiznI}iB{D^E9Z2k4~NeGITxdk9i{@^i$(o1ww;T_Y_+jk$tF9y
z44;YX@^BI__We=pddUDPMe{vQV_ub+`IuY1ab>EF9rZo`Vmg+a9lH7?02Z!i?sa&m
zgTp%Da78m-f(<$~Nx3UPP!V#qroe9-h3WwUv?Vkq5)jmuDE=9RPYcExiNxgz8Md}h
zCdSRuH8rcrK!Ki#Xjl<>QPb27x{tSV1{o4`QmpZ?7cay=Iat>g=-Sax3h&~8^oUR%
zc{C-32TJ1%xuPEJa70zwu%{uTu4>ZcrnB{|3Dr0Ea7GcG7wP!UjURDI@I@PUgR<v&
zin4ayJ%^}AraM2ZPCL}1b~bL~V7oY9)$@OURPO=+z*uCE{a?<9No2TAqOF2Me5^3m
z=N0sR_ZL@LKao8Dz3jQF*uu(Be|=kh&ACBS1B1A5@h|Q6%J|4P1fU^V8yP7fJ(tOx
zBokOeML9Y&M3OJ*OQaZM&~K&i=Pw%>(1K#V$nhHtG%Gw*7i3&rTA(V^`O8*^$U1S9
zmJ>cI+Dv8!2CF+5vY;}}#<sK+|Ab0GH*Bu34qE^DbivlE&mp4<ay3+t_eQ=#Z3{YN
zNK7o!q)l|G2Lx$*TszKPQHjjGwU!q*MIBD?+p5HHoQ|4%EYohs(N_OaEw;xSjha?d
ziBt#@KmozoPb6!}PEoj)m?-C7ESCq~bj-Q;x8iD>&yUc}{`>yB!EbBRxfbE-;d_u*
z&%^9*|Ff}#$nE7PKG$9%%x;FHToaQ|BROQLgEgX0o66Rg55Fv4<Z0gKNO^~QMr?^;
zwo=@Ec3I7uo!80pw{@Z^$`L9B`@<+w53~o(RS$EK{DOu9<z91h$MrP_kLQPrRS)aU
zvzj#63K}ASC5dF77S{Uu{c+?XR&8PAYP0dRFBtN4XS&kq#6AYAo5SQ5HSahZ|8f;q
zB(scVxZ}0E$6{R}Oj4!0he&GKAtfZXeEYW7`(9!en8#CA8>g_9emEo=_U&^vps~Va
zI!-a&Q3EPUx8KsRAX+{?UYkhzzj!WkFuS%$7fGeZ{Kaa$s!jU!Uf{~qDw!A9Y|3i)
zA5kML2YF#j0F{T{WtowxdNSSm`&gK@1A^)KIx%@s9Q`hB;1MmggK(`VdDmT~Nhzki
z^HTSIld$gC{^8-_<KtKjX!*yzNwm5VDm3UUyo0=W;Gr)J+CKHSZT=}@y2dpcQP^42
z<klZ542M?z-ajR0doZyK$><WprJM9qvZQ{nRRE#`t$CA@0I2eJZ4W-QGKqGqxn8-O
z9tZhuVZ=Z3<~r@<$VAEo{-rTBE`iFzh`shw_0<zLl^3b}K1NGsldD)s@~U*<fqth!
zx@E@G(2KxgDMg(f<SEcaTD^bFd&k`ar3qKW*I~-3EQCUJg@qXqq3Kp;FHO5fByg)6
zmSXNSPt)Wk{Z!ZMvya&#$$*IKeE?EzkfSt(LsfnxEt;jNh-j4@bwhIXLV-9ka%iDV
zBjX;!P<g`p02)#hF|zC3804g0UX<yCrDf6Cymos_!(14a{^O7c#9ZzlnoIML#Q?v`
z>M1$S`p3lo!nlCDy10)=zp%~cS&1E}{wqxOt5MngPPO_GF$NuYEw$ewX>8W&@?IrA
zd)RH={Ld@=_;I>}+uY`SX(S$YqzI_rc|m`M&QU3}uhUt39WJqsLkhyn(yIc>c(m!K
z@3m#glv=0R4%HfMY$(WFL3dA!!Fq`cgppO(eQq>G=G!5J%vLM<&L<a0mROP;fawO>
z$tww^*0Q-%EjYE>#v&CRlyXF#WH9X;cmLkw4;*w#k5HCgsjWMf0OysA>6NCg<hf9)
zJHpaUVwM1Rm9;f;rn9Q080vNJYHG(rutlYm3SE&!uf*JlVUN^fu<7(%kk79*qTV1C
z!vng~%%)*eeJ&>=YxJ4+2vzwJ4mal1->7J6WYtWVe6@f6`y@4C%yoW)VQU&MAe2AR
z!m!>9VL<w++6KClmC_n(Mvp6tNRd{L;P-kVRLn~DGzb;p^1c<5@BKU$1fZnrQ}A)O
zXDSdSVN>_j*YnYwm7j)x$Ggh`6(O@4GVt#{#s`{GcN-k{iJlnNtXLPE+^Mad<Q7dZ
zu5I&3h3^GzBr^BE{OIG2=&#jzg!F_@iTbmmrG(&#zl8CKA%?C<_wYyFw|RM;xaI^<
zJboFmVAt~<%iK;9Of+c7K-;OE^(eLzb6L8y>5rz)K_bHT#UXP?a)XM@rDFdkw=iC`
z*vLqMmtV2F{F1Igp>!o-@Ay6N*G&C=-8lg>dHOJE`Tj?gKi1aGRqaM|$`EvI*zrbr
zbEAn3%p&!>5lgjxnA!wXf1jnessUSDc1l;6nW@fL<gzZNc(vbTi$ofwLovI)()F52
zdqS5`fX4<B&28|0i=eUQVm3v^@`w)0K^!TzB)7mvLpDz>W;DdeRln#q%hA2?Y{^tJ
zTDeTEVy6y<3q$&4PbVcSYkp|*?KONFCc3hYT69A&{(-(dVd0vMrlfwji^6;w06yJd
zrx*hEgaA5@{+-~SAkEG7e1C_8-JbDg&YD`_DNQwLqMw`6GY({qRZpw8Gpbn8$DbA~
z{{zT!qCrEGB+%~HslZnFJSC-&_uu!*F$nV=yRFXKx@laIS7$=Ifu*AB=jw{uE(U07
zt69T!n!eBiVOxzgCCq!{fU+PVeu#S3P||mEP#cDXBWxkMJRr4jd3GdMkMMiYRh5Ev
zgh{8dP=|ejd5XWCX^CcBNSR`>XS`Mpc6wYp*`(=^ZSYkG7Rr!{J;2<MQ#>5yr8Jym
zO8%H^b@2jv(QvCmqGNP@?b<WK^ogwYT8R~x{(rIFzg1oB(aXAmOLWP4x~WBS=1{0K
z>yT-*;+N^T%p{Eam3Z`l?^OPHYENxKtjZnKu_G~d79|%U0pnEIC9THw>rD1oeyrxF
zo1dRUnlzLAK#z=P>zrqHMInL`+sAct)FVkkq=4j@ka4QZ$0mPE(_4o7k7g~NpRSS1
zVv&4soxZJmx9X8m7h&h~q1XCU1)#Z@tbg3oSPDP&X7$vasF4&`^X{(8iW*J2B9{tL
zgUjDMrzG*R^wuySXr<1HddgCx)>^GXaKzOQA|g68@cvH8zD=OW_;@Ydgsqd|RLKH1
zwj(FkRi?M@flBdD^~BOmZKlVZ(Byy<HG8LR9y!GfM^}2TF=wsiN0&6jGA@CQn__u{
zND2l;yMl0$d5zno1vR_X`t!zMN_aAFDQS@gNBNZ`Vq}scgv`ZS)8$cA7FM3C=L7&%
z%}FK$!%~KZqw##AN#Yo*%<__+41hUpT)h)UtJYvY53`?)by<7Xe(svs!!uM=7l$SM
zYty34va>^tk_zBC88(?~oEM~hoixKG;lsT^GwzvZGF;%Fu5#rb8V&Ww(WOLEO*SY)
z$sh&bSIc@->Zcp2?s@xsq#n%rm-GDq=ykq2x^!%GF*TqVY;YWxD$4S`7SxIuLaTfz
zn(In?+^J#t0mSJIT4ts{@4JI`x19L>7SD<4Y7CLX7Xaq;%f$DvFxoRCx$SW%T4G=D
z&jCa6V5yv1*iSSgBw0R$G^O4Wca;EvB3%blh)jZtHsXbh+aY&rrnrTp<bo{;UPhZC
zWcT$IU!+D%DQwWx>N5AJSdwm?#5LmzDCj!&Mm6+%psuz`&!#I>HMTJ1R2(cGjvs1}
zz~%P$n_#E$;-dwXwfzsh%Y<Y}ZqjkBh#a1X7F&8It$Cp;0ijG;Q<pddoh?5a5~A)B
zJ=@`ARNxl3(8(!cS+Vl7?Wq3j;lIeP8T_J_GNyJD7eJ{7G}XmwRYX)NaV>e~39@L^
zrTLZ$%Ij@;YsIQUZXG+)00bL`G#lK&MElZi@j|oNk4J4|p|bhEWT|I+XQVgS+nJH!
zh9-=$Y2$&~eo>U-fhvN=ve?{o7H|6|pxR$Pg#PPIbAE^^y7KK+_BvrW)z3k9WY`Vk
z8cRX{vQ>8VrL+3w=V8~K&pgUd)jP04gN26GRrV>L58}W`Yl7;L0d)Zy`?y_&MyxiJ
zb?b$MRn$sR`NXiZvs7OCA%LCu5gS@*74di^?ELgMJ*bPbc!c~9gOU&$o4jy><_DFq
zi?<ds3Dhg~sD1OzuT5@)U)N<9WMR75*4C#JXl1IWdB+)s8v7EJ`Hi*mW=+W$0m{l-
z3+knQU5DAVEYc4*tVj_wL7UUVplT&*aS!zc?n|3Qohrm5SuwRIMun;)N{Qvp5_<Nv
z{_B<Ooqw<{pk}RVD#YCt($gK23Umt_4M(u5SmJc|_5Dc4J%fOpaKw`%z3GmT%^4>a
zj@R-n73^bm7&}(uW0J|V2pt(f`QAmP5PeY+$!__M`ioh4fNY~&L_D+6TIKAVusybl
z**nVBfmPzXEZr#gsHgz*N{hqV4P`&P`)jh+Z1w(WN`}+X@@iYhq%O_~xnj={Ec~i8
zd-Fvv6b9Av)+cT5{yMlmSmgQDY|Efvh$tlNT3>EQ>%P5G4!)U>TPf3aP-QlH@^q~I
z=($woMO}%@07LJbB&k#xSO=4-n-cvEJF#gtT2>x8=)PLQ@|LC8SzPVdygB>J$J#Ps
zrD$F2fodJg#yruQi><W~UDyy}HC;U~e8@BUfB0VaPz>7)A7su`nW~F>ji{ZBCvOK-
z`UM(7KI*(B=?hvLQ>!L7OWo&z90Hiy%mMk{GQ|)rN@lO>7J>IUaP6Y{&IDaVuduMF
zr<w1cSA5z9enbdnC?c^iDOp$6LG_+<;p%|Cqyg8moq+G@t@dG2yG@TB?)_9=lRED5
zRn?CA@jBUheWN7{dT;|hnvzh-gO=r}5Y2QAa$SE$8Ac2UL55_p78j7@VS3PD0qb9o
z2{A4UJZT7~c_hkdV(Us~#H^C{7Wqe_p=A%z>t&sDvTvszN43oD_3dOFDDKl@s-1eC
zPZ`YHocF2spIO(!1Ic^kpvxcqfhH8V8K|K!eKMg9GYw;x3K3}gtxvnsTOa(*SIc+0
zf>@;<$ye`t#p){0X2>e2`iu>(+uq7DP~oBtKkRcPYVwYU8=hfa*P|V?b(oh#w@e<L
zc+(llexMcRV@CHtyv6#%Hal@~M)T-TR1!%N*9D(oLxQI;OC`;p?zfdAhUvMQE%M6k
zI+YK5q}ONhBu{5HM^P`h0A8UgnZb34+K~whuq#&wnDCw$;zxXUuJ4UFnJnVX{elrP
zPIMhY_U*ZMQWOS)4dG)H4Fn;OZqs_G1UK(a0#Gq#Y+@fHd!kW-YDj4KY@ws@8((c1
zvK0fq%SK^hC<0~c|EUe=Yapu>bdMHoGW$d9)r@k7VoHm5`Bo|>NAXv3rOyHS&SA8>
zKSQ6BueXbhV%zj){lnSlKEJq+D2(JV!WpLj0M1f(htRRBu=^C0h4>hhqCdq+a?K=R
zDUs0fNrT5P89HXz*k)^q2JGCX+YEnS|GvRV-aJ?IpZSqzBOA5<(jyb-@`RV>Wo%kU
z8-Z|F^k)cd0JptP7nF#kq??-0ESmZpk;A0pw~kr;Z2>Dt)8r7@a{JwpR7q|ZJ<QZj
zEdj!x;n!Va;?I601K|)<ktM`IY$Dy~Gtfvlk>H&t=Hp1vy$~x0w)P<-xxEEO-^|Aq
zeMES4$mO&eru9d-#@CCWSBAyIL*3*={fLt3WI;gIL~b8#ZC5BlNom$koJ%8d3JPe0
z8Fb}fXGy>^X2+J{-K@q}hs}4F+Zx|_FT}G?L!hhrc|fD-_H&p(#f1o!o?9__y`Qsm
zNx<1S`Aw`<@)~kWVhkE_7$s?$ikFtwoyvS}`(0YLboTJ$OUlJwUFM^F_s`KcJaPyX
zqP+bE{fqm0Hqi#wKcqBZ7E|&5Jgj2HPgRz~+-~Ibwr;ANU2{-UcuTwuaxE4jw}slZ
z{8Qxt1sy3+>FE0D{goKxGjFk$+H%N_dA1ti@$(aASQw`h6(Km;V8zgHDfO^XN-sQs
z-XoV}Vwx4&)6s_*|B2yMkbAwdF_^pCSO;$6ogCQ?oW4CFYA)zg;+Sqb^c398*UED%
zq$n;7L^l!n+^RV`iYgER(%yFbmuy*fx<%#wLu?yzJRmSkv-W(fG4Zk=e(+m{ydo03
zTMp)g?55n<v00hDEqMKH??xm_j0+x*YYQ(3LvQn?{JLghc!QFM#-oSKPvpC(AvpTl
zS`n@irGdTaGU`5Sf-DeBSEs*5FT(%P-vSO7^X#ulFSHF=#Y5UYp>6Vx{jvF2rras`
zjnEn8rNW5qXlxpYF(<1515)pUmDCRCJX@`oV?nm8e|o{4%MyERF!2E4{8xN0i12XR
zbT#I0G;mui9&St?_8yD-W+EC{_Y#4BN3TkW=nuuNqL@Fbl#)dNo*PO>!M&UJ>7my{
zWt_uwuysgLY4+lBeQnzRI<#%5L^3csN`Yc=lntzv^QF;PafQtf<|74S@bWh*Up{`n
zg#Gp3o{`h_<#htL;p^Ovp{?=;mgOSw716+)4#IE4mmVvenchbJ=c0VxzL3HiwrHC5
zbrNsI$xtQ;x7Nx|d&I*$d}p+uo7kMQASGa->HcP>>ef<J#zd>il2H$;PaLKN9Li6O
zPr)tNXboOXiwPMmG<+z^ND<;qBOoLL>R?#d9oo^Vy5I^7#$HO`X}3i0A8HUUK)G)&
zia_ef-%t6la4CU7nBI<2tMATGG{WL1*ec<wgUSxi>pvXRt8K1kYQ4Wmf>7t~zB;*h
z?fOo4?$~ipVm7a)->~ZLav}O`3_-L;0h}yi4mgb)rwA+^4(|;(VqVPXY5AN{afp?@
zZ%+>+gds=|t^t<na8}%GN#YczAT0beBArYhhQBXHViVbXKC5twxwX-MNUC0CV0rml
zx_-`1{mYmN<XC=bp+?_Uu0Vp;qyybL(lr~6PJ{weF^OL<e6naMfHe{UM9@3A$BmEt
zEZ#8#5>E$7c*T-{Frf<d`G^}PBH=l6wFu5g+$2i|f>g-z+_H{`6F%YxBK>(%8ddp4
z#)D|w5l{|NJ}Q)CVp{U)W&;RisA^`Gj{6?j?e~4!?)NX+G^FIawfO4|CY$Uy;@7Ri
z=(W!IO=z=R&ci0=tpkuSlhQaExo@Z1*sYn$&oM|T_+heVc^OEU!Ybm%R7aJ6GtALa
zA>*&{27J}KpK`xfz;Y-6o4Y&In)AXNcxmA~_N{4we1S)2A6N3|py=&sycx_y#U4}B
zu(pHTG;l0QEb=pC<Cb!?#s<KWd^G^GRZ7md=a`u;SM@2l%It^|AM`{XxzzbVz3{}L
z3K@Xs+DvX}%}3<oLE)h+gCPApmsKCtkuDp?mKzm0gpi3ALgys+e5ynLqk0lSTYnqh
z4+xKE>y7Wu&u!+E%#JPHyPt`_@HF4FnOL>@=KQnAagfc?Y<XW^qu*(9r3oiHoEuar
z%ljRj0rV=jMx+3YAzVcW?s^21qdkr((t=FInEFB<J>SxH0YHX>3S~nXBn1XHC;#;x
zkB~srfd?6U#uZUlfk*(@tamQ)03{W(@@Qr6Lz8;JZ#p6xQT6!@=i83q)L4fqTyl7P
zSq|r6m;f-h9HPVXTQ$Z%PJK-3)wGc1c^wU7_hb~5m2_gHBw{H;*n)8$*R`CJW}I27
zP4k?uO37!JK$(5}aUqbz-{Sdt=fU5(-ov<+ARAgIKd}$Qdx|vQO5+}wt|?<j-}$6d
zp=2g&<!E6i9p}bNh9TamRj2e)DP$HdHW}1lZu@hp4w-{{Ml`iaK~;-KBq8LXI8Dfv
z1Sx`4PzgIEf=<pHO{Z#Ghu1ADS42(oQfgcY8Nf_TckE_Rjp*ZR6pSFlW1oUD5ZaPY
zd0b78+W;8NZ-g?1IY{m_TUT6Ug~n)EW_@Wv9SbbE#wFB-YoabNaA+Q+qfZZ~Ajfz1
zTnD?LU20oJMHx8(PF@1=-_%j6Ph}Z`AIU}C{R)wQMWh!>BZ`hu2$bV0kL2{%O4ai4
z+>)g2jG7H~6=Mf3Wn_f@klz-<M0ZjgE3CGL8aSSCuEj9=+ZBJO%4Tsjy=2xxXEVn$
zE&5b`Op}Uofs!Od<7WsUS;KMz7)AT^!XRN@B<&lr#|2j=Fvl0bw*S?{bQ_EP_?UPr
zT0;Uzf+7+JaSsV|>BV+x+er(e3{^^W_cPuHpjJ@P*J0N67$GIC3j2b|q8b`ti2Wkh
zHwb219FyZ~bNiAf{TGY0^!RgA1};5Si8FZov{+ol4DOCLxk&t}`yR12VsicYxZOh<
zN^+8oesZC(P`^74WmK}2i6JQQ9tBcrrx^5JFv1kZKtj_2dJdH(zQ2vh8g^_5bgFOQ
zrYIuVq3Yx$G8BB^>^zs|7iV_ZWyt+6^y{I@&WOEKbC{}tdd~V;Ui=ilos3ol%85go
zd0{V*KBU`(-@za4+%?&#iU>3P;@tadlzNgz+DJqB{?Zlc+>9&Yn%^c#HI^l59c4S%
zNN6ZpR-{!u6(itY9BXzfVAHJK`Y|})3Vm%dGwE;4gs~#;e2Zu4X%o^1DK|{^ZRJYL
zHv8GvY|dgiq@K%RasrcPLKOFG-ewaynUYk5bK%yXCz;gLLbpA69_1*x0=reL>%q~M
zb1xy%jBulN3|=a76GC9a@|tHHXQLTIk1w`_G&MIa5J^b81RJPQd)B<Eg!psnHKT&6
zB_k(OP^-cuGo%tc(;#hP1Bq8PdFkRgciOafkdWbjn98E^btCrek0YW!*bwp44>7MV
zu$P1#j3a6k77rdP5zx398CX3IN=jB35vl9+I$U@Ll#MyVEa0&iDb+J>3)x=iz4DoK
zwq4#MJ!q;c3ntKO+sgg1nZ62pZVD)pB%P{kgaBJ8b?e(2-q$=1mrF<?EgmYGQ7KbB
z22hYL`x&~;OaVtPQo;@|MxiMU5P1s+%tb_6u&fTx6*lF;9+JEFW?32c=kE}R@bQk2
z#>2C)93p;+ga~ps6s1U2DK(C$e;d`PwYQJ$*WkvDEm9(G{P08ycq=*W=tw4hiP!}}
zg_n|5+xXVxyqJ^GPGi~7^9ZwvD#(}yhpGf9H!WZd^25b|D%l}vHC%TZ`b(-&R?8|E
zh1?!vqbh8Ef2PNa(-)jIvVU6VGs)#5)GvRPBxzsg(^6>(p#t}<W=yL0+Xw()p9;Lj
z-?34<+-<kTjOHW5UL4z2S@HM}8Psk@V3vd<2GqSl$9GJYd_PzR!Zf*4SX8dk(tz6=
zA8?%zBoijtbeFc4k~Nf(((;GU%1^a3sKtNvQj^grP^7{?FmvgJx}uyYY~KoSF^GT5
zVMr%D9f@b@j?A#nQ|Ym~d0_{jMqEy@wWsX|-dNeg4;ZP`ZiTjB%Sg=+#Yh&ar)YOY
z?4|u%{_3h5S99#|`fg3-h<SR8ui=!ZviEYs99@R`S(aXe4b=I^5Et&HZwE=}Qj&}4
zAL!O8&DZ%5aic-nx@ltFGcRW_E}<Gp`MDUKXoY8;?EG)@&&RaNb54`(xt2}xNT@Ka
zcC9@Ef=2qEm%KS-msRj*0fU?t+`mta$b^2Kgd%7UBj7?P@ijLs4ceN!d{}A|)VdO7
z5v7)}_Wd6VpmVpn1{W^9TZzyKz>+Fa%7kvdCOWMECM1L3$ha%sHd~c5>We3<pU~pL
z318%hY3Oe$kY64W=za_#25F%uZx*(ROp@p+CoVVVBISXCws_3NORK|*xrRV1QXl7^
z?Shc_ET7evE%upXouZwq|GKbGX!e@TE5zTdJ2bAIe4p~5zfydbFpPJ=3;^r(z%sa8
zf8O)ZxO(E+aN&R3dLLhO*BEE_&ZP=i+X)yx+H^mEhu^qx+U`7bX||zJob#UT#P0-z
zkzZ(M)>ywNv_1`rjX%?N3S!y<FOoJo@$2RmEWV}Q=r@E~+)k9;j<wvL_!k*(E)4#)
zO}`U~FMi+oKZOQR?^(FGNdhmLwK9^I^7xGy`Goz<VN&po9Q%x(W9LSRm<$QSz7}lD
zEz*F(PF>0lTxWqn^)+@U3)3I(eA$?T6_BfU2v;j;!5fTVzka?Q2yMt*80-4!H#k`U
zt=@#2v{bSR^Sd`TNU6!(5wR%>gSv>3JvNT$!-NcN^CUdJ=6sN5DyWZyHN8e!>bD0-
z@-T}+$Uro%7Mt&m=q}IO@O5@;B{uT$=lDDJWMM$b?iIcAP?}5sTwyrh=iMOvcZcV`
zcOqYsO~>Ymy>`hz#_OQM=B=;6Wc*2uvJ*RYn(wXelEhr-QKG9&fZr!Pi6U6vTCsNL
z<Ca^Q@QVNQRe6tUjl!-l^-b&1Y??~ktg1N<Dgg)saLbt@$@9T{`!ic9Wt_(^65`^d
zy7&Wvqd8#%!3ZxTIN85KQF^MzAqO<DE`rY5vhGI7b6(4{Au-qZ@QK7U*wD!B9vca>
zN9jmOX}Bx{+0k*H15vEUM6XkuYKxUW=U!t`Mmw1K)8Z0PMj@DEzQ@$oe@^K#O9TF+
z4limFXcm8EXW_sIYa2raC&!WmN-8h_Lj0-kGJ1yJMW3lC<J1a|L@2uakd_+3sy|(}
z6)`Pl{SOkCx1J8M`H3#<)wpS@KQrl_z&&rYPi(e3;muDQlFBeGSP0&~J!L0*A9wOJ
z*sV8Q{NLser5-a=2yvJF2LayIp*2U8s>f!n>BqF&9Mzr(gsK0!?bs6(cZE~Cn2(<$
zE?XTd=wVf^e=ydci%_tQ?B8-w3Ncoo<w9P_S+<NEVfeAfM02RZ!AD&3G*H5L4h5$r
zaxwlMT_V5n&06Iqf6Cfki@P0gapWGqs_CItCcrx0-J@M%C!k@wWjPq%6Y|Zy^cVsU
zQU$l)zuQeT%P0RRWSNHY<m<e=A*B$S{q;^AHT_p@AtmK!Ul~y0?kB_$PT?{bd)ImB
z>gyjb$YmM6#E#BZNONbRzEoT|#uA}O6qaG&o96~NMfO^KXBP2q)|k$AxZN)#XV*xH
zls6yZcRaOk>$q2E5#znhGg;EEeIMqFJnY(bfAi9E-xFD#U?1_ee22R<WC98UisfL3
z1pr6gye~UlpE^{{a(EFoY7TH8IXr5dmj@X?Ifotm$g@cyt^=9!9GHrjbnuFE3SSKK
zt=gI8js-(T><Gz=@qH7gM~f3(eolP~4WKGV!Q?hvIJO@6vZfO8)9k|(nVY%E-eP}9
zD+w*R{IfJ|5nme>jI2Hq_t~d(sMrNhRV<H*Wzu2r^8R9M3>x~2tO8Wd)ZPFJJ8<(>
zD4vK^^gT?4<8n2;y3)-8PY;LkDIpQD5liBOB@(4)4&gbNFbj|oD<7L#1zx-Cw<h{-
zRTK0+jBqqs^{&~l8p*F6tD5d+PoUd%r_k9iBK7<^rE#J24@bIr1K0s)r@?Est8lwp
z&89R`AId4%>6+*M(Ct2n-}QQ^F#C&9IrmTJFVQuP^j%&#z6Ig23?Ts@&C2+)PW(?`
zp9e&Wf;62%GzBL(6i8qOhTeh1Hf>y({@3xCXxk%~=iKREyeEL%(ZasHn=$Ty0|*|i
zQJBihyloj67SPBl40j@Nn4GIi#wq2ri*8~S_)7C`O;rj;)wQ3zodM)^-?)r0EO2pW
zDw_`o=_yi-r-b7`Q4e0xf)fN3PH)%6m^12O4wsWvhY{qvY2GRt_tjApn3K^2yZmvE
zBWksc$AKa{FsZcsy<AEQFzcr&9?m~#+|3jKI0ida_N8y!?R6DCPier7E#!%W<7sx8
zZhx)Y%xXJ}Ki8csY1nk?b&KF(g!2<<*pI)%3-uW_cDupTWxJfuY3O(onBC#Y#d_|A
zM`GImz6dM_b53F3le{0YI(s#E!bsVu0ve|^|5<K#MZPD~`P_D<!#4Vi`Ne_<6BWe0
zt2M@W^31!Gn))EdXKk_ZAK2dpDm;Qm63aU%(K=7tm5WzCPqoHf_4<2mzB+1G5=}!8
znPA;M{S}u=%}Z2a#|)hwCoE>x={RLj4W#!N?R_v2YP$`TcASW<=b6ZGX%({H#?zU2
zae2{yJ$j-jJX=(Fx_@`Z0<O;RKLV6fx}8ehk@ZrK6t%Py|MjuraU!HNPBP%$r=T$t
z#6#kjCGPu;7xEaQAOAIhUqTULi>2jQOq~L?H!pnyZPe51zgfeD_xyf}d}qH}hp2v^
z`+Vo?Jj^W6SRVaqxz1m=>Hd6jyGFmR8T;t9khOl@EPn55b|gNv*`B+$`Z)Q7_*hy?
zUB3D}4ZnYiZ+d^C-Sjy}H_n?Cs~rH5u<4)7M$`Iun5O@_>J<AN{dKPVE8Y|fqbzX4
znbU-aXgvDj%39Up;51;cuB!=z`rt3Yc|@_%^hizt$%H}=TceES-l$G}>%WXEo;f3$
zy5q#5AP!F4;OwF1Nh>F*WKCN2F_c09)9~}SS(DlBQ%fnU@s}o{JUu5iFKTu5G*uza
z;Jaj;i?O4mzFRbG=}2er193X+kr8S*M~RUS7u(Mvtzj-=dxGNtHs3B{EkGz?9nO!b
z1?YQr_L`RTJ)jS%3P#|wUz8{;951%&H=X46m)Z@9U2en9QcOH(I0mNR(DiaO^v?_f
zMcr=GCB$)t{{$QDz6a7n!i{>+a#BP0{rq<4i;3&w_s6FOUJIw$OriUAms;<p2tV~Z
z1nKS_?X}PCsaUhm!zudq_onPNqY4*|`9}JK&FlWVj`!Q_Ww!S%aHcK!q#o}Zg$lve
z>>&DeS37%Z!}@{(K)H9Vz;yYE7=qm8(NcqxspIc}cM*vP%sh#cWAxuAr>iZNwkl<*
zf`ZLo)FR8U_!rxY^KRBtsrOcK>WET<eScg(FQh+t+u5x)Q{xcq2Yyp3Dh1;=dWSPr
z5Q8matw*9;xgRACQ6*cBk!IrIC`=ZD#J6*ii?u<FPE7bfKtoGiIz-E4onLS}-K|WC
z&OgwCGfZx8^Z+sSp>m??Fk6I_s+6IIjGqBvqJ=91C%(B~Sz5(xxR@uB;!Z`6z9|ec
z43Cmr*s*VVTKhLd9!#q-zpPu<vllYAP#?^#(+0b#-XY>TSj?W|z7)O;=WNbuT52b&
z8c3x*6c0sfe?Y-gcUs;TJrL2)|M1Vl5R>;Zm`EDv0_Sz9>K(EWwnQP9GcfSNAYY05
z6ey#E8t<&F%}T84j6v1@8IHt3!#4C0ckoZOemR9n#IBU>@LUMaeo}ky&1%<E>k~=;
zqh(QLI|PYC(pdWqISI-DYLT6-PM+p<a=sa(hsDPMB)q-$EVr(M4*7_&(l}?spa!-1
zZE(naiGH_6eQ5Rv#R8(z(OFK`)iTcpW%b+9IU%bmxXoC(YteI_QX>On^IDTj&`_6U
zO<stlw+}+!t9+_3W%UTx#}~m|cx8%*?oPFLxBnt_QQDiBpwCRv(jas3-`Ws0YV={1
zCbL7S8>+WYYZavci$zX-jOJ~8M}k>EX71h(uFB-E{4<pD(epZ8R@`zvMB<_yjhz}s
zqoh>Ae=$Qy3Yz;huJd8Cv(#e!Dp5(F!{Bo=#8J;>!*5^0dEsUP%!B;26&v0Zz)>Y3
z*O!-*(_$?E74GM^*Y=Z?1{yl-96X`sKL@b^B6IR`a&nsSHDLw$Il%MC^iU<l1O)}{
zBKxS6qWyqV)<9`9g@A8t{zEJN&nf@kMhhJDHKM0Kco09@ryCc4+lQO>6#bX%4z~Cm
z)lX@Vc?+dovg*zC;+LeEf_}Zt9xc<|s)ymc?Q>Nr)%dq$-PE6zf>I0`dA=is%g&d*
z{IGwkW7o=ZFD~E1>3!nqi3Xj1I>tu<DDi)iG6tgkwS!^Tc-fbJv@Z8Pm%=Q+DIQNT
zHIN1lVl6*oj<a<^y4vx*ukv4i@Bl_EGS#v9h}LylG@TN`;$L$oHAjrpVfigtzG>EP
z>sC}MK4fiDuRj8Px&<uk)_M7s9>hf7&LiLOZQjSFrQfdAwyPJqKQ1RrN>xSQ2F;y%
z_O7TV=6kCwt<BVCRriY%jQ)kRJMcErR!ODQYAFKO;x1I$M%3B5J<a9Tv&gr#TeF|m
z_9OZU(k2?_9(TcE);fi^PvdVy3YriC((Id08%U_tTf~Vp?`<dP<&WUgi3}0%K#pzU
z%Y7fWo8lu&nkWBbcZl0txg(9Q9puY#A2(athm#OuJ{u}<kGcw?&;Cc%lpN6(!#Sb}
z1@ki&Nd@X{Og)j1?^@NGK%?j_>Sbutl)wlk^aZVYc7+WQ1g&~oUrEA{g@^qnpks|)
z=C%@fDQ*!4Qf2%0eGV7i-^VHV?HLTlx}$h;;h!{5{f_8mv`Dv!hR-+EhwWorH!ltg
z4Y^9&G3VUwnW_)tXY+4P1&2L6z6JY9WHkTgX-suamR6Uw_F-z@5R++}BOYIi*cx>q
z9#zDS`r`6owMzMt!l58|6U_{2hZ^ys3KpR%e9AVDz@g0Oi8TSJ^X%9fv<>kZ-BBy}
z^lqgA@yAt%^2F|K*Znx6J|fGa&)AQx66CFX$BwtCZmeZw$&XXzm&vo^F9m(Xat2v3
zbD4j~8I8+4dcEUu;h@G=-Bc(<d#m-DzkH;TRIF4+unB;Q^1!{#-F^|v$il*Jw)Ylc
z_>lMfZ^R&3;yB&CQRGnT(Q7@W-X}7$3S;9Bz&7u+nGYQ)P5LFX5Z~Ih4(mw(+d=`e
zVuh}YiPtm@CHo3Ll-^|0u$$_~ncPU@UjVOL^6(EKk&N3g>h0A<wN822$n02A!|0vZ
z<}~a0-r*hd(IKhCu$?p!;LWDjXw%kG)y{omJ;?#1w9Zsc4u$qH^5ljEIuw@1dyGrZ
z9&@{X$6v+_v)>MgOUeZ?7Qj##oO3GTIk^f4Ctug3quuJ;%G+6FQZ3vNJ0cS3)atx3
zJ&!kv_4&B{uVh}j!U=<LS0(LT`^p%xQ@Hc&)Ees!yHVz&XjF6el?M}My;H1RKhicC
zQwG)6)NTYT`^WO^(>DBcV3IwzdC}#gY@ts_FDs#@in*_D6-iXwWtoeUkAeJxS<Crv
zF(P4cqS=bR6ZTbnZ!i;{Z}i_J&wl-vn~ISNwOF-ayNj}Iw!uZ>3gG8dr;1=yT*Xx=
z3l*3Kz+}B&G?5l^5&D0Z-K{!2i=SO%I1L+{(U-Hx0<(X(dbQvTu$R#2g9rv4e4U~-
zN#H~sJ;N@`=Q@855SqbUd*kUkU6x!vR!%Nf^M|8!664{+d{Fd!vyAQU7cS(I0tzhx
z%5^>i^Nv%Ugl=w$ysEt)WuXdHQB+(kNf%6cxi{5Xf9WYZnRVTPqk6lvqA>M;Ef3}^
zUwElMyJ6n9M|k|i=Go0l5ZUQx!6Fp<t5@vTp9&U?nkL5Ry9#o{l>P9qrmY;Rh*BDG
zL>sr)WNX0LH^<TkCS@H?=|OqVnR|<Hn+j_2HX2#JtyHD-gL=*H3mig!<t`u)V+ir#
z-5)Nf*84=<5EpjlAL=-Zcr4xr8tm`!N|HH$RJC*v%~G}go*9xN#SlQ9rWzucUXwVD
z&ovq&>0wn4QJ>In7)7C^JPLZs{t#3TiYqulAL~2UE~h?)$L{*m#JBt9h5@~DdJt@4
z2JYRE3ZkDRXsaDGIlNTqfVuWvyPDr;fyb%(-Cm)J0HmZQbRu1n{B@yH$r96m^6M95
zZ->UVWTrQj+>`V*Z^>1+-mGvOF7-Cg)ZQi1n(nUJSlE4vaLc5Cz?7T-+{ehsM>eQ;
z+APlT06UA!H3G}k9(sw+8QolXvCt>^e|SYhb%G8fSpIn}jlO1<e_4Ba)~0iy`tk#W
z=ytUa+21(9$H{DkEGx_+MC^VgwtJD549MG$Iu7Q7Wnn<VFv4>9o?)j_JSBG-qLLJf
z5vyF}id*)o;D|g%K2n4svmLFI(*PyikqXV(h()Eb-v#UP1}q@}qmCjJnPO=LFfCeJ
z-F%mTnb0GDSMmWcr%-2iUk-`fW0+q7;17l76*BK571xkdfJv!f|1ygqenR(G6h_p;
zWEHxQ)55rV>69>Apj9c~j;I4KPwG0P3J(lDse={f=6XM}JiCfZ!+=nf1Vn%=SFg6&
zi<wNfj^=|zuGH3)Ad^u!W%4_mY04f)jpiq>6%_4>#6s_<{haHs;v`nYt%Ta|Q`p<U
z%1!^%iM3d?fo2}*Y{k#Ku)Vy>?`WJO3e6md-yjA*4FS!0Nia*u%4!aZqmR_pyX*hy
zMeDUL<6JG(K-b{uu$Y6ikJf{0QC(`LW2##LPU=T@#DJhOLAE%}%h6iyFjXYX8n?XR
zMk;YS8?q(Io6-&=RT~ORPVVw>k;22-#z#SD^E$*V3}6GtC*=E0e3lHCA*$!Ee8Hmr
zaM9pXUpebkEGBb#b+O8Ld~g#WT}I6hU#$vVea*MpU0&$$JhR)$c)<WC4?vSv7`~8p
z;No_%!O~jBGU}2BN*6L3&K4@#4`R&BnlPyG97Mj0p(HLn-}#YL0{fHWAfK`cRmfeV
zbYRZqY65)D{xX#<ly*~(5$by3ss(416X=cLtgzzTr=r2?+YQGih2V@BWwwUkoboJH
zt$r!fB&-=fgXKV&un`mwi!JG4GlBItvQ!(M7xc#B(vp-#Moj(Dc>cX8df-R^QxD^4
zed*`jc+#3=xA#>tG}0JxO{noJ;HE9sm=k%LtNylOB2$y>R2Y+BZ&yy%3Z@zNJRz`;
zT($8bz!=@pNtEk%WR6K@4T;OkOshCq%sBYmY1e#Z(G<0WWVk3!$%^o7zu9&TF}=wz
zI}^H?*w;~C)0odDsBmeX&5Yv~&-;19(*!3hR(|eA;(&rs=`5Cs6-@Yo!<kav!{P~W
zWRGADPGktX!o!WG`7KbzHCAdTTtKV@MBS9D`cuU3w56p9$&5T6z0NmGd-V6eYRF00
zlzcZe<@$X|T)C0Tn``Jauj~EN;?EQ6a##tbzwX|OUK)1pY;iacgO08NWP@Q);j!T4
zhaA^?ugc}FTZ6|3oad3?9ER~t%_B0MzQdH+>js8U1Ck!jqiUu-b~6MCw~oQM6^s~k
z38&E#!xo1bNQ>b4%$5ES4yOp$z-qbE9-5viS85=R6(ZAtA<y|(MCi~L0TP5_jw^{!
zZah5Q(B28M$0qD%!k95}PeYk9dP|sIulc6K91{lE`Q3wX>o`cNtEi$_dRD`i5P}#c
zZc)#!_No06@y0rW3hFHSgLo0To6^TFqntmlz(99K#pZ}3ou4$wXt2+jtxLzaBGa-m
zshAILoJ{83oQ67v@5M=M>v%1BjmTzQ$+D*U_YYmaD#F9Zi?fynjR0r{#|JUv!b>I8
z^vhQ)4F7qYeSS4b8&8<8-{5q!Q4fyQV90v4mEe&vf_hryELgpcVs3-go4Ht>lDJBf
zx`nfUM@S)mUGITT9hyZsczAsp_vshZCPlzxv1U)-<7Mq@ouUSv01TyYWVp35dfKOs
z?j^-qduspmx=%_5@7c9n-9o<B(`oN$y15OMXK_;Y+Gf3E*s99rVE)=l5EliHZXD@=
zNO_3$%(~Awd^ys*iW@kYb&zxo%^4g=WO87~O}wXjiH$+mjco^Y8?ewTyKQ#ia+B5c
zSk!gPo@(KUf{8@Ul2Ww_c?Ko(Z-b@wqFkhJPt(%;LWHM>>@ex-MbT1IFlW&>%n^bw
z!sO~RIiPVo-V5yL@ldhDoBl{d6LVtz3y5&U+4z&0X{BfAh}D=<_;ryG71QrUM%==I
z&_Q5Jr;Wgqr6!EF7pxbj<zP4kVqv4KZ5#V7zI?S9kn6O0&D}+{bwM~Dh7Q`B7&*OI
z%vAqh{krHwS^@e6o;ICOblmx-I;dn#M3XOy@h75D2C@`WNwu<jAZAMYsD1>A!Ii4N
z5(zXb92g^{6KlC0X?;>eB-Uf>GTOIO&D#HEPe4C#_+uEV>S7hD(_qQv?~$ADz2RX9
z0jME44Yaj4`_h$eE=vX?kKYc|XsR3^(XlJQ^KO)kbU5nkiG$53&DTU+Nh9T!wmgy@
z<`;e(vs%>OC}bX)WhVT5v1!cx-2fcIiUG{keyA)tGGHk4^zR6WFm8l8#n0W`h+vpV
zcwlR01j(!kSI}P4>7^uQf0rT7UQ+!22pIr(^c2=Hk$sfIn3^_%%AwXci+4Fuso8@Z
zOK*N%Fggbx9mHJ+GZ8nh-wX|YiDw8CNPv;>S7L0vA2~>?;TU(My5oT4u<_4&+t|NR
z<HLs>Jf}ym1l>qAvrSg1#)3O9|8UUl?YX8wuy3(8OSHsf7B4~&+<gDI$soLRD9V4C
zXz!t@Q0>Nfe1Rqy7~%w4qS3sjyRVoK(YRz*A-(~yp)DZ%j5B9YvK1le3~7*TPIbM;
zUl2UO9DGN2eM5bBM+K~T91M-t1OOD8^~8H)_p7eoCq1{JzO!GhNz?7W+8daOMc1-?
zohS{Rakuyw?aVA>1A?_=GfYhjdb2oaMEUCXCQdttn{8HN2`v=)DiE65nC7XMK{eet
z_m%R1Hc*-aVlsj2uSsG>iy<;+xa=@)&fY{d%qR0%hcUEpRpDJB3zDGTV8a)sV%3O@
zZRV!qkC8AI%(0VZs}L$XC{M#GU`%tj3XQx2-j`E+Gl}V?<^oA&5W=x<tewrx)x^{2
zIjxqr{{0t0`-J2oeREnt*|Y91fB4B@jZv{Cs}@I3%ju1LT0|z^ORLW($nai=c|2cu
z%WzIAj>shE0kS1G(3QwTGWg334nBr9;<#f_I(|NYxwr`1aLfh`WR~TQ(sR#1T4}rx
zD4+RlR#btT8qQS2@h@uN42+X3WZ&vs@~z?!#~@M}J!!x+?>)@mtD*r8?O(S?+;0nN
zQko^z8OYGsA$4*Rh{!Um6|Tt|6BJxO-aztBgGdl5z6e|o=Yqg22em2zKtzMG^_0gR
zZ?Yv2U|_h)Tt|LB(5f^45ZtZGqM^6VoiT+S;=>=(N@o&~z16xjR3`A5tZEV4!IQ{7
zjTxbcRNUv(-f6iApf`F+sKN>5;3Y18rjoa!xgtB~^fJf&7$evF#v(wO0=B4=c-R08
z%de8!-p=+ik|I^{j*x+?3Z#$p!r>=*B3WN@VC;g@9jL3`jWNt+(O70T^jD*7!5xr6
zy2*ThfvffzBmV`g?Hz+nadz?k<+6czCLx?I_fm~ldc^xX4X(sUw5*3cqTE+$MJ#}u
zDm^s(b$L<a_t?JQ(IW<KTj4ivDj_z;{%_p*%6I)<4+q=H4~cx5F2nL<Z@B;9RrJl7
z2$*Y<slfMh+K*d&S8O|~<L0_Q-SqG?JamQN^0iG{T)9Y1<PcfKRpEWDUabC-Sk*h_
zgPP{`mxL<ML8KC#ICSh2@|-Gv{<v=F%fd9Xf$Lhm{i2Kb6J+!!p#5$CW(k-(eM_nw
zbMVyFfM^Q+J<gN|>(axnih!aBkK@-4Dg$XXEGTcNCjXZOS4oN5NTYuTwhl%#l~x3E
zuE#eT=o0lJr#_^s7HxD_p-M?AX;hbVFjJp<MWp!oqVJVLR#TbI6hK8!nWMdokm9Hi
z?S6zjMk2srC*{EmqNF3OmMq}@^HM7v#Ryz?-_hbWQhZXZfG@&D0*&S=>(D7eGuQs*
zJMQ4Y05cc%+QwC%u`~KRzGu5Eu58U8N>|=L0eY%+1@?Km=+E}%`d-a5tz;hieSndH
zEqlu5JoTleYY9n1jind`v?MD!eh&;P6vs_$&x@L>v0^PTkLPjEdU*6ThSD+~H7l?Y
z*m;G$Yo0UgU6{@MQZa0`BA^4UNspPvF03vfu#s7CkGPQ2%`fnyNTF};&hV5k*T_+5
z;h_d8yMCv&yX0rEa$i>BJi(M2H-%YjIip!j1yW{>0+OWxsC5Ox239}vLA@J_(6h40
z7_m)H+BesJw};G+uCeu<3hWOAz0eT|hVoQJ16Klp2J9LxGiql3tj)zh#XPK~BkX-%
zx@0--lX(?1Z0|NsP;SOxSV5S{d9QX9MQ^_ql7<^YIQ>nH1d+MXhTw5_4Nry7KhIjT
zxt5?%+=r?^BxJb$dNAnw&7$#FJf_$eGj2#vO(!hZ{zpZ~eb~<JR~=2LXjQSziZvw+
zs61aHp;@LUZqihpu$W&#a&{E&bQp^ydq>3r$fhN^_X{bLF^!nf?kbiCNx{=)esUJ6
zVs#lXyg>KA4Gbspu2UErtM8#4LP?Fb6u0S{Es@LZNJ2@;S~LnU=OoWUJ=z{)qw|P)
z%hO({9b#=gG$P*G9$EU<pfsBR0p<^a&=_V3-akm8vmwzo7BnTliL{Xcq$S&&h_XMa
zjo;gTAK(67opfa)hteyjj-URgShVy@CyjnQRxRBzOHkjjhI7EK6}QY;0ZVFRXSFVT
z9A^BtwLUOKhj($+Mye$iX8GCjBI86n9xVg?e=LA2WuM0Zb2?L2N0~sGO4X0hGDUR$
zi)I!OzI4D)FZx%4=maXMawEijzg-Szy&-2NU)44Ykg68sO)Zsd_s1lp!S-*CYXA@f
zB%+NjS=5C9rbrWeuZ)p+G2Nfy&#$ZoR)Z#s6d3-n4dl%0F^9glk#@k9E5ShBN-bj&
zW1c>IPM!k<@_`tLw;>f%$O8C88SD6;(J37Bjls2Q4w~4#3ImL0An`?s`WgOqPOFm#
z1Tc+NqnE(JCH7}w@*q$!%H{;U;p*xtK!x{mgYXO+J-;ou^8PznkKgCu`(e|j555n?
zl*@+@*N-fnBgcCJC|W~p<IUi!-pHubk{1$351lc@;RCs+;PEj}@q^;|2f~QXL-t@1
z@n}dQ!<;6GURw2-`aGC~^_Ju;qA6HCK{b)Xu5{Fer+&c4ZzEg9O<(ZxZiC1>FsK=B
z7i1A*q4^lMdlUbMpdP=y-K-@jqbn`rMKQR}T{Q_JTknG;w2?Hl6x^r{zj$fu_Uh9|
zKIgspr|#UuG0q9xJ_PmJBggwh92;1Li!>BRuQ}HZ?<}c#mGMTiNbWa1g4auGLvWj>
zGTt{t#-&0*DIZ^pnam-A*%u}WeOM8sk3vyKQsoC5A1HZZtgP{d`yEb7%A~y>jCyR&
z-kz-j>!DI13szo#YwlYUHA+Xfu7=N=R4uji%)u#_s6ep+PTe+A)hBLZEOPKt@&B4T
ztEjk|AV8Dg!96&^-2#I{@BqQx8QdL)paBMVcL)$HxVyW%ySuyZ<lo(M_U!Av?7YtH
zzFqfLS5^1@s=9OoFt>KN6TSu==%!@?$}Jno3Hi<1#|^v|`Qg%lvkjvq6gx^7KdaOw
zGFgW6WsI|(kfPfd<1F)BiD{pj%p=M01nsY_rsmqBa(m=(u{7e<ytC=1iCCyGzJ$LW
z=nL(_mpgyOBKWl?%h<nbqHJ1hcaNHc6iWm-n2COz`ygMhd}-J56o`r)QwWmiAkoA-
z5ip&8@9FN*!C!PO67bbVv|!6gCZ93!tNQ7JLjy>dgW*;f?9A2D$JLh2(%nV+3GgDB
zA8+WP8$wshky=FhAX&MDYk6DTez7Qx0Pzum_s{Kb(*CJG^1su}EdP}R&vs?Lrv2im
zGL1u^C>?Zw)%peS^aK$WsTbt5R@#8l?~MTg7~5$B-HL0`s|#%Y@PUyoki>+~-~r7G
z{$N^HL}EJrA8mQjg-W_9o=+`@jEEryRJBz0eims9g1l4X1)ZujAAxy)TIGDVr-S?g
z2j^<w(elO}MFw)zV66wZ&5#PwjQw}~9vYQD$Ont%(KbV!1}I8g{|WlkVkT#;D6TYp
zkd07LYP`VO*ZI`R85D`^l3#5Q(9R3aBN^!UBF0lNITg8K{1vr~_VW9Fr)d9jH+sEo
zBb?$#>yN#A+`)amSVwZ`L2cda^@{3aFWnmH4k60%s)$(a^EDl;O5sPpNt<Lq8UY-r
zNP4ZJL4O}{o+B;in2!JCi+}6<%;QYI<o=s=(TPDGk`uBc(93zk|C3t>o0wb>jRtf*
z2tWF34W>^cG<FKGV_rUh(DmJ;LnRAessaM{WzGwXa8>|LGypEY+r@(iQoecfiy?RJ
zA|hqcL?VjAK4_^yndFZrB?Ga!7?_bFWlNkTTrUqBV>z^4eTV;ize6JNm1lSYv!`16
zvgp33QU(0IHMkA_zkux%RSL$mQHRinX+)C@2_{~{KN*WeJ^UAo;Y3F(GXh@>^)ti~
za;nA=i{MFMAA+XL8u{TFgmrPVafqp(8|oY(Ncg&64;>?7u`1)jVjg%aL5}gF4^SdS
z0mg+bWDDu#{X(&ti>0Rcma0VNL*Y5*9H+49Sa22;KyU==3<BuubfY>~uQWaxgwuY&
zHN|0}U=LTH#*`+g=xLLdd#On{EKz-_L$2SJ$;jMcckG~ZOYKkNY0T@_45^5Rh7xF~
zP_Rcs4K>~%`}&#xTewE928>xH<GJ<W)pOsKAI(>6@!*q>-%@1#*o(bOBUY0Uic|k6
z)RHh}Mx&GqE#XH`H=^$okb-u%n#)q9&5bU8ZmE4B06sDn_YzmO2?#hMkmvA|d`U|b
zU5<>P!bB=)ysL@8TfDJaV-~l$Niez|Z}~S_aJMG}@Nc%TkTRv>F%vb186+y@3Ja6~
zW-`qBHUZe=tZAgR5lJE%ZxY;VxD9*c4LW6}+2xa@%8p7Va!KxR^ypIl)x9VR*mn+|
z8`zG&*%_w$q=)4OV_Jg5e0!%IUCjj)H|f#m4m=%0ZP=D^@~f#`FgGJ{<WR$J0C43Y
zPCGMGoz`L37n){+NS#)lfm+Eyn-V|3s<KLjT4+=`#n;V}y6DPhmUs4J!Rco_LU^7-
zWvIX}KHI2UvFdXcGgY|(O7k&GKX_%f4h5LMFz?GpKDJD2d;I<2qDnMoGFv7yS5W7;
zU_bgpCOwA;co<krn8c4Y-SWMAV5N_~5>gTsvPq3Y^JD=QC^qI`>e@=LmS*!&YojKj
zAnKGHnuAmM{zvSK=pBG|*^sP6)nQauxEaqv)@iBtn#4?EtkE@{-;;lHfjA2eD1cd+
zTxya66NK^-Se0?=y*0HB0ZPf)GX0Ogjc`%#gvg+2@BNtas~D2`q<Wma^9W-^v%jyK
zE{QM@<2k<LJFVN3bYocr-k^ikE~%2sog-#K-i|Et&(P$-+#-u#`G<qYLh@~%j8O6~
z#Y_Hh7k}5#9U4+Zw1R^yN5CoJH7}}=9o_^;1!lH9Fzl^8_NzS0bIELA-4tTXc7FR0
zmJ@tjloPVQg<xqyv;DxuyoCv3Bzo6OrTO0wZrTJ_t>jodv)9@%rN0F8%2#9!28!Yo
zh3AVL<Mhvqi7}T-R@;D=PdegVew7U;gJ)BRT8UB$f(If84dZie%#wGi!7-71QZF*$
z+|eIqL#N40=ppf|=pghbyVx($+{CF))@PRhZH77wkv1)GKu!-{hSQzOMM?cZut^TL
zVl}AS*ydZL)9>!RuR)=6<lm80y4s#{WNXiV>F84JBqV&j#w=j{9UMNBgN2m%a{ATa
zGgX8tA`pk8i>kK*pmHde2MJAG)&-Dq`8+#+NPw6@Wr*6HHZpXiuUl2lwBg!u-tZyj
zUr;s_`WJrPo(7O5j||dQd3*dvUwgX$AM`a@oDOGhvt(vh8WXkE=F-T9%m;3a&wU}S
zJQFBDfUv!o)12!=+=gEvPmCH>iDhil%6w1^YG=qdL2vtyQVpCZ2EEB!L5>Ls!)i%n
zB+d}?1UWSWnS#9pC1ikQ(_p?M#>T<EXCtFGJN*fe`2Zp)3j%)sf<}rrTBBJb*m)qQ
z7P-pS4UslGINW*HCPZ%;PNO8af+NDd)5)i~KU_a1LZ#@uFw@PMU^dfV^sxHqizZJ!
zT$LZ0XC4<d0eW$H&=B;7)NjTtf7AESo~A}D|A>vVA37)_G{aCaluU|lBUh&wm)LG8
z{UDHm5JNs$5fg=QRnjNOBFTVp{>4bC)uGBzAf+@Q1|_EJBy&Wn-C2x}kP@SoS$>Z{
z5Ng9O2w2;zFRPUF`1IQV`Nwyi7Q*^F_E0S9klr>+Fs$#6bpGV0HBVFddsgmG)b4|i
z`Ts%XqLBn?GEz|uGYE2`TAYs4w|tHSk_ir06Lly372J@hu&}CIY1p1_Xw{D@dbAu2
zkr=&20!t9OLanEm_WWR1#Ut<{%rY{UZg;1BLBG#8PmKFu;@+syNy5%JEjViQDjal&
z@~ko7Ti}+M>Nlx?EtnTN{OcAqjANt9qm~xU025PMz0-li`T~YCJfWklu)Sw8V+G!C
zHf>pT{4DbN3l-8Q<L(cb-5bZJlhg95+Ap(|E-B?`$9!^izeNTA>=VnNHi@W@9+dHV
zsn`=RogoA?&smcSR!PM{r5O^%ZW}x?8lSKgJ!|c2#rp=vqp`zZU3z04|KW?=QtDS^
z<(eBW>7g5;rKV7}c$yve3M^SN|7l3ZS5&k`g{7)06enk1a;M|v-@DP6mm-QCQMhr4
zYFEAyGoGA2L1?*mrn#<`HI>c+%ZV)#1d>ZfLaYwX`R=*IX-8ceWUg-W{nDpi4bcUq
zSWk%e+gqQLM3P$ZE`lPrj^Y_QHgPk@+@!gtNBBuTxW#Ez1J%z~3I_3t%P&aO#@b`A
zq?1?O=2AUr#-vp+)!n1eUIhx684bHlpMm)|MZ#%MRv{o#Y(;>9S<=*o^#@DhFE^nv
zP0x=dVDXsfZ`VO(8}GIVqnAm6dl$o)mH5%zRfV?_+28*rhu4(+hC?Z9kQJtQktumV
z%HwuSap@W^z6;MGuKiNHVRnHxqaxyiQfWPhN{v)3(xY5`RhHP6i|STM*4Gt>&u$M!
z(3^^`{v0nm`^vtC28;_JiKK-X1#(8ju;jOpFKriTikOTL+iZIarNr@5*n?dXnF~yG
zyU+gOwhky>>Y>}3JBrzN9e1?A0RKg^Fdg00WM&>`QnoAkE3E<1VMz`0v&7N<@{-n4
zmii<5C!j@&#Bh}A4~>H9(Xz`2x}eJ+6Ee0H1r0+~mlk*r0~Xz_tb@Xs5u_SMWQ?6g
z#4jVfrXpJ?mfz&_JYIxCr?5Jj{KjWum%opeZvo&UDjt&a21RIEMl8nxEFpN?>9xdx
zH|)fFH|(i~tUFFt#S+K`uKnYCun0IcKSQ*`I|>S%S0fz2!1-PiP-g*#x#F-;Zk}}1
zW{4-rO2Xi=d29FI^$cy;$w}{9Nw$!ky{{OFhT~Zg#|f)6v{dMewA}Yw$xl-iYy&gQ
z;H{QLpjHA@5yJK$5kJnxb>^)W%91aXe3`H%!l^>*(N;Ni(J&PwcP^L`>nInfEau;?
z1%_=qpwu<^SunX3sezeKW$)|jM=<`h?9pMYur(y!A_*fnzqmI&M`F~y0r=~c_vz3i
z{1|I$^;agsAXk~r7HS@HvYKjS*MqqX<V)m~FJ*p34a#w|<Sar+z;KHaW*%>L+m|%C
zS~GTk&K-0b*8cd8sIOEP$`66^q+xaRHb<0P#%()pG$E|Yj6j{><&afm=*P#LQtgD6
z9%(Ufj;n*n0s0))1Jm)aFG*3uf=0Ulih;r2*W6^BFPwy3#LHXJ)qT-O3F()Yjl{$a
zs!|&Tt#FrZw+rRrI6WRf!b54hs=x7mM97qkBjvxMUg=!E7Ep!`Mu{@(;u{9Vt7k85
zmD3julQZs~_>Z4j#*uMl41gWDh<J2rHM)jUBuaUel>6+*64{81rKZIDe4B-<nPi3X
zl5f6T%is;RC1Ebk9bjOtWbj1DBECGh`4E;V&+j+sHi~>~XGm!HKJ@EQb(fYN6W7>6
z;n>?kPPvyR1U3SlJlA^HS%j(J!9>MFZ68~&DF6G~HkpMbWW%uFT7d5dU2K9%ua3Jp
z<M$;n4Yd@#_7)73#qIY{<Fyo0St;qz9e@1bZxFxqO-lU&;}k5Oh-N*jM445F65Vs$
zHxnyvhvv`KamMlw(cY>5Ux;>J%Fj3mY;BNxN~k(TUk|@%@1egEx4+F0xSUYAB%#YA
zGBlU}S#9t`64ws?EGA)>t*`($j7mWo#O1Xpi%?M%(6m;C{kcnMij)9*zPlY*o>s*F
z$W8eqmrF%VC-n$X6n?Ggzavc!Dg&Zj^K@a~#ulYNoe*1DTZZn$RoLp_b7Dki2G`MK
zt+m!m$;PZeGf2MU>SgzcE5ZFJrk4bI*W>}Yq+x0@@roNz=*__pqsZjk)s<K(y--cZ
z%m8ER=VsvOw!a{!1QuB{U>3>7McSYkOX!9+;zP3;!mLB&EKV86KU7NHhY`$LbA7<X
z&Nlab#pySLaBkSp7O0L5W|mQzYkZYn-H{wBZT6$<f1M2;?<ztHbQL<tus<)gnOPgS
zQH`8bSeOFhDd`R$A*{89IPD)!2jB7Qu^;<$*B()JLMt?)onfYr;k9C7oO%Sm%^c^e
zo1K1g&Y#^NH>g4!h_?o%c2)<xyXkrQf`_-2Odr<zB#JGex_?E@)lEXWgbc69Ti@!3
zWGC8b5S-;N9p1SlxLF~Csx+(mF*(e>Az_TrN={{Xo{L`>#_F`U+DQKwl5U=b5fb(X
zIay1!Y|7?MAFR3%p|&r<H_dPrIM2}qiFb_{Wy<d$wbDO-;{9@=eK-gd{}z){ovyVP
zHY}XN@)++nbc0$sS+}YXIY{x1t|C3%8)goMhJg@NC9_E8WXVIXw1@OIHZGJO#4d6v
z3Q5HqN{RlR^f)y%tJyBFaf7Tc&m8OOsIXnkGqrA>sX0{7Re!`7UyXIcu8&Mj)%$x-
zgEwA&Sd+GNI(>1@{B^4`#HAzb8}e(3>H7T9KElSu@6sKM30WK|T@s)LPJ~+l5gw$%
z)1l)av=zJhAX->V$L@;qj*>ztMPGdh54=>E@RQsaK3UXK9LtcwpEZM=V;zEpK<KE4
zlJv1|)Ahrdv9#MVqyG)2&t5i(goH`^2_5YiJevE4tHu2$NT`U0M8q)+==URubzdNa
z3@lRcy!&D7#|-p0_uRi&mUy@&Ww>|Nzve+2V}wXW`FvTZ;~^g5q{ROd=uS)+c2c;A
zbuyt?eM*G=sclwJEuAe>Xo{G3;21*zT%9KQnK$V?W<>voeq`Ob-cp{0zE9H)=V{ke
zDMa~~V%m0grC9q<(~=rs;`H_=N`Q(@2?tSdvs>hknQbjt;(=w}p@ka-g_T7A*sf8D
zB(i~6>8%Z9)JjXmv8`UaR0R_$*#h`&=tMcQjmZmUK^8Y1=J67LH`|VG&hc^yjZls-
z{w(HV42|R~eipaCI7xKwuHiNH08zDHNY0jdRTe7>4>QjGZIP?J0V)(`F7KZO3>lir
zXg&t0To=!X{FS3^Hck5w66PGFx;Y70bzXL&ER-mJK-NRxV%BurCbqmKaw6=*cpfgM
zMCh+dggF5JIgLnFZr=WSU^5s2QbF<n+!@Lsd&Dc<7LPUYXFoc@X&b%%;cw1X@ygjN
z)bdH+R*O-($#BZ^yZ+?({6A^z*eeK)ohm)M><R6)r*!*bUGMs)u5+dXn|6>a>fP<o
zGK>@ZeD@G)7HHjBH0Del{WbCLy|l;JAP+mf?JPYcFIWt<4nMXft@8<W1ao7*F~n~Q
z!S*h?mQtvF<1#xzfQ!jH-&_QTinEj?e7tWygC<~wC)$F{F(1Qj9Go7NOq3z*BmQ^9
zk*X{;X*RgCe-CM_MQ74t=4g>^YD0mNcuP04TDs`zKS+J#K2EBJG+6RS-qAiIWFYDw
zjj8G7y&#<m^ctnxfP$amn0Q4f#a+2JO^0^%bQ1^=Qb6>r^;?)Spcd#kq;J=J3XqAz
z4t?|f@OT{24&P?vbzh>URsK)uj$r>cH6dZ#xN9!!XQB?MPezkl$e#<5ZAnKo&REp>
zCI=!pWG@x&*(x*2z~G5?GKI$HnE?GkN}JxQQd&M~`voB^G8TWOlaOi#uDS#yEY|1b
z<^42K)P(}15}bn9zh(VHw+oF;2LhMtNYkBA+3#w@i`gVfRHj=YQQnrO86Y!JG>#8T
z)&!P(>-r-RHs?57y47!U$*fq|iVnk}5T&p%l|Kq;Jkr!EQcBauolxZ*fS%6Wkb>QZ
zy2eu5!`R}yIvRDR0uTAM*>nL_ajKFTgvVu2RQ*gHc4(XW!NAK&ve<No0@IH62+uZ#
zrnfN&<gxfFxE#O0*E5*nHkL99;U&)KDr?CIBPulJ=3Nb7V=VZYJS5<#jJ!)3Vj8~7
zBQglCq^V$I^9MP8(5!Rluknee2Sah?zGl3vDVD!pUzzq&<_rUnPY+Jgh<Ikcz$yc@
zjY6zKlM-@{1JUlzj}G~{_D3E8bUHQBDHSt<_Xj(TV{OVbQK#07kIfN?+o`^#3?S#b
zlhm*5vy-U?;YV5QhL<xMK`Ks%9Xn-XgE42qQznBW=vaM-`Fc`O43@BI{tXVJF$sLU
z+E1=_ORN|i)^JQ6v_&q*vUvW+l+*DlSsBR|&syx+(y^&}XmE@_!1Lp4GwanJ({mYg
zh!7Yp#j=;U#$P2x_pavj69JDH`*fd$^=w!cu~l4-?s61S`pRsz&F;VjJH|6ZkKDY}
z=ItuYGpN@2jD)w2E07r0b{a9vfmK#X@_xWrfB#H2_gE`;@2yO1YX+^DJXPiMgJh#Z
zeuU_=WXjvhUOS&(LRu2Ec2dXNQ=fYpS`cD{2G4u`QEUe?g#9W3pXP-$X;Oz%sjM#y
zNL23Bf8QBp_m(;eK*fEskLTo~-L?(?EM!|d%asFuLJD(L_(NW(!y<Oc>W#=X!!^et
zqDG*-tLrEF=%84V9ROdmg|n({vxP&+IZE=$K=ETxZ(p*0ERj84>mLWv-sj2~`s$D!
z98O1Y!6}rUBQ$cTh;8^&UoumO7fK(CGTmplI&ywGp~N3HD0iNOhPm9n1cb-k+=?~M
zWk0r1W~N&|GJZ@N(otYh4RM~bBGi1lX732C`@Mc{Fzd#5tfvu3bzZkt;s!w8zJnlo
zl!=--w7uw-4i$z{a6^vQaJ*N~t4k~;%bJ4;z>UNg;WQ0dfx5)hUh!hrL@auSB8z*2
z0~s+0Ki*de@V5{!=skTOB9Qf=(yTES$5{OKP?Bnzvn3{mjjY8_cm3f{5+j&QTJvwx
z30DGl1XYV3Tj{Q*4UW3*&N^73-NO1vh~uvdHGI3EkrRs~)Ld4!;e41yiNH-nfy_Vb
z8#Xyn6dx8Awzn2aS_2y!dme=r2qDCExPF7h|AW9WaUp-YKp&$ke}aJIR_G=oKj{9U
z<O1<XY<Uniya7&;x+nf0I8FdlYA*U;o4{oVWB&i)&l8$VtXBdu#9s4nN$XH-B}@m&
zZ=YTCBr8Bo5rg&!zjY^AGf2Pc-QVp06JED-65Xol1rG7VDmX7+;Ja>IR1sc*xMm5{
zXJqp7(M>eCS9&VASK(jn*;8mZ08v?P&A|CG&oGdzHD-B;l)?xMx+4tX5n~<nz>%tO
zoxy~f*>ihjFH5->S15C}aQ9cx>%mxU`(5QUA+&hb)8w|*{M+5>QFs96+tZT<w`JJu
z{5)5FJSjxOp$U!|UfGeI15-)fI-~M4t!bAxLhW}2Mxe_6-3Th0Vx*@hc0WX6fdoq?
zEr`&N4fOE-aQ~^1rR`#A95An|2YtVl^nNS!c6*#vBNtVn@K7|~uGRh)_qAO|$A$OK
z%)7z$bZL`mN|a`<Y_+NPj4HQO*Te8MWGH<8Vs8`$puM`MF4%qnFVm$&po3V}5`^Eu
z$%Yt;4`tc(aOv~554u}9;fg`Gloou^U;kPEkRf(A|DJX3xqp**46Z~UW-U>Fmrv#}
z{2W+2%Z9wosaLnCf%~TBtRE~6NR)!4M1@%+;TsUD?7O+OKEZwVk?a%QgX?1^LYZP1
zw*sqvUg94AxDuxSFd8TIGP5tg&^pnf#(^j*^IQ!np6q?GJFmB-bAJ+$w5C|9Xt>-|
z&)iZ|a(q^0M0W3$#b3$YOaA!;P5$nvN~17D(#{}o?H5A4I4gq{Fx9=HW!!Hj{8dX3
zHP7ZSjxF3eKI+!y^NyT@7gQzVG1Yrm^z+tmE|yJ{*Ms)-Jq{1#4YYgi2lYZW7t7Zh
zTenA(-nT=J{VH2zG5eIT-{M@pYe<uW0Y->2J3gDZHNyaH*3D|F3gfx0l{Yny3LF{N
zh9guN*C4PLioF0mFt6wmM7t1LId1zE!0G}lmO1!OT6y9^+w0zUZwsgL<u}L+nD|yT
zpF)%EFUx=TB4bCB`>-p-j|dLNqn{@hepv{}+Jc*!vqVlq5pvyvrrWHhsDBL*;y;Xw
zx8TKOt<_V8o*w^%63qm;4XJHyE_)Zpje$Ur-wg79V#AXoRBIqn5bhdz5yCYp>yUl}
zW|hyvzcVZ@9vBI|HP4W>UTuT82(vb~g5cmt-ztJ3aqX72vOG1HzNb~g-&9AG4q~r|
z?dS9L>l!?3emtQzpZ#gs*3J2IeW&@<`mDxx_<JD?iKSgQ<1m4*o8Eh6oc^-;37*sa
z+J>a-wfmE-(WBj@c8w30x>#IX3(0q#KF#mve;`k0GR>exaur|%ZG;Ec#g1%~T!4yQ
zmpi}ic6j#m^knbP<*@Fv+P<Fw!!9dgchvUK<%@Pw6d-$l`g7`j=vqjs@R_BDlBDV4
z7-lg>BLXPO)%v#S3z~m_29es3^OcyLEg^cCflg9LSK9Y1K;@Obij0A9vMA;68*kgE
zc5lnM-gDB)eI$(g2Ju?i>+Dh8YUp6a5;#rV9sd%$?uo>$Cn!tz>-M&1J0rXHH~sb3
za>;JIb>16eXh&$Qlz30TlDj?|a8_LZ@p3(v@k?VU?!MK>fwzf}()X)wEDA^t^<=-G
z(DlO-5{p2J=j-*ng!l6ugI!DAEuzO})p-IJGf}J4X~_H-`g7Dr$P{ML;l6qZ!NNmr
zA*|E&-0TXNB-M92-DwW#Wyxx|;7l$&0ucI``5g32o{<U)UETj#>zILMN5`ECvc16F
zD?*FtD))JSbO4#<0++LKv@Z*UW+Xxmd#ltSAf}WqgIHRY`!)ls@)yZsAUynd#cd^0
zXb7ohxFVkStNwf!x|RG3@22ic*CZ*V{gPeXLR#k2%g71ey!UHde!d9wdyhvS6cjSP
zl$fxJ|0>EM3Sgdxxy@zsBEx{zgNvXJ-LyCxzRwU9kXA}o+ts01-2Y)EAF+#4t(;k=
zU086gz7u=rt(1{BGzH$${YX-%?RqtTUg+g=CO70+@a1$FCCB5kdNnHb?lqDZgb4id
zEc#wa)yRtDbu^~0Ucs$TSh)N$Gp_HxOyYfXokiJI&i_6Y2YePSf3?2e3(I=h9MpT6
znA4|D0efq@KWxj7wRkvnSC`|DUl8cEANK?n9JfZbUZ$a)AZ0ZkM^Je1k$7z9jk=(f
zzn|#}y)W+ZVl%!l<9qKumS=`P>AgRWYu&=_F}LsnD<`|cQ*VCa21>}Hy)Rcqtv^^U
zw)=o4h`ml8lQNO@JdcmFsKetX?67UOZ60V0htU&-aRZl~!Z?xEc`HnSUaff68WiVi
zD@gY-Zst27_783H-q$i7*}k3D<I?W_fjiaZuf|SWZSQZR@F<Ehz`h%j=v|@(Fmvr_
zfNySMRBjnr@XlA*O6E14=saP;#Cl(3$M!iq)&RJgN61{YyO)k4cAr{<S-F1l5#01R
z2+|%2`~=w))u`(oclD`wSZuUgzu%P4cbI#N5+~N|pHw>>l}y8Jx8Lv&-~_GTulu-F
zF+ZNnqfxSWUnw1n)NeX2+;`b!>a19LuG-Y`dajTA1bVDaRqMB>8DDzYwSZ3_D%aaq
zm*YF+F$6_q1J;?mfyOeix6)`3IWpEdRs!TS`m(VCe&UiqSzg6lVhZwoUiV2c<`P}j
z>!!TXq}KbX=kbb6UyxE!(pS+)JXnwFX#j#J4h`^O<H1B|YeRmfe7PFHZO#_{K&xY3
z@lYCrb^?0V6MPVx(n|h*-sz5N>p$}n=*vU`&;F^4Of3s&?C*JkTR&+P&$nu*%ViLU
z_G&NFaJH*&r`PaU#OD)1`ZN#93wqlQ`3r`9u0Uh<UU-#RNYp(Bi}NFm5iMQcEKlY?
zzdes^|Edl0S!{m1-S-L1;=TM9%c*DkD=8b~gaPFIaLlNa>~`{)Rl_bT-+DQ<>|%}X
z>r#kV2jc=rQ-3F>W<jPk1&BfnnqWpnw1as&KtAr6+HmFm-?d1Zb%$+SZSKve61*3k
zhLAa#0Mghf$iY$*#x=cHD1R-5CS|;v!+=vg@9ww0YkgcLec6bE);?Jif!?0^gn~KV
zc4sBkbl&cBJzQAJigzTSG4=r_TV`~^PPhbOKtGWyqB8)(TNbj1`xnvxh<&v8#~q(!
zvY`U9nyz(UW<Yfdi>xOVnN7!vzga~z0y<E!fOJWCLVQoYuiLHjy{Je;fU~E|ka^}2
zZ;s0uLj6@wWg|$&Ci2><{M*G{wPdDsp%uN3TH9J!7^2nJMe0g=;0NEC#pvb>yx#k7
zj~Q|rvIc9@1j$XT=!p&zPyDj_$bTZ>ZPw2M@FT4&3279QO(5&pveP}dT$EvV<SX*!
z#eDGQn^)wsAiu-O`}5@fQyMDD2-Y;=FGZUhAt9k_kOvPC*S#WD)VCrv$0g9a6*sDz
z5<y?MWPwsfR<KX=s2+oJC}Zo%m(aPZKR@#%p#N#P{#7{0w)>ML6JnSS9N`?6q9io1
z(P|y0gF6<<&V8?Y-diFbp}Cn0q0Llpy_!N>??KZl<EpAK355kx!Hq5Fe6idoRmD}~
zZ-0kKm9Jqqm`e9$hpSy@gc(_ge?i6E;Hb+=8-WQc+`_z@{}}QKp=CP!3YCy1o6}kU
zrN>j67NQznZ(>tc+*CCrqKiKp&IzxVJ|R~=1eE(^e3JexQ>2Y`?`33%=e+~qK+g-R
zJA3iDYuh#(My#F?E$=0Y?k3~h?)WEYu$XX3EYSGRaKDWgp#;QtbA6lammu|eToofG
zLL+gnN}7~ITy3>O?J8n#DK&7mQ%VeT*W{tX?(Mm?mp+gcd|n<Mq=geOywuij56eYd
zA8rqbYc22=e0jifW#zzQ&i(Tg_@YHW@c~Fk6wo@&f>)gu@)L~Ej{%2;Bll!;)^&cu
z;`0hQ#$id{&Ens*o(UM;?1z|Ls}r;(WKqIB3-XdtJRpBVOj7$BpWKFerVr#YASUlZ
zk7#*o%_3d`hfs+*wvaQNH6WEVQ4yEAOS+Bo$`?)Od3HJAnTAhXzw3T(Ad!-uqwwo>
z;8KUz<@GzB%x4;c789`ML8l|Cy;CYAj&Uy~2@*z^m4&SYe3sBF9PH<i>9+Z--WATm
z6KaQ4cvy6P@`7>ji}q<DiZuFVBM3(vVC-`;#<xxdPy{J7J#02F$hSbx4sQhAF4xCF
z+^Igiw?@g$gjKs&lhJDs#qV-Y?~D5Pwl@>UgB`t>E-QUH%kP_2r<?Mq{F{Xy2VF9u
z`rIEXM%9hhTaT|};A0ErJYOS>uyl9gbv>`wy>DJNIfs{4ZC^oLT&wqk19=7WUI_jN
zC@p==)|GWGEcyp}bBgCo$QeHlt~m%RNxbj&jrn1S$6x>Xoo<#>B$PPX8fO;o$J$A@
z)oHKS_V;J^h5DY3=~r~OCPHH%fxp7)MzsOa{Q34^FN^2va)Hp><Tl>ioBP*XPF50T
zT!I%EA!p#T?)`eZ)7BoG6_DI37`*G1<2R$lg8Q^;eansPr?H}f&S3OeGYO40QmuZI
zwG0N5I(!DH43oSt8dC6l85wm>nR#~BJO0*>hU39|eX-I1Ugf2UCpLDJq<E9SH!dXb
zaD`S5Ef1P;ULTGs_j<WJqe(>%UAv!Ks<o=u^Gh=h$q{4Zdop?Nm4~b|o;o4Rjm!tl
z&1bZ^FTs6jOPHlj`Y-mU+g9?{USx*>v;te?wRa2fee1Ax?vIy{E;7A2%*{8xI#)h0
zaW>iAv3PVpg%bt*BrtoQ*`MfE3m&#;IxO?i^>~=#bM2=5QGcZIvJez?TnYY#r7vI+
zOjYuApzB8TzSoRYzuDDUX2za0E$iu`XQ}&K@cCh8J?*Fl4sIIHlAc53r7Hl5Moy>U
z;#NJ7j~z+*yz@%1vno%zv~!|-ce?@yrn2I~cq6wsf{1aTpBtiV6@3Zc99E&kNt=}?
zkH``)B-eSo(t9v-E{=tGWpQV=g4(V#e0<;2o{jw>dh>3#kE*r;fD}>U6LdzEs4!H=
z>+Jeez8Ge3sfV1spYAb}SFhmCY=VSXGvOpcaL~wtE}iu|&-V`Hi8p|JG1j!j5zS)C
zE$N((QR2;v<2p)1yXpqdXQj>Ua(Ui^i;OhS-l?(Zcz^ir+H<zGjhA7G>q^x}U$Ons
zz0UHOAl>wI{nFjlT%JF(yt*vx;t!K|#n=+*hhrDjSr^rEdC?hLm+F-nmpVp~uP{2j
zy2!U!a|NT^Id18>p4BL$P33-OS#yt49ud?8V*Im<+ruSg%yqK_ysAp2KzGv9_NLwZ
zGTTtMx9YUxrZIW7#ch+%(6K#tAMo^FUmnv`b>DCHhq;oX^5b}J><y4b=W@K0;)XG(
z$Td^U@pE6mMHb+j?;C3aqP2XOU51M)kB;}g%GPCdGMclhYO0H8zwiM;*I|;2kCXZx
zN8raC#v#^otAqH_GmPaHB9W)jpW57ii>WzVxYBHzn!N-q>e`P$yLnB@J8e@cnjBKi
z_Dko+2pX%WIgDZC_=@~vipx&z?W|b|)n`SU=I9}^ZJ&>TE~zynb2oynqNs;2%b!F>
z`P<K27vL!)0)O54W>&}TmY?Djhz=6DbF&7rSsAteH+<a`+9XA9)E^W)m<>WhZ-r>r
zo;n?@R(0jL&Cu;XxIo8V_YFcyQjMbzCYV?O`6y%SZ@15A<4@D;h3;l5!%pR^dL5pB
z!+@kxHWP!LQE5Tc@G`-XIFh;9c}9XO%o&mdJd@Uh6B+g1*SqUkUYC|2taV@Gw`2Zk
zG0GU_%hiXenzPeKTRV^Gi=D4%irhZWPs_{m@4N1+9tT^6OqnlNtEW-xLZkOXJe~$<
z0;LzsP4pbP_^DBgy^0JhO`&YB_vi1!qVfzaVRcLT`h{oPE)Fw$ah#8W4MCY||4(Pi
eK^mLh_XxRJm6OWtYV`l>OG;c$tW3nf?|%THe$y}j

diff --git a/scripts/SYNCS.md b/scripts/SYNCS.md
new file mode 100644
index 0000000..c244da0
--- /dev/null
+++ b/scripts/SYNCS.md
@@ -0,0 +1,160 @@
+# Cross-repo sync map
+
+How CLI / spec / skill data flows into this repo, and how site artifacts flow out.
+
+This is the source of truth for sync mechanisms — the scripts, the directions, the drift checks, and what is *planned
+but not built*. Update this file whenever a sync script, workflow, endpoint, or vendored artifact changes shape.
+
+Existing top-level docs cover adjacent concerns but none give a single map:
+
+- `RELEASES.md` documents the skill-release procedure (the downstream-facing `/skill.json` re-pin) and the deploy
+  pipeline, but treats syncs as one step in a larger runbook.
+- `docs/DESIGN.md` §3.9 / §3.10 cover the `/skill` and `/install` build contracts, not the cross-repo data flow.
+- `AGENTS.md` describes endpoints and content authorship, not sync direction.
+
+This file gives the bidirectional view in one place. Per-script detail still lives in each script's header comment.
+
+## Cross-repo data map
+
+```mermaid
+flowchart LR
+    subgraph In ["Inbound"]
+        spec[brettdavies/agentnative<br/>spec @ pinned tag]
+        cliRegistry[brettdavies/agentnative-cli<br/>coverage/matrix.json]
+        dockerImage[docker/score/ image<br/>anc + scored binaries pre-installed]
+    end
+
+    site[("agentnative-site<br/>this repo")]
+
+    subgraph Out ["Outbound"]
+        cliFixture[brettdavies/agentnative-cli<br/>src/skill_install/skill.json<br/><i>(SoT lives here, fixture lives there)</i>]
+        cf[Cloudflare Workers<br/>anc.dev]
+        agentHosts[External agents,<br/>scorecard consumers,<br/>badge embedders]
+    end
+
+    spec -- "scripts/sync-spec.sh<br/>(remote-first, manual)" --> site
+    cliRegistry -- "scripts/sync-coverage-matrix.sh<br/>(manual)" --> site
+    dockerImage -- "docker/score/build.sh --run<br/>(anc check JSON inside container)" --> site
+
+    site -- "git pull from CLI's<br/>sync-skill-fixture.sh" --> cliFixture
+    site -- "wrangler deploy<br/>via deploy.yml" --> cf
+    cf -- "anc.dev endpoints<br/>(serves the rendered site)" --> agentHosts
+```
+
+## Upstream — data flowing INTO this repo
+
+| Source                                                                                                                                                                                                                                               | Mechanism                                                                                                                                                                      | What's synced                                                                                                           | Trigger / cadence                                                                                  | Drift check                                                                                                                                                                                                                                                                                                                                                               |
+| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `brettdavies/agentnative-cli` `coverage/matrix.json`                                                                                                                                                                                                 | `scripts/sync-coverage-matrix.sh` (manual `cp` from `$ANC_ROOT/coverage/matrix.json`)                                                                                          | → `src/data/coverage-matrix.json`                                                                                       | After CLI bumps the matrix (new checks, registry changes)                                          | CLI's CI enforces `anc generate coverage-matrix --check` against the committed CLI artifact. Site trusts the synced copy; no site-side `--check` mode. Resync is manual; `git diff` after sync is the review surface.                                                                                                                                                     |
+| `brettdavies/agentnative` (spec) `principles/p*-*.md` + `VERSION` + `CHANGELOG.md`                                                                                                                                                                   | `scripts/sync-spec.sh` (manual; remote-first via `SPEC_REMOTE_URL`, falls back to local `SPEC_ROOT`; auto-picks latest v* tag; extracts via `git show "$tag:<path>" >dest`)    | → `src/data/spec/{VERSION,CHANGELOG.md,principles/p*-*.md}` (`principles/AGENTS.md` filtered out — spec-side internal)  | After a spec release. Spec's `repository_dispatch:spec-release` already fires here on tag publish. | None automated on this side (consumer-side handler that auto-PRs the resync is tracked as follow-up). Spec repo's `scripts/hooks/pre-push` enforces source-side correctness. `git diff src/data/spec/` after sync is the review surface. `src/data/spec/README.md` documents the workflow.                                                                                |
+| `docker/score/` image — pre-installs the full ANC 100 toolset (`anc` + 96 scored binaries) inside a reproducible Ubuntu container; iterates `registry.yaml` and runs `anc check --command <bin> [--audit-profile <category>] --output json` for each | `bash docker/score/build.sh --run` (builds `anc` from local cli checkout, builds image, runs `score-anc100.sh` inside container with bind-mounted `scorecards/` + `out/` dirs) | → `scorecards/<name>-v<version>.json` (96 files) + `docker/score/out/score-failures.txt` for any install/score failures | After a new `anc` release, after registry changes, or to refresh the full leaderboard              | Build-time schema 0.5 invariant validation in `src/build/scorecards.mjs`; auto-discovery picks the highest-versioned scorecard per slug, silently superseding stale ones. Filename's `-v<version>` suffix is the version anchor (registry no longer carries `version:` per entry post-U4). The container is the source of truth — host-side ad-hoc scoring is deprecated. |
+
+### How spec version flows into rendering
+
+### How spec versions flow into rendering surfaces
+
+The site shows version labels in three places. **Each pulls from a different source by design** — the three sources move
+at different cadences (vendoring, scoring, manual reconciliation), and conflating them into one would lie about at least
+one of those movements.
+
+```mermaid
+flowchart LR
+    vendoredVersion[src/data/spec/VERSION<br/>vendored snapshot]
+    siteVersion[content/principles/VERSION<br/>site reconciliation marker]
+    scorecardJsons[scorecards/&lt;tool&gt;-v&lt;ver&gt;.json<br/>per-tool, embeds spec_version]
+
+    util[src/build/util.mjs<br/>exports SPEC_VERSION + SITE_SPEC_VERSION]
+
+    footer[src/build/shell.mjs<br/>footer: v$&#123;SITE_SPEC_VERSION&#125;]
+    badges[src/build/build.mjs:377<br/>renderBadgeSvg&#40;score, scorecard.spec_version&#41;]
+    og[scripts/og/generate.ts<br/>reads anc-v*.json's spec_version]
+    diff[git diff workflow<br/>operator-only — no rendered surface]
+
+    vendoredVersion --> util
+    siteVersion --> util
+    util -- "SITE_SPEC_VERSION" --> footer
+    scorecardJsons -- "scorecard.spec_version" --> badges
+    scorecardJsons -- "anc-v*.json's spec_version" --> og
+    util -. "SPEC_VERSION (reference only)" .-> diff
+```
+
+| Surface         | Source                                             | Bumped by                                                                                                 |
+| --------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| Footer          | `SITE_SPEC_VERSION` ← `content/principles/VERSION` | Manual, by the contributor who reconciles `content/principles/p*-*.md` after a `sync-spec.sh` run.        |
+| Per-tool badges | Each scorecard's `spec_version` field              | Automatic — bumps when the scorecard is regenerated against a newer `anc` build (via `docker/score/`).    |
+| OG card         | `anc`'s self-scorecard's `spec_version`            | Automatic on `bun run og` after `anc`'s scorecard is refreshed.                                           |
+| (no surface)    | `SPEC_VERSION` ← `src/data/spec/VERSION`           | Automatic — `./scripts/sync-spec.sh` overwrites whenever the spec ships a new tag. Reference / diff only. |
+
+Why three sources, not one: vendoring (we got a snapshot), scoring (anc was compiled against this spec), and site
+reconciliation (the prose has been updated to match) are three independent events. Conflating them into one constant
+forces at least one surface to lie about its actual currency. Full rationale in `src/data/spec/README.md` and the
+cross-repo version-model doc at `docs/solutions/best-practices/agentnative-version-model-2026-05-01.md`. There is no
+site-own version (`package.json` is `"0.0.0"` deliberately — the spec version IS the site's "version" by intent).
+
+## Downstream — data flowing OUT of this repo
+
+### Build-time vendoring by other repos
+
+| Consumer                                                     | Mechanism                                                                          | What's exported               | Trigger / cadence                                                                                   | Drift check                                                                                                                                                                                                                                                                  |
+| ------------------------------------------------------------ | ---------------------------------------------------------------------------------- | ----------------------------- | --------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `brettdavies/agentnative-cli` `src/skill_install/skill.json` | CLI's `scripts/sync-skill-fixture.sh` pulls from this repo's `src/data/skill.json` | Skill bundle metadata fixture | When this repo bumps `src/data/skill.json` (skill release re-pin per RELEASES.md §"Skill releases") | CLI's `skill-fixture-drift` GitHub Actions workflow runs the fixture's `--check` equivalent on every PR; CLI side fails if its vendored copy lags this repo. Effectively the inverse of the coverage-matrix arrangement: source-of-truth lives here, drift gate lives there. |
+
+### Deploy-time emission to Cloudflare Workers
+
+| Surface                        | Mechanism                                                   | What's emitted                                                                                                                                                                                                               | Trigger / cadence                                                                                                                                               | Drift check                                                                                                                                             |
+| ------------------------------ | ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `anc.dev` (Cloudflare Workers) | `wrangler deploy` invoked by `.github/workflows/deploy.yml` | `dist/` — HTML pages, CSS, JS, 107 per-tool scorecard HTML pages + markdown twins, 96 badge SVGs, OG image, fonts, `skill.{json,html,md}`, `install.{html,md}` (no `install.json` — see DESIGN §3.10), llms.txt, sitemap.xml | Push to `dev` (staging Worker `agentnative-site-staging`) or `main` (production `anc.dev`); `paths-ignore: docs/**, *.md` skips deploy on planning-only commits | None automated — production canary is by hand. The pre-deploy CI pipeline (`ci.yml`) gates on `bun install → lint → build → test → wrangler --dry-run`. |
+
+## Release / sync orchestration
+
+The four flows interact, but each is independently triggered:
+
+1. **CLI registry changes upstream** → maintainer runs `bun run scripts/sync-coverage-matrix.sh` locally → commits the
+   updated `src/data/coverage-matrix.json` → next site build picks up the new matrix. CLI-side CI is the integrity gate;
+   this repo trusts the bytes.
+
+2. **A scored tool ships a new version** (or `anc` itself does) → maintainer runs `bash docker/score/build.sh --run`
+   from the repo root → `docker/score/build.sh` rebuilds the `anc` binary from the local `agentnative-cli` checkout,
+   bakes it into the image, and runs `score-anc100.sh` against the full registry inside the container; bind-mounts write
+   the new `scorecards/<tool>-v<new>.json` files back to the host. Old per-tool files are silently superseded by
+   auto-discovery → next build refreshes the badge SVG and `/score/<tool>` page. The container is the source of truth
+   for scoring; host-side ad-hoc scoring (the prior `regen-scorecards.sh` flow) is deprecated.
+
+3. **Spec cuts a new tag** → maintainer runs `bash scripts/sync-spec.sh` (auto-picks the latest v* tag from the spec
+   remote) → vendored `src/data/spec/{VERSION,CHANGELOG.md,principles/p*-*.md}` updates → next site build picks up the
+   new `SPEC_VERSION` automatically (footer, OG card, badge URLs all flow from the vendored `VERSION` file). Site
+   contributor reviews `git diff src/data/spec/principles/` and decides whether to manually reconcile any prose changes
+   into `content/principles/p*-*.md` (the two file shapes are intentionally different — see `src/data/spec/README.md`
+   for the workflow). Spec's `repository_dispatch:spec-release` event already fires here on tag publish; a consumer-side
+   handler that auto-PRs the resync is tracked as follow-up work.
+
+4. **Skill repo cuts a release** → maintainer fast-forwards `agentnative-skill:main` to the new tag → edits this repo's
+   `src/data/skill.json` (`version`, `source.commit`, `verify.expected`) → PR to `dev` → release flow to `main` →
+   `wrangler deploy` updates `/skill.json` on `anc.dev` → Cloudflare cache purge → CLI's next PR exercises
+   `skill-fixture-drift` against the new fixture. Full runbook in `RELEASES.md` §"Skill-release procedure".
+
+5. **Site code/content change** → push to `dev` (auto-deploys to staging Worker) → PR `dev` → `main` → push to `main`
+   (auto-deploys to `anc.dev`).
+
+## Reference
+
+- `scripts/sync-coverage-matrix.sh` — header comment for usage and `ANC_ROOT` env var.
+- `scripts/sync-spec.sh` — header comment for usage, `SPEC_REMOTE_URL` / `SPEC_ROOT` env vars, and the
+  remote-first-with-local-fallback resolution flow.
+- `docker/score/README.md` + `docker/score/build.sh` — the canonical scoring pipeline. `build.sh --run` builds the image
+  and runs `score-anc100.sh` inside the container, writing scorecards back to the host via bind mount. The container is
+  the single source of truth for scoring; host-side `regen-scorecards.sh` is deprecated.
+- `src/data/spec/README.md` — what's vendored, why, and the manual reconciliation workflow when spec prose drifts.
+- `RELEASES.md` §"Skill releases" — the downstream re-pin procedure for `src/data/skill.json` end-to-end (commit →
+  cache-purge → live verify).
+- `docs/DESIGN.md` §3.9 (`/skill` + `/skill.json` build contract) and §3.10 (`/install` HTML-only contract).
+- `AGENTS.md` — repo conventions and the `content/principles/` vs `src/data/spec/principles/` separation rule.
+- `docs/plans/2026-04-23-001-feat-sync-spec-plan.md` (dev branch only, gated off main) — the plan that introduced
+  `sync-spec.sh` + vendored `src/data/spec/` + the SPEC_VERSION wiring.
+- `docs/solutions/best-practices/agentnative-version-model-2026-05-01.md` — cross-repo version model: what version means
+  in each of the four agentnative repos, why the site has no own version, where each version is read or displayed.
+- `docs/solutions/best-practices/cross-repo-artifact-consumption-static-sites-2026-04-21.md` — governing pattern
+  (commit-a-copy over build-time fetch over symlinks).
+- CLI's reference implementation of `sync-spec.sh`: `~/dev/agentnative-cli/scripts/sync-spec.sh`.
+- CLI's `scripts/sync-skill-fixture.sh` and `skill-fixture-drift` workflow — the inverse-direction drift gate that
+  protects the `src/data/skill.json` → CLI fixture flow.
diff --git a/scripts/og/generate.ts b/scripts/og/generate.ts
index ac7d9bc..2c38c2f 100644
--- a/scripts/og/generate.ts
+++ b/scripts/og/generate.ts
@@ -20,14 +20,14 @@
 
 import { chromium } from 'playwright';
 import sharp from 'sharp';
-import { readFile, writeFile } from 'node:fs/promises';
+import { readFile, readdir, writeFile } from 'node:fs/promises';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 
 const REPO_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..', '..');
 const OG_HTML = `${REPO_ROOT}/scripts/og/og.html`;
 const OG_OUT = `${REPO_ROOT}/public/og-image.png`;
-const SHELL_MJS = `${REPO_ROOT}/src/build/shell.mjs`;
+const SCORECARDS_DIR = `${REPO_ROOT}/scorecards`;
 
 const OG_W = 1200;
 const OG_H = 630;
@@ -35,23 +35,34 @@ const SCALE = 2;
 const SIZE_BUDGET_KB = 150;
 
 /**
- * Read the version literal from src/build/shell.mjs. The footer ships
- * a `v0.1.0` literal at line ~177 (`<span>v0.1.0</span>`); the OG card
- * displays the same version string so the social card and the rendered
- * footer never drift. When the spec-VERSION sync work lands, both will
- * read from a shared source automatically.
+ * Read the spec_version from anc's own self-scorecard. The OG card sells
+ * the standard via the CLI that scores it, so the version label tracks
+ * what `anc` was compiled against — not what the site's content has been
+ * reconciled to (footer's role, see SITE_SPEC_VERSION) and not what we
+ * last vendored (SPEC_VERSION). Matches the per-scorecard spec_version
+ * each badge SVG uses (build.mjs:377).
  */
-async function readVersion(): Promise<string> {
-  const src = await readFile(SHELL_MJS, 'utf8');
-  const match = src.match(/<span>(v\d+\.\d+\.\d+(?:[-+][\w.]+)?)<\/span>/);
-  if (!match) {
-    throw new Error(`could not find version literal in ${SHELL_MJS}`);
+async function readAncSpecVersion(): Promise<string> {
+  const entries = await readdir(SCORECARDS_DIR);
+  const ancScorecards = entries
+    .filter((name) => /^anc-v[\d.]+\.json$/.test(name))
+    .sort()
+    .reverse(); // highest version first
+  if (ancScorecards.length === 0) {
+    throw new Error(`No anc scorecard found in ${SCORECARDS_DIR}/anc-v*.json`);
   }
-  return match[1];
+  const sourceFile = `${SCORECARDS_DIR}/${ancScorecards[0]}`;
+  const json = JSON.parse(await readFile(sourceFile, 'utf8'));
+  if (typeof json.spec_version !== 'string') {
+    throw new Error(`${sourceFile} has no spec_version field`);
+  }
+  process.stderr.write(`OG version source: ${ancScorecards[0]} → spec_version=${json.spec_version}\n`);
+  return json.spec_version;
 }
 
 async function main(): Promise<number> {
-  const version = await readVersion();
+  const specVersion = await readAncSpecVersion();
+  const version = `v${specVersion}`;
   process.stderr.write(`reading og.html, injecting version=${version}\n`);
 
   const browser = await chromium.launch();
diff --git a/scripts/sync-spec.sh b/scripts/sync-spec.sh
new file mode 100755
index 0000000..1490af5
--- /dev/null
+++ b/scripts/sync-spec.sh
@@ -0,0 +1,128 @@
+#!/usr/bin/env bash
+# Vendor agentnative-spec into src/data/spec/.
+#
+# Resolves the latest v* tag of agentnative-spec, preferring the remote
+# repository, and falls back to a local checkout if the remote is
+# unreachable. Extracts files via `git show <tag>:<path>` so neither
+# checkout's working tree is perturbed. The vendored tree is the build-time
+# input for src/build/util.mjs (SPEC_VERSION read), which feeds the site
+# footer, OG card, and badge URLs.
+#
+# Usage:
+#   scripts/sync-spec.sh
+#   SPEC_ROOT=/path/to/agentnative-spec scripts/sync-spec.sh
+#   SPEC_REMOTE_URL=git@github.com:brettdavies/agentnative.git scripts/sync-spec.sh
+#
+# Env vars:
+#   SPEC_REMOTE_URL  Remote URL to query first.
+#                    Default: https://github.com/brettdavies/agentnative.git
+#   SPEC_ROOT        Local checkout to fall back to when the remote is
+#                    unreachable. Default: $HOME/dev/agentnative-spec
+#
+# Resync cadence: rerun after every new agentnative-spec tag. The remote
+# query picks up new tags automatically; a local fallback only sees what
+# the local checkout already has fetched. Spec's
+# `repository_dispatch:spec-release` event already fires to this repo on
+# tag publish — a consumer-side handler that auto-PRs the resync is tracked
+# as follow-up work.
+#
+# Stale orphan files in src/data/spec/principles/ (e.g., from a spec
+# rename) are accepted; `git status` surfaces them at commit time.
+
+set -euo pipefail
+
+SPEC_REMOTE_URL="${SPEC_REMOTE_URL:-https://github.com/brettdavies/agentnative.git}"
+SPEC_ROOT="${SPEC_ROOT:-$HOME/dev/agentnative-spec}"
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DEST_DIR="$REPO_ROOT/src/data/spec"
+DEST_PRINCIPLES="$DEST_DIR/principles"
+
+# Cleanup hook for the temp clone (set only after mktemp succeeds).
+tmp_root=""
+cleanup() {
+    if [[ -n "$tmp_root" && -d "$tmp_root" ]]; then
+        rm -rf "$tmp_root"
+    fi
+}
+trap cleanup EXIT
+
+# === Remote-first resolution ===========================================
+spec_source=""
+spec_tag=""
+
+echo "querying $SPEC_REMOTE_URL for latest v* tag..."
+remote_tag="$(git ls-remote --tags --sort='-version:refname' \
+    "$SPEC_REMOTE_URL" 'refs/tags/v*' 2>/dev/null \
+    | awk '{print $2}' \
+    | sed 's|refs/tags/||' \
+    | grep -v '\^{}$' \
+    | head -n 1 || true)"
+
+if [[ -n "$remote_tag" ]]; then
+    tmp_root="$(mktemp -d -t agentnative-spec-XXXXXX)"
+    if git clone --depth 1 --branch "$remote_tag" --quiet \
+            "$SPEC_REMOTE_URL" "$tmp_root" 2>/dev/null; then
+        spec_source="$tmp_root"
+        spec_tag="$remote_tag"
+        resolved_sha="$(git -C "$spec_source" rev-parse --short=7 "$spec_tag^{commit}")"
+        echo "vendoring $spec_tag ($resolved_sha) from remote $SPEC_REMOTE_URL"
+    fi
+fi
+
+# === Local fallback ====================================================
+if [[ -z "$spec_source" ]]; then
+    if [[ ! -d "$SPEC_ROOT/.git" ]]; then
+        echo "error: remote unreachable and SPEC_ROOT is not a git repository: $SPEC_ROOT" >&2
+        echo "       remote: $SPEC_REMOTE_URL" >&2
+        echo "       set SPEC_ROOT to your agentnative-spec checkout, or check network access." >&2
+        exit 1
+    fi
+    echo "warning: remote query failed; falling back to local $SPEC_ROOT" >&2
+
+    spec_source="$SPEC_ROOT"
+    spec_tag="$(git -C "$spec_source" tag --list 'v*' --sort='-version:refname' | head -n 1)"
+    if [[ -z "$spec_tag" ]]; then
+        echo "error: no v* tags found in $SPEC_ROOT" >&2
+        echo "       try \`git -C $SPEC_ROOT fetch --tags\` to pick up upstream tags" >&2
+        exit 1
+    fi
+    resolved_sha="$(git -C "$spec_source" rev-parse --short=7 "$spec_tag^{commit}")"
+    echo "vendoring $spec_tag ($resolved_sha) from local $spec_source"
+fi
+
+# === Verify + extract (works identically for remote and local sources) =
+if ! git -C "$spec_source" cat-file -e "$spec_tag:principles" 2>/dev/null; then
+    echo "error: $spec_tag has no principles/ directory in $spec_source" >&2
+    exit 1
+fi
+
+mkdir -p "$DEST_PRINCIPLES"
+
+# VERSION and CHANGELOG.md are top-level in the spec repo.
+git -C "$spec_source" show "$spec_tag:VERSION" >"$DEST_DIR/VERSION"
+git -C "$spec_source" show "$spec_tag:CHANGELOG.md" >"$DEST_DIR/CHANGELOG.md"
+
+# Enumerate principle files at the tag and extract each one. Filter to
+# p*-*.md so principles/AGENTS.md (spec-side design context, not consumed
+# by the site) is skipped.
+copied=0
+while IFS= read -r path; do
+    case "$path" in
+        principles/p*-*.md)
+            dest_name="${path#principles/}"
+            git -C "$spec_source" show "$spec_tag:$path" >"$DEST_PRINCIPLES/$dest_name"
+            copied=$((copied + 1))
+            ;;
+    esac
+done < <(git -C "$spec_source" ls-tree --name-only "$spec_tag" principles/)
+
+if [[ "$copied" -eq 0 ]]; then
+    echo "error: no principles/p*-*.md files found at $spec_tag" >&2
+    exit 1
+fi
+
+echo "wrote $copied principle file(s) to $DEST_PRINCIPLES"
+echo "wrote VERSION + CHANGELOG.md to $DEST_DIR"
+echo
+echo "next: review \`git diff\` for unexpected changes, then commit."
diff --git a/src/build/build.mjs b/src/build/build.mjs
index 9aa1ab1..5e8ab78 100644
--- a/src/build/build.mjs
+++ b/src/build/build.mjs
@@ -374,7 +374,10 @@ export async function build() {
     // existing embed continues to render the current score after a
     // regression. Score derived from schema 0.5 `badge.score_pct` (0–100
     // int) → 0–1 for badge-maker's color thresholds.
-    const svg = renderBadgeSvg(scorecard.badge.score_pct / 100);
+    // spec_version is per-scorecard (the spec the CLI was compiled against
+    // when it produced this scorecard) — pass it explicitly so the badge
+    // label tracks the actual scoring context, not a global default.
+    const svg = renderBadgeSvg(scorecard.badge.score_pct / 100, scorecard.spec_version);
     await writeFile(join(DIST_DIR, 'badge', `${tool.name}.svg`), svg);
     badgePaths.push(`/badge/${tool.name}.svg`);
 
diff --git a/src/build/shell.mjs b/src/build/shell.mjs
index 865c640..e9da185 100644
--- a/src/build/shell.mjs
+++ b/src/build/shell.mjs
@@ -5,7 +5,7 @@
 // Inputs are plain data (no filesystem). assets.mjs reads the inline
 // theme-init script from disk and passes it in.
 
-import { escHtml, resolveBaseUrl } from './util.mjs';
+import { escHtml, resolveBaseUrl, SITE_SPEC_VERSION } from './util.mjs';
 
 const SITE_NAME = 'anc.dev';
 const SITE_TAGLINE = 'The agent-native CLI standard';
@@ -187,7 +187,7 @@ ${AI_PROVIDERS.map(
       <p class="site-footer__meta">
         <span>${SITE_NAME}</span>
         <span> · </span>
-        <span>v0.1.0</span>
+        <span>v${SITE_SPEC_VERSION}</span>
         <span> · </span>
         <a href="/changelog">Changelog</a>
         <span> · </span>
diff --git a/src/build/util.mjs b/src/build/util.mjs
index a5722a9..4641923 100644
--- a/src/build/util.mjs
+++ b/src/build/util.mjs
@@ -1,8 +1,10 @@
 // Small build helpers: sorted principle glob, filename parsing, HTML escaping.
 // Kept separate from build.mjs so tests/build.test.ts can import directly.
 
+import { readFileSync } from 'node:fs';
 import { readdir } from 'node:fs/promises';
-import { join } from 'node:path';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 
 const PRINCIPLE_FILENAME_RE = /^p(\d+)-([a-z0-9-]+)\.md$/;
 
@@ -71,14 +73,58 @@ export const PRINCIPLE_GROUPS = Object.keys(PRINCIPLE_NAMES);
 
 export const BONUS_GROUPS = ['CodeQuality', 'ProjectStructure'];
 
-// Spec version cited on the badge label and in the /badge convention prose.
-// The spec sync-plan (docs/plans/2026-04-23-001-feat-sync-spec-plan.md)
-// will replace this with a build-time read from src/data/spec/VERSION when
-// it lands. Until then, this is a manually-tracked copy of the
-// agentnative-spec VERSION file. The shell footer carries a separate stub
-// (v0.1.0) tracked by the same plan; both should converge to the real
-// version once the sync script is wired.
-export const SPEC_VERSION = '0.3.0';
+// =====================================================================
+// Spec version constants — three distinct concepts, three distinct files.
+// =====================================================================
+//
+// 1. SPEC_VERSION  — the spec version we last *vendored* (src/data/spec/VERSION).
+//    Updated by `./scripts/sync-spec.sh`. Kept around as a reference / diff
+//    target. NOT used for any user-visible surface — the moment of vendoring
+//    and the moment of site reconciliation are different events.
+//
+// 2. SITE_SPEC_VERSION — the spec version this site's principle prose has
+//    been *reconciled to* (content/principles/VERSION). Bumped MANUALLY by
+//    the contributor who reconciles content/principles/p*-*.md after a
+//    sync-spec.sh run. Always ≤ SPEC_VERSION; lag during the manual
+//    reconciliation window is honest (footer correctly says the site hasn't
+//    caught up yet). USED BY: site footer.
+//
+// 3. (Per-scorecard `spec_version` field) — what `anc` was compiled against
+//    when it produced that scorecard. NOT a global constant; lives in each
+//    scorecards/<name>-v<ver>.json. USED BY: per-tool badge SVGs (passed
+//    explicitly into renderBadgeSvg) and the OG card (reads anc's own
+//    self-scorecard's spec_version).
+//
+// Both files are read at module load, fail-fast on missing.
+// =====================================================================
+
+const SPEC_VERSION_PATH = join(dirname(fileURLToPath(import.meta.url)), '..', 'data', 'spec', 'VERSION');
+const SITE_SPEC_VERSION_PATH = join(
+  dirname(fileURLToPath(import.meta.url)),
+  '..',
+  '..',
+  'content',
+  'principles',
+  'VERSION',
+);
+
+function readVersionFile(path, remediation) {
+  try {
+    return readFileSync(path, 'utf8').trim();
+  } catch (err) {
+    throw new Error(`Could not read ${path}: ${err.message}\n${remediation}`);
+  }
+}
+
+export const SPEC_VERSION = readVersionFile(
+  SPEC_VERSION_PATH,
+  'Run ./scripts/sync-spec.sh to vendor the latest spec, then retry.',
+);
+
+export const SITE_SPEC_VERSION = readVersionFile(
+  SITE_SPEC_VERSION_PATH,
+  'Create content/principles/VERSION with the spec version this site is reconciled to (one-line semver).',
+);
 
 const DEFAULT_BASE = 'https://anc.dev';
 
diff --git a/src/data/spec/CHANGELOG.md b/src/data/spec/CHANGELOG.md
new file mode 100644
index 0000000..d091c4b
--- /dev/null
+++ b/src/data/spec/CHANGELOG.md
@@ -0,0 +1,58 @@
+# Changelog
+
+All notable changes to this repository are documented here — governance, validator, release infrastructure, README, decision records.
+
+Changes to the standard itself — principle MUST/SHOULD/MAY tier moves, requirement IDs added/removed/renamed, applicability shifts — are tracked per-principle in `principles/p*-*.md` via the `last-revised:` calver frontmatter field and the `## Pressure test notes` section appended to each file.
+
+## [0.3.0] - 2026-04-28
+
+### Added
+
+- `active` status value for principles, joining `draft | under-review | locked` as the default state for shipped principles. by @brettdavies in [#12](https://github.com/brettdavies/agentnative/pull/12)
+- README `## Status` section and HN-scroller hook explaining the active-with-pressure-tests-welcome posture.
+
+### Changed
+
+- All 7 principles flipped from `status: draft` to `status: active` for the v0.3.0 release. by @brettdavies in [#12](https://github.com/brettdavies/agentnative/pull/12)
+- `principles/AGENTS.md` pressure-test protocol updated for the new status lifecycle (`active` is the default; `under-review` is reserved for substantive critique cycles).
+- README restructured for HN-visitor flow: new `## The trifecta` callout (spec + linter + leaderboard as equals); `## Quick start` lead with `brew install brettdavies/tap/agentnative`; `## Live leaderboard` preview table; admin sections (Versioning, Decision records, Related, Contributing, License) reordered below spec content. License section tightened from 4 paragraphs to 3 bullets; Contributing tightened from 4-bullet list to 1 paragraph. by @brettdavies in [#14](https://github.com/brettdavies/agentnative/pull/14)
+- README leaderboard URLs corrected from bare `anc.dev` to `anc.dev/scorecards`.
+- AGENTS.md adds `brettdavies/agentnative-skill` as a documented downstream consumer (introductory list + cross-repo context table); replaces the prior `~/.claude/skills/agent-native-cli/` row with the public `~/dev/agentnative-skill` row.
+
+### Documentation
+
+- G11 red-team pass on all 7 principle files via `compound-engineering:ce-adversarial-document-reviewer`. 25 findings: 11 prose edits applied (P1 TUI parenthetical, P2 sysexits acknowledgment, P4 dependency-gating cleanup, P5 `--dry-run` write-gate + retry hedge, P6 SIGPIPE language-neutral + global-flags behavioral lead, P7 LLM-vs-non-LLM cost generalization), 10 `[later]` notes appended for v0.4.0 follow-up, 2 `[wontfix]` notes, 2 skipped. No requirement IDs added/removed/renamed; no level/applicability changes; no `last-revised:` bumps; no VERSION bump triggered. by @brettdavies in [#13](https://github.com/brettdavies/agentnative/pull/13)
+- Three summary-text tightenings (P4 `gating-before-network`, P6 `sigpipe`, P6 `global-flags`) introduce mild registry-readable drift documented in pressure-test notes for v0.4.0 follow-up.
+
+**Full Changelog**: [v0.2.0...v0.3.0](https://github.com/brettdavies/agentnative/compare/v0.2.0...v0.3.0)
+
+## [0.2.0] - 2026-04-23
+
+### Added
+
+- Per-principle `requirements[]` frontmatter contract: 46 stable requirement IDs (`p1-must-env-var` … `p7-may-auto-verbosity`) with `level`, `applicability`, and `summary`. by @brettdavies in [#3](https://github.com/brettdavies/agentnative/pull/3)
+- `status: draft | under-review | locked` field on every principle.
+- `principles/AGENTS.md` authoring conventions and pressure-test protocol.
+- `docs/decisions/` named records: P1 behavioral-MUST doctrine, naming rationale.
+- `scripts/generate-changelog.sh` — two-stage release-note generator that runs `git-cliff` for the skeleton and a Python post-processor to fetch PR bodies from the GitHub API and expand each entry with `### Added / Changed / Fixed / Removed / Security` subsections. Ported from `brettdavies/agentnative`. by @brettdavies in [#9](https://github.com/brettdavies/agentnative/pull/9)
+
+### Changed
+
+- Requirement IDs are now sourced from this repo; `agentnative-cli` will vendor the spec and drift-check against it (previously the CLI embedded the list in `src/principles/registry.rs`). by @brettdavies in [#3](https://github.com/brettdavies/agentnative/pull/3)
+- `CONTRIBUTING.md`: versioning rule now covers frontmatter-shape changes as MINOR.
+- `cliff.toml` switched from fragile commit-body-header parsing (which broke when markdown headers got stripped during cherry-picks) to subject-line-with-PR-link rendering. The PR body is now the source of truth for release notes. by @brettdavies in [#9](https://github.com/brettdavies/agentnative/pull/9)
+
+**Full Changelog**: [v0.1.1...v0.2.0](https://github.com/brettdavies/agentnative/compare/v0.1.1...v0.2.0)
+
+## [0.1.1] - 2026-04-20
+
+### Added
+
+- Seven agent-native principles (P1–P7) published with `last-revised: 2026-04-20` per-principle calver.
+- Governance model: three-repo architecture (spec / CLI / site), AI disclosure on all contributions, human co-sign on
+  principle edits and PRs, coupled-release protocol between spec and checker.
+
+### Changed
+
+- P1 "Non-Interactive by Default" — applicability gates added (help-on-bare-invocation, agentic flag,
+  stdin-as-primary-input).
diff --git a/src/data/spec/README.md b/src/data/spec/README.md
new file mode 100644
index 0000000..4346f73
--- /dev/null
+++ b/src/data/spec/README.md
@@ -0,0 +1,101 @@
+# `src/data/spec/` — vendored agentnative-spec snapshot
+
+What lives here:
+
+- `VERSION` — single line, the spec version this **vendored snapshot** is at. Read at module load by
+  `../../build/util.mjs` and exported as `SPEC_VERSION`. **NOT used for any user-visible surface** — kept as a reference
+  / diff target. The site has TWO other version concepts; see the version-distinction box below.
+- `CHANGELOG.md` — Keep-a-Changelog format. Currently only kept in-tree as a diff target / reference; not yet read by
+  the site build. Future use: `/changelog` page could render this verbatim if the hand-written `content/changelog.md` is
+  retired.
+- `principles/p*-*.md` — the spec's structured principle files (frontmatter-heavy, machine-readable). **Currently a diff
+  target only.** Nothing in the site build consumes these for rendering. Site rendering of `/p1`–`/p7` reads from
+  `content/principles/`, which is human-written site copy that exists alongside (not derived from) the spec prose.
+
+## Three distinct spec-version concepts on this site
+
+The site shows version labels in three places. **Each pulls from a different source by design** — they can legitimately
+diverge during the manual reconciliation window:
+
+| Surface                                         | Constant / source                                                                                                           | What it means                                                                                                                                                                | Bumped by                                                                                            |
+| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| Site footer                                     | `SITE_SPEC_VERSION` (reads `../../../content/principles/VERSION`)                                                           | The spec version the site's **prose** has been reconciled to. Honest claim of currency.                                                                                      | Manually, by the contributor who reconciles `content/principles/p*-*.md` after a `sync-spec.sh` run. |
+| Per-tool badge SVGs                             | Each scorecard's own `spec_version` field (passed to `renderBadgeSvg(score, scorecard.spec_version)`)                       | The spec version the `anc` binary was compiled against when it produced that scorecard. Each badge tracks the actual scoring context.                                        | Automatic — bumps whenever the scorecard is regenerated (which uses an `anc` build with newer spec). |
+| OG social card                                  | `anc`'s self-scorecard's `spec_version` (read from `scorecards/anc-v*.json`'s highest version, by `scripts/og/generate.ts`) | The spec version `anc` claims to score against. Same source-shape as the per-tool badges (scorecard `spec_version` field), with `anc`'s own scorecard as the representative. | Automatic on `bun run og` after the `anc` scorecard is refreshed.                                    |
+| Vendored `SPEC_VERSION` (THIS file's `VERSION`) | `SPEC_VERSION` (reads `./VERSION`)                                                                                          | The spec version we last **vendored a snapshot of**. NOT displayed anywhere on the site. Reference only.                                                                     | Automatic — `./scripts/sync-spec.sh` overwrites this file with the latest upstream tag.              |
+
+Why three sources, not one:
+
+- **`SPEC_VERSION` (vendored, this file)** moves the moment we run `sync-spec.sh`. That's a fetch, not a reconciliation.
+- **`SITE_SPEC_VERSION`** (`content/principles/VERSION`) only moves when a contributor finishes reconciling the site
+  prose to the new spec. The lag is honest — the footer correctly tells visitors that the prose hasn't caught up yet.
+- **Per-scorecard `spec_version`** moves at the scoring-pipeline cadence, which is independent of both the vendoring
+  cadence (here) and the site-prose reconciliation cadence (`content/principles/`). The `anc` binary that scored
+  `bird-v0.1.3.json` last week may have been compiled against an older spec than the one we just vendored.
+
+This separation prevents a single misleading scenario: vendoring a new spec snapshot and immediately bumping the footer
+to claim the site is current to it, when the prose hasn't been touched. The footer's job is to tell the truth about
+**site currency**, not **vendor currency**.
+
+## Why both `content/principles/` AND `src/data/spec/principles/`?
+
+They serve different audiences:
+
+| Path                                 | Audience                                                                                                         | Shape                                                                                                       | Source                                          |
+| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
+| `content/principles/p<n>-*.md`       | Humans reading anc.dev                                                                                           | Prose-first. "Why Agents Need It" framing. MUST/SHOULD/MAY blocks with code examples in multiple languages. | Hand-written by site contributors.              |
+| `src/data/spec/principles/p<n>-*.md` | The CLI's `build.rs` (in agentnative-cli, which has its own copy) and any future automated consumer in this repo | Frontmatter-heavy. Structured `requirements:` array (id, level, applicability, summary). Machine-readable.  | Vendored from agentnative-spec at a pinned tag. |
+
+They are not duplicates. Per `AGENTS.md` doctrine: *"site's principle copy in `content/principles/` is written manually
+from these files — no build-time import, no live link... Do not edit the spec to match the site; propagate in the other
+direction, deliberately."*
+
+## Workflow when spec prose changes
+
+1. agentnative-spec ships v0.X.Y with principle prose changes.
+2. Site contributor runs `./scripts/sync-spec.sh` from the repo root. The script picks up the latest v* tag from the
+   remote (or falls back to `$SPEC_ROOT`) and rewrites this directory. **Footer does NOT move yet** — `SPEC_VERSION`
+   updates here, but `SITE_SPEC_VERSION` (`content/principles/VERSION`) is unchanged. The footer correctly shows the
+   site is not yet reconciled.
+3. Inspect: `git diff src/data/spec/principles/` shows exactly what the spec changed.
+4. **Manual editorial decision**: contributor decides whether (and how) to update `content/principles/p<n>-*.md` to
+   reflect the spec change. The two file shapes are intentionally different — there is no automated 1-to-1 converter.
+   Site copy may incorporate the spec change verbatim, paraphrase it for prose flow, add a code example, or deliberately
+   not change (e.g., when the spec edit is purely a frontmatter tier shift).
+5. **Bump `content/principles/VERSION`** to the new spec version once the prose is reconciled. This is the gate that
+   moves the footer. Do this LAST — bumping before reconciliation lies to visitors about site currency.
+6. Open a PR with the vendored update (`src/data/spec/`) + any reconciled `content/principles/` edits + the
+   `content/principles/VERSION` bump.
+
+The vendored copy is a **diff target**, not a source the site renders from. Re-vendoring is a routine, low-stakes
+operation; reconciling site prose is a deliberate editorial act; bumping `content/principles/VERSION` is the explicit "I
+have caught up" signal.
+
+## When to resync
+
+After every new agentnative-spec release. The spec repo's `.github/workflows/publish.yml` fires
+`repository_dispatch:spec-release` to this repo on tag publish — a consumer-side handler that auto-PRs the resync is
+tracked as follow-up work in the sync-spec plan but not yet shipped.
+
+For now: rerun `./scripts/sync-spec.sh` manually whenever `cat src/data/spec/VERSION` shows an older version than `gh
+api repos/brettdavies/agentnative/releases/latest --jq .tag_name` (or just whenever you remember).
+
+## What does NOT live here
+
+- Site rendering source — that's `content/`.
+- Generated HTML/CSS/JS — that's `dist/` (gitignored).
+- Skill bundle metadata — that's `src/data/skill.json`, hand-edited (not vendored).
+- Coverage matrix — that's `src/data/coverage-matrix.json`, vendored from agentnative-cli via
+  `scripts/sync-coverage-matrix.sh`.
+
+## Reference
+
+- Vendoring script: `scripts/sync-spec.sh`
+- Cross-repo sync map: `scripts/SYNCS.md`
+- Plan that introduced this directory:
+  [`docs/plans/2026-04-23-001-feat-sync-spec-plan.md`](../../../docs/plans/2026-04-23-001-feat-sync-spec-plan.md)
+- Cross-repo version model:
+  [`docs/solutions/best-practices/agentnative-version-model-2026-05-01.md`](../../../docs/solutions/best-practices/agentnative-version-model-2026-05-01.md)
+- Upstream spec: <https://github.com/brettdavies/agentnative>
+- AGENTS.md doctrine on manual reconciliation: see the `~/obsidian-vault/Projects/brettdavies-agentnative/principles/`
+  paragraph in `AGENTS.md` (top-level of this repo).
diff --git a/src/data/spec/VERSION b/src/data/spec/VERSION
new file mode 100644
index 0000000..0d91a54
--- /dev/null
+++ b/src/data/spec/VERSION
@@ -0,0 +1 @@
+0.3.0
diff --git a/src/data/spec/principles/p1-non-interactive-by-default.md b/src/data/spec/principles/p1-non-interactive-by-default.md
new file mode 100644
index 0000000..f93ad5a
--- /dev/null
+++ b/src/data/spec/principles/p1-non-interactive-by-default.md
@@ -0,0 +1,130 @@
+---
+id: p1
+title: Non-Interactive by Default
+last-revised: 2026-04-22
+status: active
+requirements:
+  - id: p1-must-env-var
+    level: must
+    applicability: universal
+    summary: Every flag settable via environment variable (falsey-value parser for booleans).
+  - id: p1-must-no-interactive
+    level: must
+    applicability: universal
+    summary: "`--no-interactive` flag gates every prompt library call; when set or stdin is not a TTY, use defaults/stdin or exit with an actionable error."
+  - id: p1-must-no-browser
+    level: must
+    applicability:
+      if: CLI authenticates against a remote service
+    summary: Headless authentication path (`--no-browser` / OAuth Device Authorization Grant).
+  - id: p1-should-tty-detection
+    level: should
+    applicability: universal
+    summary: Auto-detect non-interactive context via TTY detection; suppress prompts when stderr is not a terminal.
+  - id: p1-should-defaults-in-help
+    level: should
+    applicability: universal
+    summary: Document default values for prompted inputs in `--help` output.
+  - id: p1-may-rich-tui
+    level: may
+    applicability: universal
+    summary: Rich interactive experiences (spinners, progress bars, menus) when TTY is detected and `--no-interactive` is not set.
+---
+
+# P1: Non-Interactive by Default
+
+## Definition
+
+Every automation path MUST run without human input. A CLI tool that blocks on an interactive prompt is invisible to an
+agent — the agent hangs, the user sees nothing, and the operation times out silently.
+
+**Decision record:** this principle's MUST is worded in terms of observable behavior rather than enumerated APIs.
+[`docs/decisions/p1-behavioral-must.md`](../docs/decisions/p1-behavioral-must.md) records the reasoning and names the
+verification boundary: automated checks verify behavior under non-TTY stdin; TTY-driving-agent scenarios are covered by
+the MUST but are not PTY-probed at the current scale.
+
+## Why Agents Need It
+
+An agent calling a CLI cannot type. When the tool prompts for a confirmation or a credential, the agent's process stalls
+until timeout: no tokens recovered, no structured signal that interaction was requested, and no way to distinguish
+"waiting for input" from "still processing." Interactive prompts in automation paths are the single most common cause of
+agent-tool deadlock.
+
+## Requirements
+
+**MUST:**
+
+- Every flag settable via environment variable. Use a falsey-value parser for booleans so that `TOOL_QUIET=0` and
+  `TOOL_QUIET=false` correctly disable the flag rather than being treated as truthy non-empty strings. In Rust / clap:
+
+  ```rust
+  #[arg(long, env = "TOOL_QUIET", global = true,
+        value_parser = FalseyValueParser::new())]
+  quiet: bool,
+  ```
+
+- A `--no-interactive` flag gating every prompt library call (`dialoguer`, `inquire`, `read_line`, `TTY::Prompt`,
+  `inquirer`, equivalents in other frameworks, or any TUI event loop that takes over the terminal). When the flag is
+  set, or when stdin is not a TTY, the tool uses defaults, reads from stdin, or exits with an actionable error. It never
+  blocks.
+- A headless authentication path if the CLI authenticates. The canonical flag is `--no-browser`, which triggers the
+  OAuth 2.0 Device Authorization Grant ([RFC 8628](https://www.rfc-editor.org/rfc/rfc8628)): the CLI prints a URL and a
+  code; the user authorizes on another device. Agents cannot open browsers. Non-canonical alternatives (`--device-code`,
+  `--remote`, `--headless`) are acceptable but should migrate toward `--no-browser`.
+
+**SHOULD:**
+
+- Auto-detect non-interactive context via TTY detection (`std::io::IsTerminal` in Rust 1.70+, `process.stdin.isTTY` in
+  Node, `sys.stdout.isatty()` in Python) and suppress prompts when stderr is not a terminal, even without an explicit
+  `--no-interactive` flag.
+- Document default values for prompted inputs in `--help` output so agents can pass them explicitly instead of accepting
+  whatever default ships.
+
+**MAY:**
+
+- Offer rich interactive experiences — spinners, progress bars, multi-select menus — when a TTY is detected and
+  `--no-interactive` is not set, provided the non-interactive path remains fully functional.
+
+## Evidence
+
+- `--no-interactive` flag in the CLI struct with an env-var binding.
+- Boolean env vars parsed with a falsey-value parser (not the default string parser).
+- TTY guard wrapping every `dialoguer`, `inquire`, or equivalent prompt call.
+- `--no-browser` flag present on authenticated CLIs.
+- `env = "TOOL_..."` attribute on every flag that takes user input.
+
+## Anti-Patterns
+
+- Bare `dialoguer::Confirm::new().interact()` with no TTY check and no `--no-interactive` override — agents hang
+  indefinitely.
+- Boolean environment variables parsed as plain strings, so `TOOL_QUIET=false` is truthy because the string is
+  non-empty.
+- `stdin().read_line()` in a code path reached during normal operation without a TTY check first.
+- Hard-coded credentials prompts with no env-var or config-file alternative.
+- OAuth flow that unconditionally opens a browser with no headless escape hatch.
+
+Measured by check IDs `p1-non-interactive` (behavioral) and `p1-non-interactive-source` (source). Run `agentnative check
+--principle 1 .` against your CLI to see both.
+
+## Pressure test notes
+
+### 2026-04-27 — Show HN launch red-team pass
+
+Adversarial review via `compound-engineering:ce-adversarial-document-reviewer` ahead of the v0.3.0 launch. Findings
+recorded verbatim per `principles/AGENTS.md` § "Pressure-test protocol".
+
+- **[edit]** *Internal inconsistency.* "The `--no-interactive` MUST bullet says 'uses defaults, reads from stdin, or
+  exits with an actionable error' but the principle's behavioral framing (per decision record) covers TUI session init
+  too. The prose bullet only enumerates prompt libraries (`dialoguer`, `inquire`, `read_line`, `TTY::Prompt`,
+  `inquirer`), not TUI frameworks (`ratatui`, `bubbletea`) — readers will infer the MUST excludes TUIs, contradicting
+  the decision record's explicit 'blocking-interactive surface includes... TUI session initialization.'" Resolved: prose
+  bullet's parenthetical now includes "or any TUI event loop that takes over the terminal." Mirrors the behavioral
+  framing in [`docs/decisions/p1-behavioral-must.md`](../docs/decisions/p1-behavioral-must.md). No frontmatter change;
+  the summary already says "gates every prompt library call" and stays.
+- **[wontfix]** *Prior art.* "RFC 8628 citation is correct in name but incomplete in framing. The prose says Device
+  Authorization Grant means 'the CLI prints a URL and a code; the user authorizes on another device' — this still
+  requires a human on another device, which an unattended agent does not have. An HN commenter will note this is a
+  *human-assisted* headless path, not an agent-headless path; true unattended agents need service-account / API-token
+  auth (which the principle doesn't mention)." Rationale: P1 scopes "headless" as "no local browser required," not "no
+  human anywhere." A human-in-the-loop is acceptable here. Service-account auth is orthogonal and would belong to a
+  separate principle if it were added.
diff --git a/src/data/spec/principles/p2-structured-parseable-output.md b/src/data/spec/principles/p2-structured-parseable-output.md
new file mode 100644
index 0000000..4f1ef7b
--- /dev/null
+++ b/src/data/spec/principles/p2-structured-parseable-output.md
@@ -0,0 +1,124 @@
+---
+id: p2
+title: Structured, Parseable Output
+last-revised: 2026-04-22
+status: active
+requirements:
+  - id: p2-must-output-flag
+    level: must
+    applicability: universal
+    summary: "`--output text|json|jsonl` flag selects output format; `OutputFormat` enum threaded through output paths."
+  - id: p2-must-stdout-stderr-split
+    level: must
+    applicability: universal
+    summary: Data goes to stdout; diagnostics/progress/warnings go to stderr — never interleaved.
+  - id: p2-must-exit-codes
+    level: must
+    applicability: universal
+    summary: Exit codes are structured and documented (0 success, 1 general, 2 usage, 77 auth, 78 config).
+  - id: p2-must-json-errors
+    level: must
+    applicability: universal
+    summary: When `--output json` is active, errors are emitted as JSON (to stderr) with at least `error`, `kind`, and `message` fields.
+  - id: p2-should-consistent-envelope
+    level: should
+    applicability: universal
+    summary: JSON output uses a consistent envelope — a top-level object with predictable keys — across every command.
+  - id: p2-may-more-formats
+    level: may
+    applicability: universal
+    summary: Additional output formats (CSV, TSV, YAML) beyond the core three.
+  - id: p2-may-raw-flag
+    level: may
+    applicability: universal
+    summary: "`--raw` flag for unformatted output suitable for piping to other tools."
+---
+
+# P2: Structured, Parseable Output
+
+## Definition
+
+CLI tools MUST separate data from diagnostics and offer machine-readable output formats. Mixing status messages with
+data forces agents into fragile regex extraction that breaks on any format change.
+
+## Why Agents Need It
+
+An agent calling a CLI needs three things from each invocation: the data, the error (if any), and the exit code. When
+data goes to stdout, diagnostics go to stderr, and errors carry machine-readable fields, the agent parses the result
+reliably without heuristics. Mix these channels or ship human-formatted output only, and the agent falls back to
+best-effort text parsing that fails unpredictably across versions, locales, and edge cases — silently at first,
+catastrophically later.
+
+## Requirements
+
+**MUST:**
+
+- A `--output text|json|jsonl` flag selects the output format. Text is the default for humans; JSON and JSONL are the
+  agent-facing formats. Implementation surfaces an `OutputFormat` enum and an `OutputConfig` struct threaded through
+  every function that produces output.
+- Data goes to stdout. Diagnostics, progress indicators, and warnings go to stderr. An agent consuming JSON from stdout
+  must never encounter an interleaved progress message.
+- Exit codes are structured and documented:
+
+| Code | Meaning                           |
+| ---: | --------------------------------- |
+|    0 | Success                           |
+|    1 | General command error             |
+|    2 | Usage error (bad arguments)       |
+|   77 | Authentication / permission error |
+|   78 | Configuration error               |
+
+  These codes blend the bash 0/1/2 convention with BSD `sysexits.h` 77/78 (`EX_NOPERM`, `EX_CONFIG`); the result is the
+  de-facto agent-facing dialect, not strict `sysexits.h` compliance.
+
+- When `--output json` is active, errors are emitted as JSON (to stderr) with at least `error`, `kind`, and `message`
+  fields. Plain-text errors in a JSON run break the agent's parser on the only output it was told to expect.
+
+**SHOULD:**
+
+- JSON output uses a consistent envelope — a top-level object with predictable keys — across every command so agents can
+  rely on the same shape.
+
+**MAY:**
+
+- Additional output formats (CSV, TSV, YAML) beyond the core three. The core three remain mandatory.
+- A `--raw` flag for unformatted output suitable for piping to other tools.
+
+## Evidence
+
+- `OutputFormat` enum with `Text`, `Json`, `Jsonl` variants deriving `ValueEnum`.
+- `OutputConfig` struct with `format`, `use_color`, and `quiet` fields.
+- `serde_json` in `Cargo.toml`.
+- No `println!` in `src/` outside the output module — every print goes through `OutputConfig`.
+- Exit-code constants or match arms mapping error variants to distinct numeric codes.
+- `eprintln!` (or an equivalent diagnostic macro) for every diagnostic line.
+
+## Anti-Patterns
+
+- `println!` scattered across handlers instead of routing through the output config.
+- A single exit code (1) for everything — agents cannot distinguish auth failures from config errors.
+- Status lines ("Fetching data…") printed to stdout where they contaminate JSON output.
+- `process::exit()` in library code, bypassing structured error propagation.
+- Human-formatted tables as the only output mode with no JSON alternative.
+
+Measured by check IDs `p2-output-json`, `p2-output-format`, `p2-stderr-diagnostics`. Run `agentnative check --principle
+2 .` against your CLI to see each.
+
+## Pressure test notes
+
+### 2026-04-27 — Show HN launch red-team pass
+
+Adversarial review via `compound-engineering:ce-adversarial-document-reviewer` ahead of the v0.3.0 launch. Findings
+recorded verbatim per `principles/AGENTS.md` § "Pressure-test protocol".
+
+- **[edit]** *Prior art.* "The exit-code table conflicts with `sysexits.h`. `EX_NOPERM=77` is 'permission denied'
+  (close), but `EX_CONFIG=78` is correct. However, `sysexits.h` reserves `EX_USAGE=64`, `EX_DATAERR=65`,
+  `EX_NOINPUT=66`, `EX_UNAVAILABLE=69`, `EX_SOFTWARE=70` — P2 puts 'usage error' at 2 (bash convention), not 64. HN will
+  note the principle straddles two conventions (bash 0/1/2 + sysexits 77/78) without naming the hybrid." Resolved: added
+  one sentence under the exit-code table acknowledging the bash + `sysexits.h` blend. The same citation now appears in
+  P4's exit-code table (per Row #13 of the same review pass) so both files agree.
+- **[later]** *Must-vs-should.* "A single-number-emitting CLI (e.g., `epoch`, `uuidgen`) plausibly violates the
+  `--output text|json|jsonl` MUST for a defensible reason. Universal applicability is a strong claim." Deferred: revisit
+  whether `applicability` should soften when the launch landscape clarifies actual single-number agent-facing CLIs. The
+  applicability change would fire coupled-release (CLI registry impact), so it is held for a v0.4.0 cleanup PR rather
+  than churned during launch week.
diff --git a/src/data/spec/principles/p3-progressive-help-discovery.md b/src/data/spec/principles/p3-progressive-help-discovery.md
new file mode 100644
index 0000000..55bf47b
--- /dev/null
+++ b/src/data/spec/principles/p3-progressive-help-discovery.md
@@ -0,0 +1,106 @@
+---
+id: p3
+title: Progressive Help Discovery
+last-revised: 2026-04-22
+status: active
+requirements:
+  - id: p3-must-subcommand-examples
+    level: must
+    applicability:
+      if: CLI uses subcommands
+    summary: Every subcommand ships at least one concrete invocation example (`after_help` in clap).
+  - id: p3-must-top-level-examples
+    level: must
+    applicability: universal
+    summary: The top-level command ships 2–3 examples covering the primary use cases.
+  - id: p3-should-paired-examples
+    level: should
+    applicability: universal
+    summary: Examples show human and agent invocations side by side (text then `--output json` equivalent).
+  - id: p3-should-about-long-about
+    level: should
+    applicability: universal
+    summary: Short `about` for command-list summaries; `long_about` reserved for detailed descriptions visible with `--help`.
+  - id: p3-may-examples-subcommand
+    level: may
+    applicability: universal
+    summary: Dedicated `examples` subcommand or `--examples` flag for curated usage patterns.
+---
+
+# P3: Progressive Help Discovery
+
+## Definition
+
+Help text MUST be layered so agents (and humans) can drill from a short summary to concrete usage examples without
+reading the entire manual. The critical layer is the one that appears **after** the flags list, because that is where
+readers look for invocation patterns.
+
+## Why Agents Need It
+
+Agents discover how to use a tool by calling `--help` and scanning the output. They skip past flag definitions (which
+describe what is *possible*) and hunt for examples (which describe what to *do*). A flags list alone is enough rope to
+produce a failed invocation; examples are what turn discovery into action. Without examples in the help output, an agent
+trial-and-errors its way into a working call, burning tokens and sometimes landing on a wrong-but-silent success.
+
+## Requirements
+
+**MUST:**
+
+- Every subcommand ships at least one concrete invocation example showing the command with realistic arguments, rendered
+  in the section that appears after the flags list. In clap this is the `after_help` attribute.
+- The top-level command ships 2–3 examples covering the primary use cases.
+
+**SHOULD:**
+
+- Examples show human and agent invocations side by side — a text-output example followed by its `--output json`
+  equivalent. Readers see the pair; agents see the JSON form.
+- Short `about` for command-list summaries; `long_about` reserved for detailed descriptions visible with `--help` but
+  not `-h`.
+
+**MAY:**
+
+- A dedicated `examples` subcommand or `--examples` flag that outputs a curated set of usage patterns for agent
+  consumption.
+
+## Evidence
+
+- `after_help` (or `after_long_help`) attribute on the top-level parser struct.
+- `after_help` attribute on every subcommand variant.
+- Example invocations in `after_help` text that include realistic arguments, not placeholder `<foo>` tokens.
+- Both `about` (short) and `after_help` (examples) present on each subcommand.
+
+## Anti-Patterns
+
+- Relying solely on `///` doc comments — those populate `about` / `long_about`, not `after_help`, so no examples render
+  after the flags list.
+- A single `about` string serving as both summary and usage documentation.
+- Examples buried in a README or man page but absent from `--help` output.
+- `after_help` text that describes the flags in prose instead of demonstrating them in code.
+
+Measured by check IDs `p3-help`, `p3-after-help`, `p3-version`. Run `agentnative check --principle 3 .` against your CLI
+to see each.
+
+## Pressure test notes
+
+### 2026-04-27 — Show HN launch red-team pass
+
+Adversarial review via `compound-engineering:ce-adversarial-document-reviewer` ahead of the v0.3.0 launch. Findings
+recorded verbatim per `principles/AGENTS.md` § "Pressure-test protocol".
+
+- **[later]** *Internal inconsistency.* "The SHOULD on paired examples ('text then `--output json` equivalent')
+  implicitly gates P3 conformance on a `--output json` mode, which is P2's territory. A CLI without structured output
+  cannot satisfy this SHOULD even in spirit, yet `applicability: universal`." Deferred: narrowing `applicability` from
+  `universal` to conditional (`if: CLI exposes a structured-output mode`) fires the coupled-release norm (CLI registry
+  parses `applicability`). Bundled with other applicability cleanups for a v0.4.0 PR with explicit registry
+  coordination.
+- **[later]** *Must-vs-should.* "'Top-level command ships 2–3 examples' as a universal MUST is too strong for genuinely
+  single-purpose CLIs (e.g., `cat`, `true`, a one-shot wrapper) where one canonical invocation is the entire surface.
+  The '2–3' count baked into a MUST will draw HN fire as cargo-culted." Deferred: softening to "at least one example,
+  and 2–3 when the tool has multiple primary use cases" is a MUST-content change that drifts the frontmatter summary.
+  Bundled with other MUST-content softenings for a v0.4.0 PR.
+- **[later]** *Prior art.* "Principle is clap-flavored throughout (`after_help`, `about`/`long_about`, `///` doc
+  comments in Anti-Patterns) without a single sentence acknowledging the non-Rust analog (docopt usage block, `argparse`
+  epilog, `cobra` Example field, `gh`/`kubectl` Examples convention). HN will call this 'a clap style guide, not a CLI
+  standard.'" Deferred: a cross-framework analog appendix is a meaningful addition. The Definition / Why-Agents-Need-It
+  sections are framework-agnostic; the Evidence section is intentionally clap-keyed. Worth revisiting in v0.4.0 once the
+  standard's multi-language reach is clearer; site copy may also be a better home than the principle file itself.
diff --git a/src/data/spec/principles/p4-fail-fast-actionable-errors.md b/src/data/spec/principles/p4-fail-fast-actionable-errors.md
new file mode 100644
index 0000000..8e91deb
--- /dev/null
+++ b/src/data/spec/principles/p4-fail-fast-actionable-errors.md
@@ -0,0 +1,141 @@
+---
+id: p4
+title: Fail Fast with Actionable Errors
+last-revised: 2026-04-22
+status: active
+requirements:
+  - id: p4-must-try-parse
+    level: must
+    applicability: universal
+    summary: Parse arguments with `try_parse()` instead of `parse()` so `--output json` can emit JSON parse errors.
+  - id: p4-must-exit-code-mapping
+    level: must
+    applicability: universal
+    summary: Error types map to distinct exit codes (0, 1, 2, 77, 78).
+  - id: p4-must-actionable-errors
+    level: must
+    applicability: universal
+    summary: Every error message contains what failed, why, and what to do next.
+  - id: p4-should-structured-enum
+    level: should
+    applicability: universal
+    summary: Error types use a structured enum (via `thiserror` in Rust) with variant-to-kind mapping for JSON serialization.
+  - id: p4-should-gating-before-network
+    level: should
+    applicability:
+      if: CLI makes network calls
+    summary: Config and auth validation happen before any network call, failing at the earliest possible point.
+  - id: p4-should-json-error-output
+    level: should
+    applicability: universal
+    summary: "Error output respects `--output json`: JSON-formatted errors go to stderr when JSON output is selected."
+---
+
+# P4: Fail Fast with Actionable Errors
+
+## Definition
+
+CLI tools MUST detect invalid state early, exit with a structured error, and tell the caller three things: what failed,
+why, and what to do next. An error that says "operation failed" gives an agent nothing to act on.
+
+## Why Agents Need It
+
+Agents operate in a retry loop: attempt, observe, decide. When an error is vague or unstructured — a bare stack trace, a
+one-word failure, a mixed-channel splurge — the agent cannot tell whether to retry, re-authenticate, fix configuration,
+or escalate to the user. Distinct exit codes with actionable messages let the agent act correctly on the first read. The
+difference between exit code 77 (re-authenticate) and exit code 78 (fix config) determines whether the agent retries
+OAuth or asks the user to check their config file. Getting that wrong wastes entire conversation turns.
+
+## Requirements
+
+**MUST:**
+
+- Parse arguments with `try_parse()` instead of `parse()`. Clap's `parse()` calls `process::exit()` directly, bypassing
+  custom error handlers — which means `--output json` cannot emit JSON parse errors. `try_parse()` returns a `Result`
+  the tool can format:
+
+  ```rust
+  let cli = Cli::try_parse()?;
+  ```
+
+- Error types map to distinct exit codes. Use 77 when the CLI has an auth surface and 78 when it has a config surface;
+  0/1/2 are universal:
+
+| Code | Meaning                 |
+| ---: | ----------------------- |
+|    0 | Success                 |
+|    1 | General command error   |
+|    2 | Usage / argument error  |
+|   77 | Auth / permission error |
+|   78 | Configuration error     |
+
+  These codes blend the bash 0/1/2 convention with BSD `sysexits.h` 77/78 (`EX_NOPERM`, `EX_CONFIG`); the result is the
+  de-facto agent-facing dialect, not strict `sysexits.h` compliance.
+
+- Every error message contains **what failed**, **why**, and **what to do next**. Example:
+
+  ```text
+  Authentication failed: token expired (expires_at: 2026-03-25T00:00:00Z).
+  Run `tool auth refresh` or set TOOL_TOKEN.
+  ```
+
+**SHOULD:**
+
+- Error types use a structured enum (via `thiserror` in Rust) with variant-to-kind mapping for JSON serialization.
+  Agents match on error kinds programmatically rather than parsing message text.
+- Config and auth validation happen before any network call, failing at the earliest possible point. The structural
+  three-tier definition (meta-commands, local-only commands, network commands) lives in P6 (`p6-should-tier-gating`);
+  this requirement specifies the network-call ordering consequence.
+- Error output respects `--output json`: JSON-formatted errors go to stderr when JSON output is selected.
+
+## Evidence
+
+- `Cli::try_parse()` in `main()`, not `Cli::parse()`.
+- Error enum with `#[derive(Error)]` and distinct variants for config, auth, and command errors.
+- `exit_code()` method on the error type returning variant-specific codes.
+- `kind()` method returning a machine-readable string for JSON serialization.
+- `run()` function returning `Result<(), AppError>`, not calling `process::exit()` internally.
+- Error messages containing remediation steps ("run X" or "set Y") alongside the cause.
+
+## Anti-Patterns
+
+- `Cli::parse()` anywhere in the codebase — it silently prevents JSON error output.
+- `process::exit()` in library code or command handlers. Only `main()` may call it, after all error handling.
+- A single catch-all error variant that maps everything to exit code 1.
+- Error messages that state the symptom without the cause or fix ("Error: request failed").
+- Panics (`unwrap()`, `expect()`) on recoverable errors in production code paths.
+
+Measured by check IDs `p4-bad-args`, `p4-process-exit`, `p4-unwrap`, `p4-exit-codes`. Run `agentnative check --principle
+4 .` against your CLI to see each.
+
+## Pressure test notes
+
+### 2026-04-27 — Show HN launch red-team pass
+
+Adversarial review via `compound-engineering:ce-adversarial-document-reviewer` ahead of the v0.3.0 launch. Findings
+recorded verbatim per `principles/AGENTS.md` § "Pressure-test protocol".
+
+- **[edit]** *Internal inconsistency.* "Three-tier gating is labeled identically as a SHOULD in both P4
+  (`p4-should-gating-before-network`) and P6 (`p6-should-tier-gating`) — same pattern, two homes, no cross-reference.
+  Readers can't tell which is canonical, and a CLI that satisfies one auto-satisfies the other." Resolved: P4's bullet
+  now focuses on the network-call ordering consequence and points to P6 as the canonical home of the structural
+  three-tier definition. Frontmatter summary tightened to match. Requirement ID is unchanged so CLI registry pinning is
+  unaffected.
+- **[edit]** *Must-vs-should.* "`p4-must-exit-code-mapping` is `applicability: universal` and the prose says 'At
+  minimum' 0/1/2/77/78 — but a CLI with no auth surface and no config file legitimately has nothing to assign to either
+  77 or 78, and the MUST forces empty-by-construction error variants. Same shape as P6, which correctly gates
+  `p6-must-timeout-network` behind `if: CLI makes network calls`." Resolved: prose now reads "Use 77 when the CLI has an
+  auth surface and 78 when it has a config surface; 0/1/2 are universal." Frontmatter summary stays universal because
+  the *mapping discipline* is universal even if the specific 77/78 codes are conditional. The summary-prose drift is a
+  known launch-week tradeoff; full alignment of the summary text is on the v0.4.0 punch list.
+
+- **[edit]** *Prior art.* "77/78 align with BSD `sysexits.h` (`EX_NOPERM`, `EX_CONFIG`) — the alignment is a strength
+  but neither P2 nor P4 cites BSD sysexits, leaving an HN commenter to 'discover' it as a gotcha." Resolved: added a
+  one-liner under the P4 exit-code table acknowledging the `sysexits.h` alignment. Same sentence added to P2's exit-code
+  table for consistency.
+- **[later]** *Must-vs-should.* "`p4-must-try-parse` names a clap-specific Rust API in a `applicability: universal`
+  MUST. A Go/Python/Node CLI has no `try_parse()`. The underlying requirement — 'argument-parse failures route through
+  the same error/output formatter as runtime errors, not a library-internal `process::exit()`' — is universal; the API
+  name is not." Deferred: language-neutralizing the bullet ("Argument parsing returns a structured error rather than
+  calling `process::exit()` internally; in Rust+clap, this means `try_parse()` not `parse()`") drifts the frontmatter
+  summary. Bundled with P6's SIGPIPE and `global = true` rewrites for a coordinated v0.4.0 language-neutralization PR.
diff --git a/src/data/spec/principles/p5-safe-retries-mutation-boundaries.md b/src/data/spec/principles/p5-safe-retries-mutation-boundaries.md
new file mode 100644
index 0000000..882769b
--- /dev/null
+++ b/src/data/spec/principles/p5-safe-retries-mutation-boundaries.md
@@ -0,0 +1,118 @@
+---
+id: p5
+title: Safe Retries and Explicit Mutation Boundaries
+last-revised: 2026-04-22
+status: active
+requirements:
+  - id: p5-must-force-yes
+    level: must
+    applicability:
+      if: CLI has destructive operations
+    summary: Destructive operations (delete, overwrite, bulk modify) require an explicit `--force` or `--yes` flag.
+  - id: p5-must-read-write-distinction
+    level: must
+    applicability:
+      if: CLI has both read and write operations
+    summary: The distinction between read and write commands is clear from the command name and help text alone.
+  - id: p5-must-dry-run
+    level: must
+    applicability:
+      if: CLI has write operations
+    summary: A `--dry-run` flag is present on every write command; dry-run output respects `--output json`.
+  - id: p5-should-idempotency
+    level: should
+    applicability:
+      if: CLI has write operations
+    summary: Write operations are idempotent where the domain allows it — running the same command twice produces the same result.
+---
+
+# P5: Safe Retries and Explicit Mutation Boundaries
+
+## Definition
+
+Every CLI with write operations MUST support `--dry-run` so agents can preview a mutation before committing it. Commands
+MUST make the read-vs-write distinction visible from name and `--help` alone, and destructive writes MUST require
+explicit confirmation. An agent that cannot distinguish a safe read from a dangerous write will either avoid the tool or
+execute mutations blindly — both are failure modes.
+
+## Why Agents Need It
+
+Agent harnesses commonly retry failed operations. If a write operation is not idempotent, a retry creates duplicates,
+corrupts data, or trips rate limits. When destructive operations require explicit confirmation (`--force`, `--yes`) and
+support preview (`--dry-run`), an agent can safely explore what a command would do before committing to it. Read-only
+tools are inherently safe for retries, but they still benefit from help text that names the mutation contract — "this
+does not modify state" is a better sentence to put in `--help` than to assume.
+
+## Requirements
+
+**MUST:**
+
+- Destructive operations (delete, overwrite, bulk modify) require an explicit `--force` or `--yes` flag. Without it, the
+  tool refuses the operation or enters dry-run mode — never mutates silently.
+- The distinction between read and write commands is clear from the command name and help text alone. An agent reading
+  `--help` immediately knows whether a command mutates state.
+- A `--dry-run` flag is present on every write command. When set, the command validates inputs and reports what it would
+  do without executing. Dry-run output respects `--output json` so agents can parse the preview programmatically.
+
+**SHOULD:**
+
+- Write operations are idempotent where the domain allows it — running the same command twice produces the same result
+  rather than doubling the effect.
+
+## Evidence
+
+- `--dry-run` flag on commands that create, update, or delete resources.
+- `--force` or `--yes` flag on destructive commands.
+- Command names that signal intent: `add`, `remove`, `delete`, `create` for writes; `list`, `show`, `get`, `search` for
+  reads.
+- Dry-run output that shows what *would* change without executing.
+
+## Anti-Patterns
+
+- A `delete` command that executes immediately without `--force` or confirmation.
+- Write commands sharing a name pattern with read commands (e.g., a `sync` that silently overwrites local state).
+- No `--dry-run` option on bulk operations, where a preview prevents costly mistakes.
+- Operations that fail on retry because the first attempt partially succeeded — non-idempotent writes without rollback.
+
+Measured by check IDs `p5-dry-run`, `p5-destructive-guard`. Run `agentnative check --principle 5 .` against your CLI to
+see each.
+
+## Pressure test notes
+
+### 2026-04-27 — Show HN launch red-team pass
+
+Adversarial review via `compound-engineering:ce-adversarial-document-reviewer` ahead of the v0.3.0 launch. Findings
+recorded verbatim per `principles/AGENTS.md` § "Pressure-test protocol".
+
+- **[edit]** *Internal inconsistency.* "Definition opens 'Every CLI MUST support `--dry-run`' as universal, but
+  `p5-must-dry-run` is gated on 'CLI has write operations' — read-only CLIs would falsely fail this prose claim."
+  Resolved: Definition sentence 1 narrowed to "Every CLI with write operations MUST support `--dry-run`..." Read-only
+  CLIs are no longer falsely accused by the prose.
+- **[edit]** *Internal inconsistency.* "Definition's 'Write operations MUST clearly separate destructive actions from
+  read-only queries' garbles the read/write MUST. The actual requirement is read-vs-write distinction; 'destructive vs
+  read-only' is a different axis (writes can be non-destructive, e.g., `create`)." Resolved: Definition sentence 2
+  rewritten to "Commands MUST make the read-vs-write distinction visible from name and `--help` alone, and destructive
+  writes MUST require explicit confirmation." The two axes are now stated separately.
+- **[later]** *Internal inconsistency.* "`--force`/`--yes` MUST + P1 `--no-interactive` MUST should compose (agent path
+  is `--force --no-interactive`); composition isn't called out, leaving the 'without it, the tool refuses or enters
+  dry-run' clause ambiguous when stdin is non-TTY." Deferred: tightening the MUST to specify error-vs-dry-run behavior
+  under `--no-interactive` modifies the bullet's contract semantics. Bundled with other MUST-content cleanups for a
+  v0.4.0 PR.
+- **[later]** *Must-vs-should.* "`read-write-distinction` MUST hinges on 'clear from command name and help text alone' —
+  subjective and unverifiable by `anc`. The `sync` anti-pattern proves the bar is taste, not a checkable property."
+  Deferred: rewriting to a verifiable form ("Help text for every write command MUST contain an explicit mutation
+  statement; command names SHOULD signal intent") creates a new SHOULD-shape claim, which is a `requirements[]` change.
+  Coupled-release fires firmly. Defer to v0.4.0 with explicit registry-coordination plan.
+- **[later]** *Prior art.* "Principle prescribes flag *names* (`--dry-run`, `--force`, `--yes`) without naming the
+  contract behind them. kubectl `--dry-run=server|client`, Terraform `plan`/`apply`, apt `--simulate`, rsync `-n` all
+  satisfy the contract under different surfaces." Deferred: worth revisiting whether to add a
+  'name-or-contract-equivalent' clause that names the contract first and treats canonical flag spelling as one
+  realization. Hold for v0.4.0 alongside the verifiability rewrite above.
+- **[wontfix]** *Must-vs-should.* "'Why Agents Need It' leans on retry-safety, then idempotency lands as SHOULD. If
+  retries are the framing, idempotency-where-domain-allows is the load-bearing property; `--dry-run` is mitigation, not
+  cure." Rationale: domain-gated idempotency genuinely cannot be a universal MUST (some domains forbid it: append-only
+  logs, payment capture). The current SHOULD is correct; the prose framing in "Why Agents Need It" is fine because it
+  explains *why* idempotency matters when it is available, not that it is universally required.
+- **[edit]** *Vague agent-native.* "'Agents retry failed operations by default' — true for Claude Code/Cursor/Aider tool
+  loops; not universally true for one-shot harnesses or human-in-the-loop agents." Resolved: "Why Agents Need It" hedged
+  to "Agent harnesses commonly retry failed operations." Same operational point; more accurate across harness shapes.
diff --git a/src/data/spec/principles/p6-composable-predictable-command-structure.md b/src/data/spec/principles/p6-composable-predictable-command-structure.md
new file mode 100644
index 0000000..0448d8e
--- /dev/null
+++ b/src/data/spec/principles/p6-composable-predictable-command-structure.md
@@ -0,0 +1,161 @@
+---
+id: p6
+title: Composable and Predictable Command Structure
+last-revised: 2026-04-22
+status: active
+requirements:
+  - id: p6-must-sigpipe
+    level: must
+    applicability: universal
+    summary: SIGPIPE is handled so piping to `head`/`tail` does not crash the process (Rust example below; Python/Go/Node have language-specific equivalents).
+  - id: p6-must-no-color
+    level: must
+    applicability: universal
+    summary: TTY detection plus support for `NO_COLOR` and `TERM=dumb` — color codes suppressed when stdout/stderr is not a terminal.
+  - id: p6-must-completions
+    level: must
+    applicability: universal
+    summary: Shell completions available via a `completions` subcommand (Tier 1 meta-command — needs no config/auth/network).
+  - id: p6-must-timeout-network
+    level: must
+    applicability:
+      if: CLI makes network calls
+    summary: Network CLIs ship a `--timeout` flag with a sensible default (e.g., 30 seconds).
+  - id: p6-must-no-pager
+    level: must
+    applicability:
+      if: CLI invokes a pager for output
+    summary: If the CLI uses a pager (`less`, `more`, `$PAGER`), it supports `--no-pager` or respects `PAGER=""`.
+  - id: p6-must-global-flags
+    level: must
+    applicability:
+      if: CLI uses subcommands
+    summary: Agentic flags (`--output`, `--quiet`, `--no-interactive`, `--timeout`) propagate to every subcommand (e.g., `global = true` in clap).
+  - id: p6-should-stdin-input
+    level: should
+    applicability:
+      if: CLI has commands that accept input data
+    summary: Commands that accept input read from stdin when no file argument is provided.
+  - id: p6-should-consistent-naming
+    level: should
+    applicability:
+      if: CLI uses subcommands
+    summary: Subcommand naming follows a consistent `noun verb` or `verb noun` convention throughout the tool.
+  - id: p6-should-tier-gating
+    level: should
+    applicability: universal
+    summary: "Three-tier dependency gating: Tier 1 (meta) needs nothing, Tier 2 (local) needs config, Tier 3 (network) needs config + auth."
+  - id: p6-should-subcommand-operations
+    level: should
+    applicability:
+      if: CLI performs multiple distinct operations
+    summary: Operations are modeled as subcommands, not flags (`tool search "q"`, not `tool --search "q"`).
+  - id: p6-may-color-flag
+    level: may
+    applicability: universal
+    summary: "`--color auto|always|never` flag for explicit color control beyond TTY auto-detection."
+---
+
+# P6: Composable and Predictable Command Structure
+
+## Definition
+
+CLI tools MUST integrate cleanly with pipes, scripts, and other tools. That means handling SIGPIPE, detecting TTY for
+color and formatting decisions, supporting stdin for piped input, and maintaining a consistent, predictable subcommand
+structure.
+
+## Why Agents Need It
+
+Agents compose CLI tools into pipelines:
+
+```bash
+tool list --output json | jaq '.[] | .id' | xargs tool get
+```
+
+Every link in that chain has to behave predictably. A tool that panics on SIGPIPE when piped to `head` breaks the
+pipeline. A tool that emits ANSI color codes into a pipe pollutes downstream JSON parsing. A tool with inconsistent
+subcommand naming forces the agent to memorize exceptions rather than apply patterns. Composability is what makes a CLI
+tool a building block rather than a dead end.
+
+## Requirements
+
+**MUST:**
+
+- SIGPIPE is handled so that piping to `head`, `tail`, or any tool that closes the pipe early does not crash the
+  process. In Rust, restore the default SIGPIPE handler as the first executable statement in `main()`:
+
+  ```rust
+  unsafe { libc::signal(libc::SIGPIPE, libc::SIG_DFL); }
+  ```
+
+  Equivalents in other languages: Python — restore the default `SIGPIPE` handler at startup
+  (`signal.signal(signal.SIGPIPE, signal.SIG_DFL)`); Go — the runtime's default handling already exits cleanly on
+  EPIPE writes; Node.js — handle `EPIPE` on `process.stdout`.
+
+- TTY detection, plus support for `NO_COLOR` and `TERM=dumb`. When stdout or stderr is not a terminal, color codes are
+  suppressed automatically.
+- Shell completions available via a `completions` subcommand (clap_complete in Rust; equivalents elsewhere). This is a
+  Tier 1 meta-command — it works without config, auth, or network.
+- Network CLIs ship a `--timeout` flag with a sensible default (30 seconds). Agents operating under their own time
+  budgets need to fail fast rather than block on a slow upstream.
+- If the CLI uses a pager (`less`, `more`, `$PAGER`), it supports `--no-pager` or respects `PAGER=""`. Pagers block
+  headless execution indefinitely.
+- When the CLI uses subcommands, agentic flags (`--output`, `--quiet`, `--no-interactive`, `--timeout`) propagate to
+  every subcommand automatically (e.g., `global = true` in clap).
+
+**SHOULD:**
+
+- Commands that accept input read from stdin when no file argument is provided. Pipeline composition depends on it.
+- Subcommand naming follows a consistent `noun verb` or `verb noun` convention throughout the tool. Mixing patterns
+  (e.g., `list-users` alongside `user show`) forces agents to learn exceptions.
+- A three-tier dependency gating pattern: Tier 1 (meta-commands like `completions`, `version`) needs nothing; Tier 2
+  (local commands) needs config; Tier 3 (network commands) needs config + auth. `completions` and `version` always work,
+  even in broken environments.
+- Operations are modeled as subcommands, not flags. `tool search "query"` is correct; `tool --search "query"` is wrong.
+  Flags modify behavior (`--quiet`, `--output json`); subcommands select operations.
+
+**MAY:**
+
+- A `--color auto|always|never` flag for explicit color control beyond TTY auto-detection.
+
+## Evidence
+
+- `libc::signal(libc::SIGPIPE, libc::SIG_DFL)` (or the equivalent in the target language) as the first statement of
+  `main()`.
+- `IsTerminal` trait usage (`std::io::IsTerminal` or the `is-terminal` crate).
+- `NO_COLOR` and `TERM=dumb` checks.
+- `clap_complete` in `Cargo.toml`.
+- A `completions` subcommand in the CLI enum.
+- Tiered match arms in `main()` separating meta-commands from config-dependent commands.
+
+## Anti-Patterns
+
+- Missing SIGPIPE handler — `cargo run -- list | head` panics with "broken pipe".
+- Hard-coded ANSI escape codes without TTY detection.
+- Color output in JSON mode — ANSI codes inside JSON string values break downstream parsing.
+- A `completions` command that requires auth or config to run.
+- No stdin support on commands where piped input is a natural use case.
+
+Measured by check IDs `p6-sigpipe`, `p6-no-color`, `p6-completions`, `p6-timeout`, `p6-agents-md`. Run `agentnative
+check --principle 6 .` against your CLI to see each.
+
+## Pressure test notes
+
+### 2026-04-27 — Show HN launch red-team pass
+
+Adversarial review via `compound-engineering:ce-adversarial-document-reviewer` ahead of the v0.3.0 launch. Findings
+recorded verbatim per `principles/AGENTS.md` § "Pressure-test protocol".
+
+- **[edit]** *Prior art / vague agent-native.* "The SIGPIPE MUST prescribes `unsafe { libc::signal(libc::SIGPIPE,
+  libc::SIG_DFL); }` as the first `main()` statement — that is a Rust-specific remedy. Python raises `BrokenPipeError`
+  by default (different fix), Go's runtime already exits cleanly on EPIPE writes (no fix needed), Node.js needs
+  `process.stdout.on('error')`. The MUST as written is correct in spirit but the prescription leaks Rust into a
+  universal-applicability rule." Resolved: prose bullet now leads with the language-neutral MUST ("SIGPIPE is handled so
+  that piping to `head`, `tail`, or any tool that closes the pipe early does not crash the process"); the Rust snippet
+  stays as the canonical example; per-language one-liners cover Python, Go, and Node. Frontmatter summary updated to
+  match.
+- **[edit]** *Must-vs-should.* "The `global = true` MUST is a clap-API artifact — the behavioral requirement is 'agentic
+  flags propagate to every subcommand,' which is what the prose actually says. The frontmatter summary baking `global =
+  true` into a universal contract overfits to one library." Resolved: frontmatter summary and prose bullet now lead with
+  the behavioral requirement ("propagate to every subcommand"), with `global = true` cited as the clap-specific example.
+  Behavior unchanged; language-neutrality restored.
diff --git a/src/data/spec/principles/p7-bounded-high-signal-responses.md b/src/data/spec/principles/p7-bounded-high-signal-responses.md
new file mode 100644
index 0000000..a77da84
--- /dev/null
+++ b/src/data/spec/principles/p7-bounded-high-signal-responses.md
@@ -0,0 +1,133 @@
+---
+id: p7
+title: Bounded, High-Signal Responses
+last-revised: 2026-04-22
+status: active
+requirements:
+  - id: p7-must-quiet
+    level: must
+    applicability: universal
+    summary: A `--quiet` flag suppresses non-essential output; only requested data and errors appear.
+  - id: p7-must-list-clamping
+    level: must
+    applicability:
+      if: CLI has list-style commands
+    summary: "List operations clamp to a sensible default maximum; when truncated, indicate it (`\"truncated\": true` in JSON, stderr note in text)."
+  - id: p7-should-verbose
+    level: should
+    applicability: universal
+    summary: A `--verbose` flag (or `-v` / `-vv`) escalates diagnostic detail when agents need to debug failures.
+  - id: p7-should-limit
+    level: should
+    applicability:
+      if: CLI has list-style commands
+    summary: A `--limit` or `--max-results` flag lets callers request exactly the number of items they want.
+  - id: p7-should-timeout
+    level: should
+    applicability: universal
+    summary: A `--timeout` flag bounds execution time so agents are not blocked indefinitely.
+  - id: p7-may-cursor-pagination
+    level: may
+    applicability:
+      if: CLI returns paginated results
+    summary: Cursor-based pagination flags (`--after`, `--before`) for efficient traversal of large result sets.
+  - id: p7-may-auto-verbosity
+    level: may
+    applicability: universal
+    summary: Automatic verbosity reduction in non-TTY contexts (same behavior `--quiet` explicitly requests).
+---
+
+# P7: Bounded, High-Signal Responses
+
+## Definition
+
+CLI tools MUST provide mechanisms to control output volume. Agent context windows are finite and expensive — a tool that
+dumps 10,000 lines of unfiltered output wastes tokens and may exceed the context limit entirely, breaking the
+conversation that invoked it.
+
+## Why Agents Need It
+
+Unbounded CLI output is expensive for any agent — token cost and context-window capacity for LLM agents, parse cost and
+memory pressure for scripts, schedulers, and other automation. Either way, the agent ends up truncating (losing
+potentially important data) or consuming the full response (wasting cycles on noise). Bounded output with `--quiet`,
+`--verbose`, and `--limit` flags gives the agent precise control over how much data arrives, keeping responses
+high-signal and inside budget.
+
+## Requirements
+
+**MUST:**
+
+- A `--quiet` flag suppresses non-essential output: progress indicators, informational messages, decorative formatting.
+  When `--quiet` is set, only requested data and errors appear. Implementations typically route diagnostics through a
+  macro that short-circuits when quiet is on:
+
+  ```rust
+  macro_rules! diag {
+      ($cfg:expr, $($arg:tt)*) => {
+          if !$cfg.quiet { eprintln!($($arg)*); }
+      }
+  }
+  ```
+
+- List operations clamp to a sensible default maximum. A `list` without `--limit` does not return more than a
+  configurable ceiling (e.g., 100 items). If more items exist, the output indicates truncation — `"truncated": true` in
+  JSON, a stderr note in text mode.
+
+**SHOULD:**
+
+- A `--verbose` flag (or `-v` / `-vv`) escalates diagnostic detail when agents need to debug failures.
+- A `--limit` or `--max-results` flag lets callers request exactly the number of items they want.
+- A `--timeout` flag bounds execution time. An agent waiting indefinitely on a hung network call cannot proceed.
+
+**MAY:**
+
+- Cursor-based pagination flags (`--after`, `--before`) for efficient traversal of large result sets.
+- Automatic verbosity reduction in non-TTY contexts (the same behavior `--quiet` explicitly requests).
+
+## Evidence
+
+- `--quiet` flag with a falsey-value parser and env-var binding.
+- A diagnostic macro (or equivalent gate) that short-circuits when `quiet` is true.
+- `--limit` or `--max-results` on every list / search command.
+- Pagination clamping logic (e.g., `min(requested, MAX_RESULTS)`).
+- `--timeout` flag with a sensible default.
+- `--verbose` flag for diagnostic escalation.
+- A `suppress_diag()` method that returns true when quiet is set or when the output format is JSON / JSONL.
+
+## Anti-Patterns
+
+- List commands that return all results with no default limit — an agent listing 50,000 items floods its context window.
+- No `--quiet` flag — agents consuming JSON output still receive interleaved diagnostic text on stderr.
+- `--verbose` as the only output control. If there is no way to reduce output, bounded responses do not exist.
+- Progress bars or spinners that write to stderr in non-TTY contexts, adding noise to agent logs.
+- No `--timeout` on network operations. A stalled request blocks the agent indefinitely.
+
+Measured by check IDs `p7-quiet`, `p7-limit`, `p7-timeout`. Run `agentnative check --principle 7 .` against your CLI to
+see each.
+
+## Pressure test notes
+
+### 2026-04-27 — Show HN launch red-team pass
+
+Adversarial review via `compound-engineering:ce-adversarial-document-reviewer` ahead of the v0.3.0 launch. Findings
+recorded verbatim per `principles/AGENTS.md` § "Pressure-test protocol".
+
+- **[later]** *Internal inconsistency.* "`--timeout` is universal SHOULD in P7 but conditional MUST in P6
+  (`p6-must-timeout-network`). For network CLIs the two compose (MUST wins), but P7's prose ('An agent waiting
+  indefinitely on a hung network call cannot proceed') only motivates the network case — the universal scope is
+  unjustified by its own rationale." Deferred: narrowing P7's `applicability` from `universal` to non-network
+  long-running operations only — or to `if: CLI has long-running operations` — fires the coupled-release norm (CLI
+  registry parses `applicability`). Bundled with other applicability cleanups for a v0.4.0 PR with explicit registry
+  coordination.
+- **[later]** *Must-vs-should.* "The list-clamping MUST fires on every CLI with 'list-style commands' regardless of
+  natural cardinality. A tool whose list operation returns a bounded small set by construction (e.g., `anc principles
+  list` → exactly 7) gains nothing from a clamp + `\"truncated\": true` contract — the clamp is unreachable and the
+  truncation flag is dead schema." Deferred: narrowing the `if:` clause from "CLI has list-style commands" to "CLI has
+  list-style commands whose result set is unbounded or user-data-driven" changes the registry-parsed applicability
+  value. Bundled with the P3 / P7 applicability cleanups for v0.4.0.
+- **[edit]** *Vague agent-native.* "'Every token of CLI output an agent consumes has a cost' plus 'context window'
+  framing dates the principle to current LLM-agent assumptions. Non-LLM agents (scripts, schedulers, future
+  architectures) still benefit from bounded output, but for throughput/parsing reasons, not tokens." Resolved: "Why
+  Agents Need It" generalized to acknowledge both costs ("token cost and context-window capacity for LLM agents, parse
+  cost and memory pressure for scripts, schedulers, and other automation"). Keeps the LLM example without making it the
+  sole rationale.
diff --git a/tests/build.test.ts b/tests/build.test.ts
index b0035d0..e725a7a 100644
--- a/tests/build.test.ts
+++ b/tests/build.test.ts
@@ -22,7 +22,7 @@ import {
 } from '../src/build/scorecards-render.mjs';
 import { emitShell } from '../src/build/shell.mjs';
 import { loadSkillData } from '../src/build/skill.mjs';
-import { escHtml, parseFilename, SPEC_VERSION, sortedGlob } from '../src/build/util.mjs';
+import { escHtml, parseFilename, SITE_SPEC_VERSION, SPEC_VERSION, sortedGlob } from '../src/build/util.mjs';
 
 describe('sortedGlob', () => {
   test('sorts principles by numeric prefix, not lexicographic', async () => {
@@ -308,6 +308,19 @@ describe('emitShell — OG image alt text', () => {
     expect(twMatch).not.toBeNull();
     expect(ogMatch![1]).toBe(twMatch![1]);
   });
+
+  test('footer renders v${SITE_SPEC_VERSION} from content/principles/VERSION (not a hardcoded literal)', () => {
+    // Regression guard against the v0.1.0 footer drift that shipped with
+    // anc.dev v0.1 — the footer must always read SITE_SPEC_VERSION from
+    // content/principles/VERSION (the version the site's PROSE has been
+    // reconciled to), never the vendored snapshot version (which can be
+    // ahead during the manual reconciliation window) and never a hardcoded
+    // literal.
+    const html = shell();
+    expect(html).toContain(`<span>v${SITE_SPEC_VERSION}</span>`);
+    // Negative assertion: the prior stub literal must never come back.
+    expect(html).not.toContain('<span>v0.1.0</span>');
+  });
 });
 
 // -------------------------------------------------------------------
diff --git a/tests/regression.test.ts b/tests/regression.test.ts
index bf37e6a..bd2c8fb 100644
--- a/tests/regression.test.ts
+++ b/tests/regression.test.ts
@@ -298,11 +298,21 @@ describe('regression #6 — /install (CLI install page) — HTML+MD only, no JSO
   test('inline brew/cargo copy lives only in content/install.md (no source-tree duplicates)', async () => {
     // Build-time guard for the dedup goal of Unit 2. Render-stage HTML
     // duplicates would re-grow if a future edit re-inlines the commands.
+    // Vendored spec content (src/data/spec/) is excluded — it's a verbatim
+    // mirror of agentnative-spec, may legitimately mention install commands
+    // in CHANGELOG entries, and is not a duplicate this test is guarding
+    // against.
     const repoRoot = join(import.meta.dir, '..');
     const { execFileSync } = await import('node:child_process');
     const matches = execFileSync(
       'grep',
-      ['-rlE', 'brew install brettdavies/tap/agentnative|cargo install agentnative', 'src/', 'content/'],
+      [
+        '-rlE',
+        '--exclude-dir=spec',
+        'brew install brettdavies/tap/agentnative|cargo install agentnative',
+        'src/',
+        'content/',
+      ],
       { cwd: repoRoot, encoding: 'utf8' },
     )
       .trim()

From d0ab223e238eb38af4bc9d884ab267b19b57a8be Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Fri, 1 May 2026 02:05:33 -0500
Subject: [PATCH 3/9] fix(scorecards): tag /score/<tool>.md repro fence as bash
 (#65)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

The "Reproduce locally" code block in each per-tool scorecard's markdown
twin (`/score/<tool>.md`) was emitted with a
bare ` ``` ` fence, so markdown renderers treated the command as plain
text. Tag the fence ` ```bash ` so Shiki
(build-time) + GitHub + hosted previews fetched over the `.md`
content-negotiation channel all syntax-highlight the
shell command.

The HTML twin (rendered via the CommonMark pipeline) was already styled
through the badge-callout block above; this
aligns the `.md` twin with the same visual signal on the channels that
consume the markdown directly.

## Changelog

### Fixed

- Per-tool scorecard markdown (`/score/<tool>.md`) now tags the
"Reproduce locally" code block as `bash` so
renderers syntax-highlight the `anc check --command <tool>` invocation
instead of rendering it as plain text.

## Type of Change

- [ ] `feat`: New feature (non-breaking change which adds functionality)
- [x] `fix`: Bug fix (non-breaking change which fixes an issue)
- [ ] `refactor`: Code refactoring (no functional changes)
- [ ] `perf`: Performance improvement
- [ ] `docs`: Documentation update
- [ ] `test`: Adding or updating tests
- [ ] `chore`: Maintenance tasks (dependencies, config, etc.)
- [ ] `ci`: CI/CD configuration changes
- [ ] `style`: Code style/formatting changes
- [ ] `build`: Build system changes
- [ ] `BREAKING CHANGE`: Breaking API change (requires major version
bump)

## Related Issues/Stories

- Story: cosmetic markdown-rendering bug spotted on the live
`/score/<tool>.md` channel.
- Issue: n/a
- Architecture: n/a (one-line emitter change).
- Related PRs: #64 (the spec-vendoring + version-model PR that just
landed; unrelated except both touch
  scorecard-rendering pipeline).

## Testing

- [x] Unit tests added/updated
- [ ] Integration tests added/updated
- [x] Manual testing completed
- [x] All tests passing

**Test Summary:**

- Unit/regression tests: 206 passing / 0 fail / 569 expect calls (was
568; new assertion in
`tests/build.test.ts` confirms the ` ```bash ` fence wraps the
synthesized invocation).
- Lint: Biome (37 files clean) + markdownlint (19 files clean).
- Build: 111 HTML pages, 111 MD pages, 7 extras, 97 scorecards, 96 badge
SVGs, 0 orphans (unchanged).
- Manual: spot-checked `dist/score/anc.md` — fence now reads ` ```bash
`.

## Files Modified

**Modified:**

- `src/build/scorecards-render.mjs` — one-character change: ` ``` ` → `
```bash ` on the "Reproduce locally" fence.
- `tests/build.test.ts` — new regression assertion preventing silent
removal of the `bash` tag.

**Created:**

- None.

**Renamed:**

- None.

**Deleted:**

- None.

## Key Features

- Cosmetic markdown channel parity with the HTML render. No code-path or
runtime change.

## Breaking Changes

- [x] No breaking changes
- [ ] Breaking changes described below:

## Deployment Notes

- [x] No special deployment steps required
- [ ] Deployment steps documented below:

Standard pipeline: squash-merge to `dev` → `deploy.yml` publishes to
staging Worker
(`agentnative-site-staging.*.workers.dev`). Promotion to `anc.dev`
follows the standard `release/*` flow per
RELEASES.md.

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible
---
 src/build/scorecards-render.mjs | 2 +-
 tests/build.test.ts             | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/build/scorecards-render.mjs b/src/build/scorecards-render.mjs
index 3d46dda..2b46af2 100644
--- a/src/build/scorecards-render.mjs
+++ b/src/build/scorecards-render.mjs
@@ -715,7 +715,7 @@ export function buildScorecardMarkdown(tool, scorecard, _topIssues, principleSco
   }
   lines.push('## Reproduce locally');
   lines.push('');
-  lines.push('```');
+  lines.push('```bash');
   lines.push(reproMd);
   lines.push('```');
   lines.push('');
diff --git a/tests/build.test.ts b/tests/build.test.ts
index e725a7a..b719779 100644
--- a/tests/build.test.ts
+++ b/tests/build.test.ts
@@ -2085,6 +2085,10 @@ describe('buildScorecardMarkdown — v0.4 metadata mirrors HTML', () => {
     );
     expect(md).toContain('## Reproduce locally');
     expect(md).toContain('anc check --command rg --output json');
+    // The repro fence is tagged `bash` so renderers (Shiki, GitHub markdown,
+    // hosted previews) syntax-highlight the command instead of treating it
+    // as plain text.
+    expect(md).toContain('```bash\nanc check --command rg --output json\n```');
   });
 
   test('project-mode invocation falls back to the synthesized form (no path leak)', () => {

From 0cf7653a9f199584f8b45f2cf85bc5d595aebd69 Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Fri, 1 May 2026 03:15:02 -0500
Subject: [PATCH 4/9] fix(scorecards): brew-install anc + drop commit-SHA link
 from render (#66)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Per-tool scorecard pages have been linking `anc.commit` to a commit URL
on `agentnative-cli` that points at whatever
branch the operator's local CLI checkout was on at compose-build time —
not at a release commit. This PR closes the
gap on both ends:

1. The scoring docker image installs `anc` via `brew install
brettdavies/tap/agentnative` (parity with every other
tool already brewed). No more `cargo build` from the operator's local
checkout, no more operator-state coupling,
   no more wrong-SHA risk by construction.
2. The per-tool scorecard pages render `anc.version` only — the
abbreviated commit link is gone. Today's wrong-SHA
links disappear immediately; any future build-time drift never surfaces
to a viewer.

The 96 existing scorecards are not regenerated as part of this PR —
their stale `anc.commit` values stay in the JSON,
ignored at render time. The `anc.commit` field itself stays in the
schema; its removal is deferred to a future
scorecard schema revision.

## Changelog

### Fixed

- Per-tool scorecard pages no longer link to an incorrect commit SHA on
the agentnative-cli repo.

### Changed

- `anc` is now brew-installed inside the scoring docker image (replaces
a local `cargo build` path).

## Type of Change

- [x] `fix`: Bug fix (non-breaking change which fixes an issue)

## Related Issues/Stories

- Story: n/a
- Issue: n/a
- Architecture:
\`docs/plans/2026-05-01-001-fix-brew-anc-strip-sha-render-plan.md\`
(committed to dev directly per the planning-doc exception)
- Related PRs: \`chore/remove-skill-sha-pinning\` — sibling cleanup,
same theme of removing dead SHA-pin ceremony

## Testing

- [x] Unit tests added/updated
- [x] All tests passing

**Test Summary:**

- 204/204 unit + regression tests pass (consolidated three
commit-related render tests into one)
- \`bun run build\` clean
- Visual verification: \`dist/score/anc.html\` renders \`<dt>Anc
build</dt><dd>0.2.0</dd>\` (was \`0.2.0 <a class=\"anc-build__commit\"
href=\"…/commit/06a307c\"><code>06a307c</code></a>\`)
- Audit: \`grep -c 'agentnative-cli/commit' dist/score/*.{html,md}\`
returns zero across all 97 scorecard pages

## Files Modified

**Modified:**

- \`docker/score/Dockerfile\` — replace \`COPY\` of staged \`anc\`
binary with \`brew install brettdavies/tap/agentnative\`
- \`docker/score/build.sh\` — drop \`cargo build\` preamble +
\`ANC_CLI_ROOT\` plumbing; collapses to image build + optional \`--run\`
- \`docker/score/README.md\` — update layout, prereqs, layer order,
update workflow to reflect the brew-install path
- \`src/build/scorecards-render.mjs\` — \`renderAncBuildHtml\` and
\`renderAncBuildMarkdown\` collapse to version-only;
\`ANC_COMMIT_SHA_RE\`, \`ANC_REPO_URL\`, and the allowlist comment block
removed
- \`tests/build.test.ts\` — three commit-related render tests
consolidate into one (\`Anc build renders version-only regardless of
commit field shape\`); markdown-twin assertion drops the linked-commit
form
- \`content/scorecard-schema.md\` — \`anc.commit\` field row notes the
field is captured but no longer surfaced

**Created:** None.

**Renamed:** None.

**Deleted:** None.

## Key Features

n/a — bug fix + docker simplification, no new features.

## Benefits

- **Correctness**: scorecards no longer link to incorrect commits.
- **Operator state decoupling**: docker image always uses a published
release, regardless of the operator's local CLI checkout state.
- **Schema-render coherence**: schema doc accurately describes what's
rendered today.
- **Dead-ceremony reduction**: the SHA-allowlist regex, the GitHub URL
constant, and the XSS-defense test for the URL-construction path all go
away alongside the path itself.

## Breaking Changes

- [x] No breaking changes

The \`anc.commit\` JSON-schema field stays for back-compat. Existing
scorecards are not regenerated.

## Deployment Notes

- [x] No special deployment steps required

The next time \`bash docker/score/build.sh --run\` is invoked,
scorecards will emit \`anc.commit: null\` (brewed binary
has no \`.git/\` checkout, so \`build.rs\` hits the
\`released-from-tarball case\`). This is expected and matches the
schema-doc note added in this PR.

## Screenshots/Recordings

n/a — text-only render change. The visible diff:

Before: \`**Anc build:** 0.2.0
([06a307c](https://github.com/brettdavies/agentnative-cli/commit/06a307c))\`

After: \`**Anc build:** 0.2.0\`

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible

## Additional Context

The plan for this work lives at
\`docs/plans/2026-05-01-001-fix-brew-anc-strip-sha-render-plan.md\`
(committed
directly to \`dev\` per the planning-doc exception in \`RELEASES.md\`).
---
 content/scorecard-schema.md     | 46 ++++++++++++++++-----------------
 docker/score/Dockerfile         | 17 ++++++------
 docker/score/README.md          | 16 ++++++------
 docker/score/build.sh           | 39 ++++++----------------------
 src/build/scorecards-render.mjs | 29 ++++-----------------
 tests/build.test.ts             | 37 +++++++++++++-------------
 6 files changed, 71 insertions(+), 113 deletions(-)

diff --git a/content/scorecard-schema.md b/content/scorecard-schema.md
index 41c7e90..7c1295b 100644
--- a/content/scorecard-schema.md
+++ b/content/scorecard-schema.md
@@ -67,10 +67,10 @@ registry.
 }
 ```
 
-| Field     | Type           | Meaning                                                                                                                                                                                                                          |
-| --------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `name`    | string         | The literal `--command` argv passed to anc. For tools where the registry name differs from the binary (e.g., registry `ripgrep` → binary `rg`), this is the binary, not the registry slug. The filename slug owns the registry-name side of the join. |
-| `binary`  | string         | Executable name resolved from `$PATH` at scoring time. Usually equals `tool.name` for command-mode runs.                                                                                                                         |
+| Field     | Type           | Meaning                                                                                                                                                                                                                                                                                                                                                            |
+| --------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `name`    | string         | The literal `--command` argv passed to anc. For tools where the registry name differs from the binary (e.g., registry `ripgrep` → binary `rg`), this is the binary, not the registry slug. The filename slug owns the registry-name side of the join.                                                                                                              |
+| `binary`  | string         | Executable name resolved from `$PATH` at scoring time. Usually equals `tool.name` for command-mode runs.                                                                                                                                                                                                                                                           |
 | `version` | string \| null | Best-effort version string. The CLI dumps the first line of `<binary> --version` here without further parsing — it may carry the marketing string ("eza - A modern, maintained replacement for ls"), the full multi-line block, or `null` when the binary doesn't print anything parseable. **The filename's `<version>` is canonical**; this field is a courtesy. |
 
 **Build-time invariant:** when `tool.version` contains a SemVer-shaped token (`X.Y` or `X.Y.Z`), it must equal the
@@ -88,13 +88,13 @@ Provenance for the scorecard: which `anc` build produced it.
 }
 ```
 
-| Field     | Type           | Meaning                                                                                                                                                                                                                                |
-| --------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `version` | string         | Self-reported version of the `anc` binary that ran the score. Read from `Cargo.toml` at build time.                                                                                                                                    |
-| `commit` | string \| null | Abbreviated git SHA (7-40 hex chars) captured by `build.rs` from the working tree at compile time. `null` for `cargo install`-style builds outside a git checkout. The site links the abbreviation to the upstream commit when present. |
+| Field     | Type           | Meaning                                                                                                                                                                                                                                                                                             |
+| --------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `version` | string         | Self-reported version of the `anc` binary that ran the score. Read from `Cargo.toml` at build time.                                                                                                                                                                                                 |
+| `commit`  | string \| null | Abbreviated git SHA (7-40 hex chars) captured by `build.rs` from the working tree at compile time. `null` for `cargo install`-style and brew-bottle builds outside a git checkout. Captured but no longer surfaced on the rendered scorecard page; planned for removal in a future schema revision. |
 
-The per-tool page renders `anc.version` plus an abbreviated commit link when the SHA passes the hex allowlist; non-SHA
-strings fall through to a plain version with no link (security gate before URL interpolation).
+The per-tool page renders `anc.version` only. The `commit` field stays in the JSON for back-compat; its removal is
+deferred to a future schema revision.
 
 ## `run`
 
@@ -109,13 +109,13 @@ Run-context: the literal invocation, when it ran, how long it took, and what pla
 }
 ```
 
-| Field             | Type    | Meaning                                                                                                                                                                                       |
-| ----------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `invocation`      | string  | The verbatim argv that produced this scorecard, joined with single spaces. The per-tool "Reproduce locally" CTA renders this directly for command-mode runs.                                  |
-| `started_at`      | string  | RFC 3339 timestamp of when the run started. UTC. Validated as parseable by `Date` at build time.                                                                                              |
-| `duration_ms`     | integer | Wall-clock duration of the entire scoring run in milliseconds.                                                                                                                                |
-| `platform.os`     | string  | OS the binary ran on (`linux`, `darwin`, `windows`).                                                                                                                                          |
-| `platform.arch`   | string  | CPU architecture the binary ran on (`x86_64`, `aarch64`, …).                                                                                                                                  |
+| Field           | Type    | Meaning                                                                                                                                                      |
+| --------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `invocation`    | string  | The verbatim argv that produced this scorecard, joined with single spaces. The per-tool "Reproduce locally" CTA renders this directly for command-mode runs. |
+| `started_at`    | string  | RFC 3339 timestamp of when the run started. UTC. Validated as parseable by `Date` at build time.                                                             |
+| `duration_ms`   | integer | Wall-clock duration of the entire scoring run in milliseconds.                                                                                               |
+| `platform.os`   | string  | OS the binary ran on (`linux`, `darwin`, `windows`).                                                                                                         |
+| `platform.arch` | string  | CPU architecture the binary ran on (`x86_64`, `aarch64`, …).                                                                                                 |
 
 **Security note — `run.invocation`:** for command-mode runs the invocation is the canonical `anc check --command <name>
 [--audit-profile <X>] [--output json]` shape, which is safe to embed publicly. For project-mode runs (`target.kind:
@@ -135,11 +135,11 @@ What the run was scoring: a command, a binary on disk, or a project tree.
 }
 ```
 
-| Field     | Type           | Meaning                                                                                                                                                                                                                                            |
-| --------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Field     | Type           | Meaning                                                                                                                                                                                                                                                    |
+| --------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `kind`    | string         | One of `command`, `binary`, or `project`. Drives whether the per-tool page's reproduce CTA renders `run.invocation` verbatim (`command`) or falls back to the synthesized form (others). Future schema-version source-layer scorecards will use `project`. |
-| `path`    | string \| null | Filesystem path when `kind` is `project` or `binary`; `null` for `command`-mode runs.                                                                                                                                                              |
-| `command` | string \| null | The `--command` argv string when `kind` is `command`; `null` otherwise. For command-mode runs this equals `tool.name`.                                                                                                                             |
+| `path`    | string \| null | Filesystem path when `kind` is `project` or `binary`; `null` for `command`-mode runs.                                                                                                                                                                      |
+| `command` | string \| null | The `--command` argv string when `kind` is `command`; `null` otherwise. For command-mode runs this equals `tool.name`.                                                                                                                                     |
 
 **Security note — `target.path`:** when `kind` is `project`, this can carry a local directory path (`/home/me/dev/foo`).
 It is not currently rendered on any per-tool page (every leaderboard entry today is command-mode), but downstream
@@ -236,8 +236,8 @@ Array of one object per check the runner attempted. Order is stable across runs
 
 ## What is *not* in the scorecard (yet)
 
-The site is transparent about gaps that future schema bumps may fill. Schema 0.4 closed the
-tool-identity / generated-at gap (see `tool`, `anc`, `run`, `target` above). Still outstanding today:
+The site is transparent about gaps that future schema bumps may fill. Schema 0.4 closed the tool-identity / generated-at
+gap (see `tool`, `anc`, `run`, `target` above). Still outstanding today:
 
 - **Per-check timing** — `run.duration_ms` is the wall-clock total for the run, not per-check. Individual check timings
   are observable from the runner's stdout but not captured in the JSON.
diff --git a/docker/score/Dockerfile b/docker/score/Dockerfile
index ed5bbec..7d14db2 100644
--- a/docker/score/Dockerfile
+++ b/docker/score/Dockerfile
@@ -91,14 +91,15 @@ RUN --mount=type=cache,target=/home/runner/.cache/Homebrew,uid=1000,gid=1000 \
 RUN --mount=type=cache,target=/home/runner/.cache/Homebrew,uid=1000,gid=1000 \
     brew install yq jaq
 
-# ---- The anc binary (glibc, built from CLI dev RC) -------------------------
-# Staged into the build context by docker/score/build.sh (which runs
-# `cargo build --release` in ~/dev/agentnative-cli first, then copies the
-# binary to docker/score/anc). The build context is the repo root, so the
-# file path is docker/score/anc.
-COPY --chown=runner:runner docker/score/anc /home/runner/.local/bin/anc
-RUN chmod +x /home/runner/.local/bin/anc \
-    && /home/runner/.local/bin/anc --version
+# ---- The anc binary (glibc, brew-installed from the published tap) ---------
+# Same install path users get on macOS / Linux. The fully-qualified
+# brettdavies/tap/agentnative spec auto-taps the formula (mirrors the
+# oven-sh/bun/bun pattern above). The brewed binary lives in
+# /home/linuxbrew/.linuxbrew/bin and resolves to a release tag's bottle —
+# no local cargo build, no operator-state coupling, no wrong-SHA risk.
+RUN --mount=type=cache,target=/home/runner/.cache/Homebrew,uid=1000,gid=1000 \
+    brew install brettdavies/tap/agentnative \
+    && anc --version
 # uv tool install drops binaries in ~/.local/bin; bun add -g drops them in
 # ~/.bun/bin; cargo-binstall in ~/.cargo/bin. All three need to be on PATH so
 # the post-install `command -v <binary>` check (in install-tools.sh) and the
diff --git a/docker/score/README.md b/docker/score/README.md
index eb1c9ea..35837f4 100644
--- a/docker/score/README.md
+++ b/docker/score/README.md
@@ -7,12 +7,11 @@ Pre-bakes every tool from `registry.yaml`, then runs `anc check` against each to
 
 ```text
 docker/score/
-├── Dockerfile          # Debian-slim + Linuxbrew + uv + bun + cargo-binstall
+├── Dockerfile          # Debian-slim + Linuxbrew + uv + bun + cargo-binstall + anc
 ├── compose.yml         # Bind-mounts + NVIDIA GPU passthrough
-├── build.sh            # Wrapper: build anc, build image, optionally run
+├── build.sh            # Wrapper: build image, optionally run
 ├── install-tools.sh    # First-stage: install every registry tool
 ├── score-anc100.sh     # Second-stage: iterate registry, write scorecards
-├── anc                 # (gitignored) staged anc binary, written by build.sh
 ├── out/                # (gitignored) per-run logs from inside the container
 ├── setup-host.sh       # One-time: install Docker Engine + nvidia-container-toolkit
 └── README.md           # this file
@@ -22,11 +21,12 @@ docker/score/
 
 - **Docker Engine + Compose v2.** Engine only — NOT Docker Desktop. Install via `bash docker/score/setup-host.sh`
   (Ubuntu) or follow Docker's apt-repo instructions for your distro.
-- **A `~/dev/agentnative-cli/` checkout** with `cargo` available. Override path with `ANC_CLI_ROOT=…`.
 - **For `nvidia-smi` scoring:** NVIDIA driver + `nvidia-container-toolkit` configured against the Docker daemon. The
   setup-host.sh script handles this if a host GPU is detected. Without it, `nvidia-smi` falls back to `install-missing`
   and the other 99 tools still score.
 
+`anc` is brew-installed inside the image from `brettdavies/tap/agentnative` — no local CLI checkout required.
+
 ## One-time host setup
 
 ```bash
@@ -63,8 +63,7 @@ Layer order:
 3. Linuxbrew (the heaviest single layer; cached aggressively).
 4. Other package managers: `uv`, `bun`, `cargo-binstall` — all installed via brew so they're prebuilt + cached.
 5. Tooling for the runner: `yq`, `jaq`.
-6. The `anc` binary, copied in from the build context (built by `build.sh` from
-   `~/dev/agentnative-cli/target/release/anc`).
+6. The `anc` binary, brew-installed from `brettdavies/tap/agentnative` (same install path users get on macOS / Linux).
 7. `install-tools.sh` runs once at image build time, reading the build-time registry baked at `/build/registry.yaml` and
    installing every entry. Failures are logged to `/build/install-log.txt` but do NOT abort the build — tools that fail
    to install simply end up missing from PATH and the runner records them as `install-missing`.
@@ -104,8 +103,9 @@ This image is intentionally a strict subset of the v2 sandbox image. The v2 path
 
 ## Update workflow
 
-1. **CLI changed (new release):** rerun `bash docker/score/build.sh --run`. The `anc` binary gets rebuilt; the install
-   layer is cached; only scoring runs again. Faster than a full image rebuild.
+1. **CLI changed (new release):** rerun `bash docker/score/build.sh --run`. The `anc` brew layer is invalidated when the
+   formula's pinned version moves; brew pulls the new bottle and only scoring runs again. Faster than a full image
+   rebuild.
 2. **Registry changed (added/removed/edited a tool):** rerun the same command. The install layer is invalidated for the
    affected tool; brew re-resolves; scoring re-runs.
 3. **Tool released a new version:** the runner's version-extract logic pulls the actually-installed version at score
diff --git a/docker/score/build.sh b/docker/score/build.sh
index c23d532..5777814 100755
--- a/docker/score/build.sh
+++ b/docker/score/build.sh
@@ -1,15 +1,13 @@
 #!/usr/bin/env bash
 # Build the anc-scorer image and (optionally) run it.
 #
+# `anc` is brew-installed inside the image from brettdavies/tap/agentnative
+# (see Dockerfile §"The anc binary"). No local cargo build, no operator-state
+# coupling — the image always uses a published release.
+#
 # Steps:
-#   1. Build the `anc` binary from the local agentnative-cli dev checkout.
-#      We use the dev RC because no further substantive changes to scoring
-#      logic are expected before v0.2.0 — only the spec re-vendor (content)
-#      and release ceremony.
-#   2. Copy the built binary into docker/score/ so the Dockerfile build
-#      context can pick it up.
-#   3. Build the docker image.
-#   4. (Optional, with --run) Run the scorer with bind-mounts to write
+#   1. Build the docker image via compose.
+#   2. (Optional, with --run) Run the scorer with bind-mounts to write
 #      scorecards back to the host.
 #
 # Usage (from repo root):
@@ -19,35 +17,14 @@
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
-CLI_ROOT="${ANC_CLI_ROOT:-$HOME/dev/agentnative-cli}"
 
 cd "$REPO_ROOT"
 
-if [[ ! -d "$CLI_ROOT" ]]; then
-  echo "error: agentnative-cli checkout not found at $CLI_ROOT" >&2
-  echo "       set ANC_CLI_ROOT to override" >&2
-  exit 1
-fi
-
-# 1. Build the anc binary from CLI dev (release profile, glibc target).
-echo "==> Building anc from $CLI_ROOT (release)..."
-( cd "$CLI_ROOT" && cargo build --release )
-ANC_BIN="$CLI_ROOT/target/release/anc"
-if [[ ! -x "$ANC_BIN" ]]; then
-  echo "error: expected $ANC_BIN to exist after cargo build" >&2
-  exit 1
-fi
-echo "    built: $ANC_BIN ($("$ANC_BIN" --version))"
-
-# 2. Stage the binary into the build context.
-cp "$ANC_BIN" "$REPO_ROOT/docker/score/anc"
-chmod +x "$REPO_ROOT/docker/score/anc"
-
-# 3. Build the image via compose.
+# 1. Build the image via compose.
 echo "==> Building anc-scorer image..."
 docker compose -f docker/score/compose.yml build
 
-# 4. Optionally run.
+# 2. Optionally run.
 if [[ "${1:-}" == "--run" ]]; then
   echo "==> Running anc-scorer..."
   mkdir -p docker/score/out
diff --git a/src/build/scorecards-render.mjs b/src/build/scorecards-render.mjs
index 2b46af2..9bb7684 100644
--- a/src/build/scorecards-render.mjs
+++ b/src/build/scorecards-render.mjs
@@ -28,14 +28,6 @@ function groupToPrincipleNum(group) {
 // out downstream site renderers as pinned consumers of this exact string.
 const AUDIT_PROFILE_SUPPRESSION_PREFIX = 'suppressed by audit_profile: ';
 
-// SHA-shape allowlist for `anc.commit`. CLI v0.4 emits a 7-char abbreviation
-// from build.rs; the long-form 40-char SHA is also acceptable. The regex is
-// the security gate before interpolating into a GitHub commit URL — anything
-// outside the hex alphabet falls through to a plain version string with no
-// link, regardless of how the CLI emitted the field.
-const ANC_COMMIT_SHA_RE = /^[0-9a-f]{7,40}$/;
-const ANC_REPO_URL = 'https://github.com/brettdavies/agentnative-cli';
-
 // Format `run.duration_ms` as a human-readable interval. Granularity matches
 // what's useful at a glance: sub-second runs in ms, multi-second runs in
 // tenths, multi-minute runs in `Xm Ys`.
@@ -58,28 +50,17 @@ function formatStartedAt(rfc3339) {
   return `${d.toISOString().replace('T', ' ').slice(0, 19)} UTC`;
 }
 
-// Build an HTML fragment for the `Anc build` detail row: version + abbreviated
-// commit link when the SHA passes the allowlist, version-only otherwise.
+// Build an HTML fragment for the `Anc build` detail row: version-only.
+// The `anc.commit` field is captured by the CLI's build.rs but no longer
+// surfaced here — see content/scorecard-schema.md.
 function renderAncBuildHtml(anc) {
   if (!anc || typeof anc.version !== 'string') return null;
-  const versionHtml = escHtml(anc.version);
-  if (typeof anc.commit === 'string' && ANC_COMMIT_SHA_RE.test(anc.commit)) {
-    const abbrev = anc.commit.slice(0, 7);
-    // escHtml on the SHA defensively even after the regex check — same posture
-    // as the existing escHtml-everywhere convention in this module.
-    return `${versionHtml} <a class="anc-build__commit" href="${ANC_REPO_URL}/commit/${escHtml(anc.commit)}"><code>${escHtml(abbrev)}</code></a>`;
-  }
-  return versionHtml;
+  return escHtml(anc.version);
 }
 
-// Markdown twin of renderAncBuildHtml. No escHtml needed (markdown is the
-// authoring layer); the SHA regex is still the security gate.
+// Markdown twin of renderAncBuildHtml.
 function renderAncBuildMarkdown(anc) {
   if (!anc || typeof anc.version !== 'string') return null;
-  if (typeof anc.commit === 'string' && ANC_COMMIT_SHA_RE.test(anc.commit)) {
-    const abbrev = anc.commit.slice(0, 7);
-    return `${anc.version} ([${abbrev}](${ANC_REPO_URL}/commit/${anc.commit}))`;
-  }
   return anc.version;
 }
 
diff --git a/tests/build.test.ts b/tests/build.test.ts
index b719779..9626746 100644
--- a/tests/build.test.ts
+++ b/tests/build.test.ts
@@ -1948,14 +1948,16 @@ describe('buildScorecardBody — v0.4 metadata rendering', () => {
     expect(longRun).toContain('<dt>Duration</dt><dd>2m 25s</dd>');
   });
 
-  test('Anc build links the commit when SHA is hex-shaped (7-40 chars)', () => {
-    const html = buildScorecardBody(tool('rg'), sc(), [], { met: 7, total: 7, details: [] }, '15.1.0', v04Meta());
-    expect(html).toContain('href="https://github.com/brettdavies/agentnative-cli/commit/fff3f13"');
-    expect(html).toContain('<code>fff3f13</code>');
-  });
-
-  test('Anc build skips the commit link when commit is null', () => {
-    const html = buildScorecardBody(
+  test('Anc build renders version-only regardless of commit field shape', () => {
+    // The commit field is captured in the JSON schema but no longer surfaced
+    // on the rendered scorecard. Render is version-only across hex, null,
+    // and malicious-string inputs alike — the field is never interpolated
+    // into HTML, so there is no URL-construction surface to gate.
+    const hex = buildScorecardBody(tool('rg'), sc(), [], { met: 7, total: 7, details: [] }, '15.1.0', v04Meta());
+    expect(hex).toContain('<dt>Anc build</dt><dd>0.1.0</dd>');
+    expect(hex).not.toContain('agentnative-cli/commit/');
+
+    const nullCommit = buildScorecardBody(
       tool('rg'),
       sc(),
       [],
@@ -1963,13 +1965,10 @@ describe('buildScorecardBody — v0.4 metadata rendering', () => {
       '15.1.0',
       v04Meta({ anc: { version: '0.1.0', commit: null } }),
     );
-    expect(html).toContain('<dt>Anc build</dt><dd>0.1.0</dd>');
-    expect(html).not.toContain('agentnative-cli/commit/');
-  });
+    expect(nullCommit).toContain('<dt>Anc build</dt><dd>0.1.0</dd>');
+    expect(nullCommit).not.toContain('agentnative-cli/commit/');
 
-  test('Anc build skips the commit link when SHA fails the hex allowlist (security)', () => {
-    // Defense against an upstream CLI bug that ever puts non-SHA bytes into anc.commit.
-    const html = buildScorecardBody(
+    const malicious = buildScorecardBody(
       tool('rg'),
       sc(),
       [],
@@ -1977,8 +1976,9 @@ describe('buildScorecardBody — v0.4 metadata rendering', () => {
       '15.1.0',
       v04Meta({ anc: { version: '0.1.0', commit: '<script>alert(1)</script>' } }),
     );
-    expect(html).not.toContain('agentnative-cli/commit/');
-    expect(html).not.toContain('<script>');
+    expect(malicious).toContain('<dt>Anc build</dt><dd>0.1.0</dd>');
+    expect(malicious).not.toContain('agentnative-cli/commit/');
+    expect(malicious).not.toContain('<script>');
   });
 
   test('reproduce CTA renders run.invocation verbatim for command-mode runs', () => {
@@ -2177,9 +2177,8 @@ describe('buildScorecardMarkdown — v0.4 metadata mirrors HTML', () => {
     expect(md).toContain('**Duration:** 53ms');
     expect(md).toContain('**Platform:** `linux/x86_64`');
     expect(md).toContain('**Mode:** command');
-    expect(md).toContain(
-      '**Anc build:** 0.1.0 ([fff3f13](https://github.com/brettdavies/agentnative-cli/commit/fff3f13))',
-    );
+    expect(md).toContain('**Anc build:** 0.1.0');
+    expect(md).not.toContain('agentnative-cli/commit/');
   });
 });
 

From 16344a11d9436cf96dc02ad0ecb3365468138af5 Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Fri, 1 May 2026 03:16:36 -0500
Subject: [PATCH 5/9] chore(skill): drop deprecated SHA-pin enforcement surface
 (#67)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Removes the dead SHA-pin enforcement surface for the `agent-native-cli`
skill. The pin was deprecated upstream in
[`agentnative-skill` PR
#11](https://github.com/brettdavies/agentnative-skill/pull/11)
(2026-04-29) when update
detection moved to the skill bundle's `bin/check-update` (compares the
local bundle's `VERSION` against `main` on
GitHub). The site repo carried the full enforcement surface — manifest
fields, build validation, schema docs,
release runbook, tests, e2e probe, prose — as dead ceremony that
surfaced on every skill release as a SHA bump that
no longer carried a contract.

Audit assertion: across shipping content (excluding `docs/plans/`,
`docs/brainstorms/`, `docs/reviews/`,
`docs/solutions/`, `CHANGELOG.md`), zero matches remain for
`source.commit`, `verify.expected`, `COMMIT_RE`,
`47a76cce…`, `re-pin`, `pinned commit`, `pinned at commit`, or `commit
pin`. The four surviving SHA references in
shipping content are unrelated domains (scorecard `anc.commit`
rendering, font supply chain, CLI registry version
parsing) and intentionally untouched.

## Changelog

### Removed

- Skill SHA-pin fields (`source.commit`, `verify` block) and their
build-time enforcement.

### Changed

- Skill-release procedure no longer requires a manifest re-pin; updates
are detected by the skill bundle's
  `bin/check-update` against `main` on GitHub.

## Type of Change

- [x] `chore`: Maintenance tasks (dependencies, config, etc.)

## Related Issues/Stories

- Story: n/a
- Issue: n/a
- Architecture: agentnative-skill PR #11 (the upstream deprecation that
this site-side PR completes)
- Related PRs: #66 (\`fix/scorecard-anc-render\` — sibling cleanup, same
theme of removing dead SHA-pin ceremony)

## Testing

- [x] Unit tests added/updated
- [x] All tests passing

**Test Summary:**

- 203/203 unit + regression tests pass (4 SHA-pin-specific assertions
deleted; no new failures)
- \`bun run build\` clean
- E2E \`skill\` Playwright project structurally untouched — the two
pin-freshness checks (HEAD == \`source.commit\`,
remote-HEAD == \`source.commit\`) are dropped; the
install-clone-lands-\`SKILL.md\` check stays

## Files Modified

**Modified:**

- \`src/data/skill.json\` — \`source.commit\` and \`verify\` object
removed
- \`src/build/skill.mjs\` — \`COMMIT_RE\`, verify validation,
\`REQUIRED_VERIFY\` list, "pinned at commit" prose, \`## Verify\`
markdown section all removed
- \`docs/DESIGN.md\` §3.9 — schema-table rows for \`source.commit\` and
\`verify.*\` removed; build-validation prose, source-repo-coupling
paragraph, release runbook bullet updated
- \`RELEASES.md\` §"Skill releases" — re-pin step rewritten as
conditional manifest bump
- \`scripts/SYNCS.md\` — re-pin language scrubbed from the skill-release
flow + reference list
- \`tests/build.test.ts\` — non-hex / uppercase-hex commit rejection
tests + \`source.commit\` / \`verify\` fixture fields removed
- \`tests/regression.test.ts\` — \`source.commit\` / \`verify.expected\`
invariants removed; required-keys list updated
- \`tests/e2e/skill.e2e.ts\` — pin-freshness checks dropped (HEAD ==
\`source.commit\` and remote-HEAD == \`source.commit\`)

**Created:** None.

**Renamed:** None.

**Deleted:** None.

## Key Features

n/a — pure removal of dead enforcement surface.

## Benefits

- **Dead-ceremony reduction**: skill releases no longer think about a
SHA bump that doesn't carry a contract.
- **Schema-render coherence**: \`/skill.json\`'s shape now matches the
documented update model (\`bin/check-update\` against \`main\`).
- **Release-runbook simplification**: \`RELEASES.md\` skill-release
procedure becomes a conditional manifest bump rather than a mandatory
re-pin step.

## Breaking Changes

- [x] No breaking changes (consumer-side)

\`agentnative-cli\`'s \`src/skill_install/skill.json\` fixture pulls
\`src/data/skill.json\` from this repo. The shape
change here will surface in CLI's \`skill-fixture-drift\` workflow on
its next PR — coordinated CLI-side update should
land in lockstep.

## Deployment Notes

- [x] No special deployment steps required

After deploy, \`https://anc.dev/skill.json\` will lose \`source.commit\`
and the \`verify\` object. The
\`schema_version: 1\` field stays — agents reading the JSON should
already tolerate field removal within v1 since
the schema doc described \`verify.expected\` as advisory only.

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible (consumer-side; cross-repo
coordination noted above)

## Additional Context

This PR ships in parallel with #66 (\`fix/scorecard-anc-render\`) —
sibling cleanup of skill-shaped SHA-pin ceremony
that lived in the scorecard render. The two branches were cut
independently to keep concerns tight; either can
land first.
---
 RELEASES.md              | 28 +++++++++---------
 docs/DESIGN.md           | 61 +++++++++++++++++++---------------------
 scripts/SYNCS.md         | 23 ++++++++-------
 src/build/skill.mjs      | 34 +++-------------------
 src/data/skill.json      |  8 +-----
 tests/build.test.ts      | 22 ++-------------
 tests/e2e/skill.e2e.ts   | 27 ++++--------------
 tests/regression.test.ts | 14 ++-------
 8 files changed, 72 insertions(+), 145 deletions(-)

diff --git a/RELEASES.md b/RELEASES.md
index bf93993..4b42b84 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -210,12 +210,13 @@ Committing the JSON alongside the code means ruleset changes land via the same r
 
 `/skill.json` and `/skill` advertise the `agent-native-cli` skill, hosted at
 [`brettdavies/agentnative-skill`](https://github.com/brettdavies/agentnative-skill). This site vendors the skill's
-upstream commit SHA in `src/data/skill.json`; the skill repo holds the actual content. Surface contract in
-`docs/DESIGN.md` §3.9.
+manifest (per-host install commands, version, surface metadata) in `src/data/skill.json`; the skill repo holds the
+actual content. Surface contract in `docs/DESIGN.md` §3.9. Update detection at install sites is delegated to the skill
+bundle's `bin/check-update`, which compares the local bundle's `VERSION` against `main` on GitHub.
 
 The skill repo's branch model: `main` is the published-release pointer (default branch); `dev` is the integration
-branch. The bare `git clone --depth 1` in each install command lands on `main` — so each release REQUIRES the skill
-maintainer to fast-forward `main` to the new tag before the site re-pins.
+branch. The bare `git clone --depth 1` in each install command lands on `main` — so each release requires the skill
+maintainer to fast-forward `main` to the new tag.
 
 ### Skill-release procedure
 
@@ -223,17 +224,18 @@ maintainer to fast-forward `main` to the new tag before the site re-pins.
    `git push origin dev --follow-tags`. Fast-forward `main` to the new tag and push: `git checkout main && git merge
    --ff-only v0.x.y && git push origin main`. The site's bare `git clone --depth 1` lands on `main`, so the fast-forward
    is what makes the new release reachable.
-2. **Re-pin in this repo**: edit `src/data/skill.json` — bump `version`, `source.commit`, and `verify.expected`
-   (`source.commit` and `verify.expected` are the same SHA until v2 schema decouples them). `loadSkillData()` will
-   reject a non-hex / non-lowercase / non-40-char SHA at build time, so a typo fails fast.
+2. **Bump the manifest in this repo (only when user-facing fields changed)**: edit `src/data/skill.json` to bump
+   `version` and update any per-host install commands, description, or other surface fields the release modified. If
+   nothing user-facing changed, skip the manifest bump entirely — the skill bundle's `bin/check-update` is what tells
+   installed users a new release exists.
 3. **PR to `dev`**: CI runs the unit + worker tests on the bumped manifest. Squash-merge on green.
 4. **Release `dev` → `main`** via the standard `release/*` flow above. Site deploys to `anc.dev`.
-5. **Cache-purge** `/skill`, `/skill.json`, and `/skill.md` via the Cloudflare cache-purge API. Required for
-   security-relevant pin updates so users don't pick up the old SHA from the 24h `s-maxage` window. Use the API token
-   stored in 1Password (`secrets-dev` vault, `Cloudflare API Token - Wrangler (bigdaddy)`). First-deploy-after-rename
-   note (cutover from `/install*` → `/skill*`): also purge `/install`, `/install.json`, and `/install.md` once to evict
-   any cached skill content under the old paths. Skip this on subsequent deploys.
-6. **Verify the deployed pin**: `curl -s https://anc.dev/skill.json | jq -r .source.commit` matches the new SHA. The
+5. **Cache-purge** `/skill`, `/skill.json`, and `/skill.md` via the Cloudflare cache-purge API after a manifest bump, so
+   users don't pick up the old shape from the 24h `s-maxage` window. Use the API token stored in 1Password
+   (`secrets-dev` vault, `Cloudflare API Token - Wrangler (bigdaddy)`). First-deploy-after-rename note (cutover from
+   `/install*` → `/skill*`): also purge `/install`, `/install.json`, and `/install.md` once to evict any cached skill
+   content under the old paths. Skip this on subsequent deploys.
+6. **Verify the deployed manifest**: `curl -s https://anc.dev/skill.json | jq -r .version` matches the new version. The
    Playwright `skill` project (`bun x playwright test --project=skill`) re-runs the live 4-host clone against the
    advertised hosts; run it locally before tagging if anything in the manifest's host commands changed.
 
diff --git a/docs/DESIGN.md b/docs/DESIGN.md
index 71b5d18..d0739d9 100644
--- a/docs/DESIGN.md
+++ b/docs/DESIGN.md
@@ -463,41 +463,37 @@ for the single advertised skill (`agent-native-cli`); per-skill `/skill/<name>`
 second skill ships, `/skill` becomes an index and per-skill content moves under `/skill/<name>` — the Worker's
 JSON-extension dispatch is already shape-agnostic, so no Worker code change is anticipated for that transition.
 
-**Source repo coupling.** This site vendors a single string — the upstream commit SHA — committed at site build time
-into `src/data/skill.json`. No fetch-on-build, no submodule, no `marketplace.json` machinery. Per
+**Source repo coupling.** This site vendors the skill manifest's per-host install commands and metadata at site build
+time into `src/data/skill.json`. No fetch-on-build, no submodule, no `marketplace.json` machinery. Per
 `docs/solutions/architecture-patterns/cross-repo-artifact-sync-commit-over-fetch-20260420.md`. The skill repo
 (`brettdavies/agentnative-skill`) holds `main` as the published-release pointer and `dev` as the integration branch; the
 install command's bare `git clone --depth 1` lands on the skill repo's default branch (`main`), which the skill
-maintainer fast-forwards to each new release tag.
+maintainer fast-forwards to each new release tag. Update detection is delegated to the skill bundle's
+`bin/check-update`, which compares the local bundle's `VERSION` against `main` on GitHub.
 
 **`/skill.json` shape (v1):**
 
-| Key                | Type                       | Notes                                                                                               |
-| ------------------ | -------------------------- | --------------------------------------------------------------------------------------------------- |
-| `schema_version`   | integer                    | `1`. Bump on incompatible structural change.                                                        |
-| `type`             | string                     | `"agent-skill"`.                                                                                    |
-| `name`             | string                     | `"agent-native-cli"`. Slug, kebab-case.                                                             |
-| `version`          | string                     | Semver. Bumped per skill release.                                                                   |
-| `description`      | string                     | One sentence.                                                                                       |
-| `principles_url`   | string                     | `https://anc.dev/p1`.                                                                               |
-| `license`          | string                     | `"MIT"`.                                                                                            |
-| `source.type`      | string                     | `"git"`.                                                                                            |
-| `source.url`       | string                     | `https://github.com/brettdavies/agentnative-skill.git`.                                             |
-| `source.commit`    | string (40-char lower hex) | The pinned commit. Validated at build time.                                                         |
-| `install`          | object                     | Per-host map: `claude_code`, `codex`, `cursor`, `opencode` → `git clone --depth 1 …` command.       |
-| `verify.command`   | string                     | `git -C <install-dir> rev-parse HEAD`. Agent substitutes `<install-dir>`.                           |
-| `verify.expected`  | string                     | Same SHA as `source.commit` until v2 schema decouples them. Mismatch = upstream moved past the pin. |
-| `verify.semantics` | string                     | Free-form description of what mismatch means.                                                       |
-| `update`           | string                     | `cd <install-dir> && git pull --ff-only`.                                                           |
-| `uninstall`        | string                     | `rm -rf <install-dir>`.                                                                             |
-| `skill_page_html`  | string                     | `https://anc.dev/skill`.                                                                            |
-
-**Build-emitter validation (`src/build/skill.mjs`).** `loadSkillData()` is fail-fast: missing required keys, non-hex or
-non-lowercase `source.commit`, non-semver `version`, empty `install` map, install commands not starting with `git clone
---depth 1`, and bare-clone commands (no explicit destination path) all reject the build at startup. The
-explicit-destination invariant is non-optional defense for the repo-name asymmetry: the skill repo is named
-`agentnative-skill` but the skill itself is named `agent-native-cli`; a bare `git clone` lands on the repo name and
-breaks every host's skill-discovery convention.
+| Key               | Type    | Notes                                                                                         |
+| ----------------- | ------- | --------------------------------------------------------------------------------------------- |
+| `schema_version`  | integer | `1`. Bump on incompatible structural change.                                                  |
+| `type`            | string  | `"agent-skill"`.                                                                              |
+| `name`            | string  | `"agent-native-cli"`. Slug, kebab-case.                                                       |
+| `version`         | string  | Semver. Bumped per skill release.                                                             |
+| `description`     | string  | One sentence.                                                                                 |
+| `principles_url`  | string  | `https://anc.dev/p1`.                                                                         |
+| `license`         | string  | `"MIT"`.                                                                                      |
+| `source.type`     | string  | `"git"`.                                                                                      |
+| `source.url`      | string  | `https://github.com/brettdavies/agentnative-skill.git`.                                       |
+| `install`         | object  | Per-host map: `claude_code`, `codex`, `cursor`, `opencode` → `git clone --depth 1 …` command. |
+| `update`          | string  | `cd <install-dir> && git pull --ff-only`.                                                     |
+| `uninstall`       | string  | `rm -rf <install-dir>`.                                                                       |
+| `skill_page_html` | string  | `https://anc.dev/skill`.                                                                      |
+
+**Build-emitter validation (`src/build/skill.mjs`).** `loadSkillData()` is fail-fast: missing required keys, non-semver
+`version`, empty `install` map, install commands not starting with `git clone --depth 1`, and bare-clone commands (no
+explicit destination path) all reject the build at startup. The explicit-destination invariant is non-optional defense
+for the repo-name asymmetry: the skill repo is named `agentnative-skill` but the skill itself is named
+`agent-native-cli`; a bare `git clone` lands on the repo name and breaks every host's skill-discovery convention.
 
 **Header contract (`src/worker/headers.ts`).** The Worker's HTML/markdown branches are joined by a JSON-extension branch
 detected by URL ending in `.json` (extension, not prefix — any `/<slug>.json` endpoint reuses the branch, so the v2
@@ -524,9 +520,10 @@ twin.
 `/skill` enters `sitemap.xml` and `llms.txt` (under a `## Skill` section); `/skill.json` enters `llms.txt` but NOT the
 sitemap because `X-Robots-Tag: noindex` keeps it out of search engines.
 
-**Release runbook entry.** The skill-release procedure lives in `RELEASES.md`. Each skill release bumps `version`,
-`source.commit`, and `verify.expected` in `src/data/skill.json` (cache-purge `/skill`, `/skill.json`, and `/skill.md`
-against the Cloudflare cache-purge API after deploy).
+**Release runbook entry.** The skill-release procedure lives in `RELEASES.md`. Each skill release bumps `version` in
+`src/data/skill.json` if the manifest's user-facing fields changed (cache-purge `/skill`, `/skill.json`, and `/skill.md`
+against the Cloudflare cache-purge API after deploy). Update detection at install sites is handled by the skill bundle's
+`bin/check-update`, not by a manifest field.
 
 ### 3.10 CLI install — `/install`
 
diff --git a/scripts/SYNCS.md b/scripts/SYNCS.md
index c244da0..28990ea 100644
--- a/scripts/SYNCS.md
+++ b/scripts/SYNCS.md
@@ -7,7 +7,7 @@ but not built*. Update this file whenever a sync script, workflow, endpoint, or
 
 Existing top-level docs cover adjacent concerns but none give a single map:
 
-- `RELEASES.md` documents the skill-release procedure (the downstream-facing `/skill.json` re-pin) and the deploy
+- `RELEASES.md` documents the skill-release procedure (the downstream-facing `/skill.json` manifest bump) and the deploy
   pipeline, but treats syncs as one step in a larger runbook.
 - `docs/DESIGN.md` §3.9 / §3.10 cover the `/skill` and `/install` build contracts, not the cross-repo data flow.
 - `AGENTS.md` describes endpoints and content authorship, not sync direction.
@@ -95,9 +95,9 @@ site-own version (`package.json` is `"0.0.0"` deliberately — the spec version
 
 ### Build-time vendoring by other repos
 
-| Consumer                                                     | Mechanism                                                                          | What's exported               | Trigger / cadence                                                                                   | Drift check                                                                                                                                                                                                                                                                  |
-| ------------------------------------------------------------ | ---------------------------------------------------------------------------------- | ----------------------------- | --------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `brettdavies/agentnative-cli` `src/skill_install/skill.json` | CLI's `scripts/sync-skill-fixture.sh` pulls from this repo's `src/data/skill.json` | Skill bundle metadata fixture | When this repo bumps `src/data/skill.json` (skill release re-pin per RELEASES.md §"Skill releases") | CLI's `skill-fixture-drift` GitHub Actions workflow runs the fixture's `--check` equivalent on every PR; CLI side fails if its vendored copy lags this repo. Effectively the inverse of the coverage-matrix arrangement: source-of-truth lives here, drift gate lives there. |
+| Consumer                                                     | Mechanism                                                                          | What's exported               | Trigger / cadence                                                                                          | Drift check                                                                                                                                                                                                                                                                  |
+| ------------------------------------------------------------ | ---------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `brettdavies/agentnative-cli` `src/skill_install/skill.json` | CLI's `scripts/sync-skill-fixture.sh` pulls from this repo's `src/data/skill.json` | Skill bundle metadata fixture | When this repo bumps `src/data/skill.json` (skill release manifest bump per RELEASES.md §"Skill releases") | CLI's `skill-fixture-drift` GitHub Actions workflow runs the fixture's `--check` equivalent on every PR; CLI side fails if its vendored copy lags this repo. Effectively the inverse of the coverage-matrix arrangement: source-of-truth lives here, drift gate lives there. |
 
 ### Deploy-time emission to Cloudflare Workers
 
@@ -128,10 +128,13 @@ The four flows interact, but each is independently triggered:
    for the workflow). Spec's `repository_dispatch:spec-release` event already fires here on tag publish; a consumer-side
    handler that auto-PRs the resync is tracked as follow-up work.
 
-4. **Skill repo cuts a release** → maintainer fast-forwards `agentnative-skill:main` to the new tag → edits this repo's
-   `src/data/skill.json` (`version`, `source.commit`, `verify.expected`) → PR to `dev` → release flow to `main` →
-   `wrangler deploy` updates `/skill.json` on `anc.dev` → Cloudflare cache purge → CLI's next PR exercises
-   `skill-fixture-drift` against the new fixture. Full runbook in `RELEASES.md` §"Skill-release procedure".
+4. **Skill repo cuts a release** → maintainer fast-forwards `agentnative-skill:main` to the new tag → if any user-facing
+   manifest fields changed (per-host install commands, version, description), edits this repo's `src/data/skill.json` to
+   bump `version` plus the changed fields → PR to `dev` → release flow to `main` → `wrangler deploy` updates
+   `/skill.json` on `anc.dev` → Cloudflare cache purge → CLI's next PR exercises `skill-fixture-drift` against the new
+   fixture. If the release didn't change any manifest fields, skip the manifest bump entirely — installed users learn
+   about the new release via the skill bundle's `bin/check-update`, not via a manifest change here. Full runbook in
+   `RELEASES.md` §"Skill-release procedure".
 
 5. **Site code/content change** → push to `dev` (auto-deploys to staging Worker) → PR `dev` → `main` → push to `main`
    (auto-deploys to `anc.dev`).
@@ -145,8 +148,8 @@ The four flows interact, but each is independently triggered:
   and runs `score-anc100.sh` inside the container, writing scorecards back to the host via bind mount. The container is
   the single source of truth for scoring; host-side `regen-scorecards.sh` is deprecated.
 - `src/data/spec/README.md` — what's vendored, why, and the manual reconciliation workflow when spec prose drifts.
-- `RELEASES.md` §"Skill releases" — the downstream re-pin procedure for `src/data/skill.json` end-to-end (commit →
-  cache-purge → live verify).
+- `RELEASES.md` §"Skill releases" — the downstream manifest-bump procedure for `src/data/skill.json` end-to-end
+  (manifest edit → cache-purge → live verify).
 - `docs/DESIGN.md` §3.9 (`/skill` + `/skill.json` build contract) and §3.10 (`/install` HTML-only contract).
 - `AGENTS.md` — repo conventions and the `content/principles/` vs `src/data/spec/principles/` separation rule.
 - `docs/plans/2026-04-23-001-feat-sync-spec-plan.md` (dev branch only, gated off main) — the plan that introduced
diff --git a/src/build/skill.mjs b/src/build/skill.mjs
index 5f021c0..d2bb03d 100644
--- a/src/build/skill.mjs
+++ b/src/build/skill.mjs
@@ -6,8 +6,7 @@
 // §"/install.json shape", relocated to /skill.json by 2026-04-28-003):
 //
 //   - skill.json IS the source of truth. The emitter validates and copies;
-//     it does not synthesize fields. verify.expected and source.commit are
-//     hand-co-edited at release time.
+//     it does not synthesize fields.
 //   - dist/skill.json is byte-stable across runs: keys sorted, two-space
 //     indent, trailing newline.
 //   - Per-host commands MUST start with `git clone --depth 1` and terminate
@@ -19,7 +18,6 @@ import { readFile, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { renderMarkdown } from './render.mjs';
 
-const COMMIT_RE = /^[0-9a-f]{40}$/;
 const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
 const REQUIRED_TOP_LEVEL = [
   'schema_version',
@@ -31,13 +29,11 @@ const REQUIRED_TOP_LEVEL = [
   'license',
   'source',
   'install',
-  'verify',
   'update',
   'uninstall',
   'skill_page_html',
 ];
-const REQUIRED_SOURCE = ['type', 'url', 'commit'];
-const REQUIRED_VERIFY = ['command', 'expected', 'semantics'];
+const REQUIRED_SOURCE = ['type', 'url'];
 
 /**
  * Read + validate src/data/skill.json. Fail-fast on missing/malformed
@@ -71,15 +67,6 @@ export async function loadSkillData(dataPath) {
       throw new Error(`${dataPath}: missing required key "source.${key}"`);
     }
   }
-  if (!COMMIT_RE.test(data.source.commit)) {
-    throw new Error(`${dataPath}: "source.commit" must be a 40-char lowercase hex SHA, got "${data.source.commit}"`);
-  }
-
-  for (const key of REQUIRED_VERIFY) {
-    if (!data.verify[key]) {
-      throw new Error(`${dataPath}: missing required key "verify.${key}"`);
-    }
-  }
 
   if (!data.install || typeof data.install !== 'object' || Array.isArray(data.install)) {
     throw new Error(`${dataPath}: "install" must be a non-empty object mapping host → command`);
@@ -195,7 +182,7 @@ export function buildSkillMarkdown(data) {
   lines.push('## What this does');
   lines.push('');
   lines.push(
-    `Clones \`${data.source.url}\` (pinned at commit \`${data.source.commit}\`) into your host's skills directory. \`.git/\` is preserved so future updates are a \`git pull\`.`,
+    `Clones \`${data.source.url}\` into your host's skills directory. \`.git/\` is preserved so future updates are a \`git pull\`.`,
   );
   lines.push('');
 
@@ -233,20 +220,7 @@ export function buildSkillMarkdown(data) {
   lines.push('## Trust model');
   lines.push('');
   lines.push(
-    "Piping a remote shell script into the local shell is the failure mode this install path rejects. Installation runs `git clone` against a content-addressed commit on a specific repository — the scripts are open-source and visible at the producer repo before they execute on the user's machine. The site advertises a single upstream commit SHA in `/skill.json`; agents that care about provenance can verify it.",
-  );
-  lines.push('');
-
-  lines.push('## Verify');
-  lines.push('');
-  lines.push("After install, confirm the local checkout matches the site's advertised pin:");
-  lines.push('');
-  lines.push('```bash');
-  lines.push(data.verify.command);
-  lines.push('```');
-  lines.push('');
-  lines.push(
-    `Expected: \`${data.verify.expected}\`. ${data.verify.semantics.charAt(0).toUpperCase()}${data.verify.semantics.slice(1)}.`,
+    "Piping a remote shell script into the local shell is the failure mode this install path rejects. Installation runs `git clone` against a specific repository on a specific host — the scripts are open-source and visible at the producer repo before they execute on the user's machine.",
   );
   lines.push('');
 
diff --git a/src/data/skill.json b/src/data/skill.json
index d0b2033..1db85ea 100644
--- a/src/data/skill.json
+++ b/src/data/skill.json
@@ -8,8 +8,7 @@
   "license": "MIT",
   "source": {
     "type": "git",
-    "url": "https://github.com/brettdavies/agentnative-skill.git",
-    "commit": "47a76cceb8b7b1bc013c19ee18a5e38179b1dd0e"
+    "url": "https://github.com/brettdavies/agentnative-skill.git"
   },
   "install": {
     "claude_code": "git clone --depth 1 https://github.com/brettdavies/agentnative-skill.git ~/.claude/skills/agent-native-cli",
@@ -19,11 +18,6 @@
     "kiro": "git clone --depth 1 https://github.com/brettdavies/agentnative-skill.git ~/.kiro/skills/agent-native-cli",
     "opencode": "git clone --depth 1 https://github.com/brettdavies/agentnative-skill.git ~/.config/opencode/skills/agent-native-cli"
   },
-  "verify": {
-    "command": "git -C <install-dir> rev-parse HEAD",
-    "expected": "47a76cceb8b7b1bc013c19ee18a5e38179b1dd0e",
-    "semantics": "advisory freshness probe; mismatch means upstream has moved past the site's pin"
-  },
   "update": "cd <install-dir> && git pull --ff-only",
   "uninstall": "rm -rf <install-dir>",
   "skill_page_html": "https://anc.dev/skill"
diff --git a/tests/build.test.ts b/tests/build.test.ts
index 9626746..31c050f 100644
--- a/tests/build.test.ts
+++ b/tests/build.test.ts
@@ -1550,17 +1550,11 @@ describe('loadSkillData — fail-fast validation', () => {
       source: {
         type: 'git',
         url: 'https://github.com/brettdavies/agentnative-skill.git',
-        commit: '47a76cceb8b7b1bc013c19ee18a5e38179b1dd0e',
       },
       install: {
         claude_code:
           'git clone --depth 1 https://github.com/brettdavies/agentnative-skill.git ~/.claude/skills/agent-native-cli',
       },
-      verify: {
-        command: 'git -C <install-dir> rev-parse HEAD',
-        expected: '47a76cceb8b7b1bc013c19ee18a5e38179b1dd0e',
-        semantics: 'advisory',
-      },
       update: 'cd <install-dir> && git pull --ff-only',
       uninstall: 'rm -rf <install-dir>',
       skill_page_html: 'https://anc.dev/skill',
@@ -1580,8 +1574,8 @@ describe('loadSkillData — fail-fast validation', () => {
   }
 
   test('happy path: valid manifest loads', async () => {
-    const data = (await writeAndLoad(validManifest())) as { source: { commit: string } };
-    expect(data.source.commit).toBe('47a76cceb8b7b1bc013c19ee18a5e38179b1dd0e');
+    const data = (await writeAndLoad(validManifest())) as { source: { url: string } };
+    expect(data.source.url).toBe('https://github.com/brettdavies/agentnative-skill.git');
   });
 
   test('missing top-level key fails with the key name', async () => {
@@ -1590,18 +1584,6 @@ describe('loadSkillData — fail-fast validation', () => {
     await expect(writeAndLoad(m)).rejects.toThrow(/missing required key "license"/);
   });
 
-  test('non-hex commit rejected', async () => {
-    const m = validManifest();
-    m.source.commit = 'NOT-A-SHA';
-    await expect(writeAndLoad(m)).rejects.toThrow(/40-char lowercase hex SHA/);
-  });
-
-  test('uppercase-hex commit rejected (must be lowercase)', async () => {
-    const m = validManifest();
-    m.source.commit = '47A76CCEB8B7B1BC013C19EE18A5E38179B1DD0E';
-    await expect(writeAndLoad(m)).rejects.toThrow(/40-char lowercase hex SHA/);
-  });
-
   test('non-semver version rejected', async () => {
     const m = validManifest();
     m.version = '0.1';
diff --git a/tests/e2e/skill.e2e.ts b/tests/e2e/skill.e2e.ts
index 3e457da..2bfd493 100644
--- a/tests/e2e/skill.e2e.ts
+++ b/tests/e2e/skill.e2e.ts
@@ -1,8 +1,8 @@
 // 4-host skill-distribution install verification + bare-clone footgun
 // check. This is the live-network e2e: it fetches /skill.json from the
 // local Worker, runs every advertised host's clone command into a sandbox
-// HOME, and asserts SKILL.md lands at the expected path with the pinned
-// commit checked out.
+// HOME, and asserts SKILL.md lands at the expected path on the skill
+// repo's default branch.
 //
 // Isolation: this spec runs only under the `skill` Playwright project
 // (see playwright.config.ts). It is excluded from the default `bun run
@@ -16,8 +16,8 @@
 // Post-cutover usage (producer is public — HTTPS works as advertised):
 //   bun x playwright test --project=skill
 //
-// The URL override only swaps the clone source; the destination paths,
-// commit pin, and host names are still drawn from /skill.json.
+// The URL override only swaps the clone source; the destination paths and
+// host names are still drawn from /skill.json.
 
 import { execFileSync } from 'node:child_process';
 import { mkdtempSync, rmSync, statSync } from 'node:fs';
@@ -29,7 +29,7 @@ const BASE = 'http://localhost:8787';
 const URL_OVERRIDE = process.env.ANC_SKILL_URL;
 
 interface Manifest {
-  source: { url: string; commit: string };
+  source: { url: string };
   install: Record<string, string>;
 }
 
@@ -73,7 +73,7 @@ function runInSandbox(command: string, sandboxHome: string): void {
 }
 
 test.describe('skill-distribution install — 4-host live clone', () => {
-  test('every advertised host clones, lands SKILL.md, and pins commit', async ({ request }) => {
+  test('every advertised host clones and lands SKILL.md', async ({ request }) => {
     const manifest = await fetchManifest(request);
     expect(Object.keys(manifest.install).length).toBeGreaterThanOrEqual(1);
 
@@ -88,21 +88,6 @@ test.describe('skill-distribution install — 4-host live clone', () => {
         // canonical entry point.
         const skillPath = join(dest, 'SKILL.md');
         expect({ host, exists: statSync(skillPath).isFile() }).toEqual({ host, exists: true });
-
-        // Pin freshness: the local checkout's HEAD must match source.commit.
-        const head = execFileSync('git', ['-C', dest, 'rev-parse', 'HEAD']).toString().trim();
-        expect({ host, head }).toEqual({ host, head: manifest.source.commit });
-
-        // Pin freshness: the skill repo's default-branch HEAD must equal the
-        // pin. This is the actual invariant — if upstream has moved past the
-        // pin, the install is stale and the next site release is overdue.
-        // (`git ls-remote --exit-code <commit>` would NOT work — ls-remote
-        // resolves ref names, not SHAs.)
-        const remoteHead = execFileSync('git', ['-C', dest, 'ls-remote', 'origin', 'HEAD'])
-          .toString()
-          .trim()
-          .split(/\s+/)[0];
-        expect({ host, remoteHead }).toEqual({ host, remoteHead: manifest.source.commit });
       } finally {
         rmSync(sandboxHome, { recursive: true, force: true });
       }
diff --git a/tests/regression.test.ts b/tests/regression.test.ts
index bd2c8fb..7e8d74a 100644
--- a/tests/regression.test.ts
+++ b/tests/regression.test.ts
@@ -143,21 +143,12 @@ describe('regression #5 — /skill.json (skill-distribution canonical surface)',
     expect(parsed).toBeDefined();
   });
 
-  test('dist/skill.json source.commit matches src/data/skill.json', async () => {
+  test('dist/skill.json mirrors src/data/skill.json byte-for-byte', async () => {
     const distRaw = await readFile(join(DIST, 'skill.json'), 'utf8');
     const sourceRaw = await readFile(join(REPO_ROOT, 'src', 'data', 'skill.json'), 'utf8');
     const dist = JSON.parse(distRaw);
     const source = JSON.parse(sourceRaw);
-    expect(dist.source.commit).toBe(source.source.commit);
-    // Pin-freshness invariant: verify.expected mirrors source.commit until
-    // a v2 schema decouples them.
-    expect(dist.verify.expected).toBe(dist.source.commit);
-  });
-
-  test('dist/skill.json source.commit is 40-char lowercase hex', async () => {
-    const raw = await readFile(join(DIST, 'skill.json'), 'utf8');
-    const parsed = JSON.parse(raw);
-    expect(parsed.source.commit).toMatch(/^[0-9a-f]{40}$/);
+    expect(dist).toEqual(source);
   });
 
   test('dist/skill.json has every required key', async () => {
@@ -173,7 +164,6 @@ describe('regression #5 — /skill.json (skill-distribution canonical surface)',
       'license',
       'source',
       'install',
-      'verify',
       'update',
       'uninstall',
       'skill_page_html',

From 2ab6fefd575fe9a51934f667cc790d3beed1a92f Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Fri, 1 May 2026 04:19:17 -0500
Subject: [PATCH 6/9] chore(scorecards): drop anc.commit from schema + tests;
 add triple-diff to release runbook (#69)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Two threads landing together — schema-side cleanup paired with the
agentnative-cli companion change, plus the
triple-diff verification we used today getting promoted from "ad-hoc
command we ran once" to "documented runbook
step every release uses."

## Changelog

### Removed

- \`anc.commit\` from the scorecard schema documentation and invariant
tests. The field is no longer emitted by
agentnative-cli (companion change) or surfaced in any rendered
scorecard. Existing scorecards retain their values
until next regen but the field is no longer part of the documented
schema contract.

### Documentation

- Release runbook now uses a triple-diff verification (main → release /
release → dev / dev → main) plus a
patch-id cherry sweep, replacing the original single-axis leaked-paths
check. Catches both directions of drift:
  guarded paths leaking IN and real feature commits being missed OUT.

## Type of Change

- [x] \`chore\`: Maintenance tasks (dependencies, config, etc.)
- [x] \`docs\`: Documentation update

## Related Issues/Stories

- Story: Pairs with agentnative-cli companion change (in-flight) that
drops \`ANC_COMMIT\` from \`build.rs\` and stops emitting
\`"anc.commit"\` in the JSON envelope.
- Issue: n/a
- Architecture: n/a
- Related PRs: #66 (render-side anc.commit strip — shipped to dev), #68
(release/2026-05-01-spec-vendoring-and-cleanup — open to main; this PR
cherry-picks into it).

## Testing

- [x] Unit tests added/updated
- [x] All tests passing

**Test Summary:**

- 200 / 0 fail unit + regression tests pass (was 201 — dropped the
now-irrelevant \`admits null anc.commit\` test).
- \`bun run build\` clean.

## Files Modified

**Modified:**

- \`content/scorecard-schema.md\` — \`commit\` row removed from \`anc\`
table; trailing prose simplified; top-level JSON example updated.
- \`tests/build.test.ts\` — \`expect(entry.metadata.anc.commit)\`
assertion dropped from the \`loadScoredTools\` happy-path test;
\`'admits null anc.commit (build outside a git checkout)'\` test block
dropped entirely.
- \`RELEASES.md\` — release-runbook \`Releasing dev to main\` section:
triple-diff procedure + guarded-paths regex sweep + \`git cherry\`
patch-id check, with squash-merge false-positive triage notes.

**Created:** None.
**Renamed:** None.
**Deleted:** None.

## Breaking Changes

- [x] No breaking changes for end users.

The schema field removal lands in lockstep with the CLI's emission
removal. Until both ship to main, existing
agents/consumers that read \`anc.commit\` will continue seeing it —
after both ship, the field will simply be missing
from new scorecards (no rename, no aliasing, just absence).

## Deployment Notes

- [x] No special deployment steps required.

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible

## Additional Context

These commits will also be cherry-picked into
\`release/2026-05-01-spec-vendoring-and-cleanup\` (PR #68) so the
schema cleanup ships in the same release as the render-side cleanup it
pairs with.
---
 RELEASES.md                 | 57 ++++++++++++++++++++++++++++++++++---
 content/scorecard-schema.md | 15 ++++------
 tests/build.test.ts         | 16 -----------
 3 files changed, 59 insertions(+), 29 deletions(-)

diff --git a/RELEASES.md b/RELEASES.md
index 4b42b84..87df488 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -75,10 +75,59 @@ git log --oneline dev --not origin/main
 # 3. Cherry-pick the ones you want to ship. Docs commits stay on dev.
 git cherry-pick <sha1> <sha2> ...
 
-# 4. Verify no guarded paths leaked through:
-git diff origin/main --stat
-# If anything under docs/plans/, docs/solutions/, or docs/brainstorms/
-# shows up, you cherry-picked a docs commit by mistake — reset and redo.
+# 4. Triple-diff verification — belt-and-suspenders sweep that catches both
+#    directions of drift before the release tag goes out:
+#
+#    A. main → release  (what users will see; the intended ship surface)
+#    B. release → dev   (should be empty for non-doc paths until the
+#                        bump/CHANGELOG commits land, and even then should
+#                        only list those release-prep files — anything else
+#                        is a missed cherry-pick)
+#    C. dev → main      (sanity: phantom commits dev "appears ahead" on
+#                        because cherry-pick rewrites SHAs post-squash)
+git diff origin/main..HEAD --stat                                                # A
+git diff HEAD..origin/dev --name-only | grep -v '^docs/' || echo "(none)"        # B
+git diff origin/dev..origin/main --stat | tail -5                                # C
+#
+# Re-confirm no guarded paths leaked (this caught the original miss class):
+git diff origin/main..HEAD --name-only \
+  | grep -E '^(docs/plans|docs/brainstorms|docs/ideation|docs/reviews|docs/solutions|\.context)' \
+  && echo "LEAKED — reset and redo" || echo "(clean — no guarded paths)"
+#
+# Patch-id cherry check — catches commits on dev that have NO patch-id
+# equivalent on release. The file-level diff in B misses this class when
+# the same content happens to land via a different commit.
+#
+# IMPORTANT: in a squash-merge workflow this output is noisy. Every '+'
+# line needs human triage — it does NOT auto-block the release. Expected
+# sources of '+' lines that are NOT real misses:
+#
+#   1. Historical commits squash-merged in prior releases. The squash
+#      commit on main has a different patch-id than the dev commits it
+#      consolidates, so old commits show as '+' forever. Anything older
+#      than the previous release tag is almost always this.
+#   2. Cherry-picks where conflict resolution stripped guarded paths
+#      (docs/plans, docs/brainstorms, etc.) or otherwise altered the
+#      tree. Same source-code intent, different patch-id.
+#   3. Intentionally skipped commits — docs-only commits, release-prep
+#      backports, revert-and-redo prep steps.
+#
+# A real miss looks like: a recent feat/fix/chore commit on dev whose
+# *file content* is not yet on main. To triage a '+' line:
+#
+#   git show <sha> --stat                       # what did it touch?
+#   git diff origin/main..HEAD -- <those-files> # already on release?
+#
+# If every touched file is guarded (docs/plans/, docs/brainstorms/, etc.)
+# OR the content is already on main via a prior squash, it's a false
+# positive — no action. Otherwise cherry-pick the commit and re-run the
+# triple-diff.
+git cherry HEAD origin/dev | grep '^+' || echo "(none — release is patch-equivalent through dev)"
+#
+# If B lists any non-docs path you didn't expect, fetch dev, identify the
+# commit (`git log dev --not origin/main`), cherry-pick it, re-run the
+# triple-diff. Missed cherry-picks have shipped to main on this and sibling
+# repos before — this step is the cheap way to catch them.
 
 # 5. Push and open the PR:
 git push -u origin release/<slug>
diff --git a/content/scorecard-schema.md b/content/scorecard-schema.md
index 7c1295b..4fe9685 100644
--- a/content/scorecard-schema.md
+++ b/content/scorecard-schema.md
@@ -26,7 +26,7 @@ informational; when both are present and disagree, the build aborts with an inte
   "schema_version": "0.4",
   "spec_version": "...",
   "tool":   { "name": "...", "binary": "...", "version": "..." },
-  "anc":    { "version": "...", "commit": "..." },
+  "anc":    { "version": "..." },
   "run":    { "invocation": "...", "started_at": "...", "duration_ms": 0,
               "platform": { "os": "...", "arch": "..." } },
   "target": { "kind": "...", "path": null, "command": "..." },
@@ -83,18 +83,15 @@ Provenance for the scorecard: which `anc` build produced it.
 
 ```json
 "anc": {
-  "version": "0.2.1",
-  "commit": "fff3f13"
+  "version": "0.2.1"
 }
 ```
 
-| Field     | Type           | Meaning                                                                                                                                                                                                                                                                                             |
-| --------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `version` | string         | Self-reported version of the `anc` binary that ran the score. Read from `Cargo.toml` at build time.                                                                                                                                                                                                 |
-| `commit`  | string \| null | Abbreviated git SHA (7-40 hex chars) captured by `build.rs` from the working tree at compile time. `null` for `cargo install`-style and brew-bottle builds outside a git checkout. Captured but no longer surfaced on the rendered scorecard page; planned for removal in a future schema revision. |
+| Field     | Type   | Meaning                                                                                             |
+| --------- | ------ | --------------------------------------------------------------------------------------------------- |
+| `version` | string | Self-reported version of the `anc` binary that ran the score. Read from `Cargo.toml` at build time. |
 
-The per-tool page renders `anc.version` only. The `commit` field stays in the JSON for back-compat; its removal is
-deferred to a future schema revision.
+The per-tool page renders `anc.version`.
 
 ## `run`
 
diff --git a/tests/build.test.ts b/tests/build.test.ts
index 31c050f..87f3f8c 100644
--- a/tests/build.test.ts
+++ b/tests/build.test.ts
@@ -847,7 +847,6 @@ describe('loadScoredTools — schema 0.4 metadata', () => {
       expect(entry.metadata).not.toBeNull();
       expect(entry.metadata.tool.name).toBe('fixture');
       expect(entry.metadata.anc.version).toBe('0.1.0');
-      expect(entry.metadata.anc.commit).toBe('abc1234');
       expect(entry.metadata.run.duration_ms).toBe(42);
       expect(entry.metadata.run.platform.os).toBe('linux');
       expect(entry.metadata.target.kind).toBe('command');
@@ -1090,21 +1089,6 @@ describe('runScorecardInvariants — v0.4 corpus invariants', () => {
       },
     );
   });
-
-  test('admits null anc.commit (build outside a git checkout)', async () => {
-    await withCorpus(
-      [
-        {
-          name: 'fixture-v1.2.3.json',
-          content: makeV04Scorecard({ anc: { version: '0.1.0', commit: null } }),
-        },
-      ],
-      async (dir) => {
-        const registry = makeRegistry([{ name: 'fixture', binary: 'fixture' }]);
-        await runScorecardInvariants(dir, registry);
-      },
-    );
-  });
 });
 
 describe('computePrincipleScore', () => {

From b63a8d2e3818a743f4e7dacd0cedf2c802bb5bb3 Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Fri, 1 May 2026 05:27:50 -0500
Subject: [PATCH 7/9] chore(scorecards): rescore all 96 tools with brewed anc
 v0.3.0 (#70)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

First scoring run since both halves of the SHA-pin cleanup landed — this
PR captures fresh scorecards for the entire
ANC 100 registry, scored by the just-released \`agentnative-cli v0.3.0\`
(no more \`ANC_COMMIT\` capture, no more
\`anc.commit\` field in the JSON envelope) installed via brew inside the
docker scoring image (no operator-local
working-tree state coupling).

96/96 scored, 0 install-missing, 0 score-failed, 0 skipped.

## Changelog

### Changed

- All 96 per-tool scorecards on anc.dev refreshed against \`anc
v0.3.0\`. The JSON envelope no longer carries
\`anc.commit\`; the per-tool page's "Anc build" row reads \`0.3.0\` (was
\`0.2.0\`).

### Updated tool versions

Upstream releases since the last scoring run, picked up in this rescore:

- \`act\` v0.2.87 → v0.2.88
- \`anc\` v0.2.0 → v0.3.0 *(self-scorecard rolls forward to match the
now-installed binary)*
- \`claude-code\` v2.1.123 → v2.1.126
- \`flyctl\` v0.4.44 → v0.4.45
- \`ollama\` v0.22.0 → v0.22.1
- \`opencode\` v1.14.30 → v1.14.31
- \`starship\` v1.25.0 → v1.25.1

## Type of Change

- [x] \`chore\`: Maintenance tasks (regenerated artifacts).

## Related Issues/Stories

- Story: Closes the loop after agentnative-cli v0.3.0 (#44 over there)
and site PRs #66, #67, #69 — first rescore against the new
no-\`anc.commit\` JSON shape.
- Issue: n/a
- Architecture: n/a (regenerated artifacts; no schema or code changes
here).
- Related PRs: #66, #67, #69 (already on dev); #68 (release branch —
open against main).

## Testing

- [x] Unit tests added/updated
- [x] All tests passing

**Test Summary:**

- 200 / 0 fail unit + regression tests pass.
- \`bun run build\` clean: 111 pages, 97 scorecard pages, 96 badges, 0
orphans.
- \`rg 'anc.commit\\|\"commit\":' dist/\` returns zero — confirms no
rendered surface still leaks the dropped field.
- Spot-check on a handful of fresh scorecards: \`jq '.anc' <file>\`
returns \`{\"version\":\"0.3.0\"}\` (no \`commit\` key).

## Files Modified

**Modified:**

- \`scorecards/*.json\` — 89 same-version files refreshed (anc.commit
dropped, anc.version bumped to 0.3.0, run.started_at refreshed).

**Renamed:**

- \`scorecards/act-v0.2.87.json\` → \`scorecards/act-v0.2.88.json\`
- \`scorecards/anc-v0.2.0.json\` → \`scorecards/anc-v0.3.0.json\`
- \`scorecards/claude-code-v2.1.123.json\` →
\`scorecards/claude-code-v2.1.126.json\`
- \`scorecards/flyctl-v0.4.44.json\` →
\`scorecards/flyctl-v0.4.45.json\`
- \`scorecards/ollama-v0.22.0.json\` →
\`scorecards/ollama-v0.22.1.json\`
- \`scorecards/opencode-v1.14.30.json\` →
\`scorecards/opencode-v1.14.31.json\`
- \`scorecards/starship-v1.25.0.json\` →
\`scorecards/starship-v1.25.1.json\`

(The 7 superseded old-version files were trashed rather than left for
the auto-discovery silent-supersede path —
keeps the disk in sync with what \`/score/<tool>\` will actually
render.)

**Created / Deleted:** None as net-new in the working tree (the 7
renames net to 0; the 96 modifications stay
in-place).

## Breaking Changes

- [x] No breaking changes.

## Deployment Notes

- [x] No special deployment steps required.

After merge, staging at
\`agentnative-site-staging.brettdavies.workers.dev\` will serve the
refreshed scorecards.
The \`/score/<tool>\` pages will render \`<dt>Anc
build</dt><dd>0.3.0</dd>\` for every tool.

## Known follow-up

- \`scorecards/cf-v0.0.5.json\`'s \`tool.version\` JSON field captured a
row of Unicode \`▄\` block characters from
cf's ASCII-art logo banner. The rendered \`/score/cf\` page is fine
(filename version \`0.0.5\` is canonical), but
  the JSON's courtesy field is decorative junk. Captured in

\`.context/compound-engineering/todos/020-pending-p3-cf-tool-version-decorative-first-line.md\`
(local-only) with
  three fix-path options. Not blocking this rescore.

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible

## Additional Context

The docs changes from PR #69 (\`content/scorecard-schema.md\` +
\`tests/build.test.ts\` + \`RELEASES.md\`) are
already on \`dev\`; this rescore PR rides on top of them and only adds
the regenerated \`scorecards/*.json\`
content.

After this lands on \`dev\`, the same scorecard regeneration can be
cherry-picked into the open
\`release/2026-05-01-spec-vendoring-and-cleanup\` (PR #68) so that the
production deploy to anc.dev ships fresh
scorecards in the same release as the supporting code/schema changes.
---
 .../{act-v0.2.87.json => act-v0.2.88.json}    |  7 +++---
 scorecards/actionlint-v1.7.12.json            |  5 ++--
 scorecards/age-v1.3.1.json                    |  7 +++---
 .../{anc-v0.2.0.json => anc-v0.3.0.json}      |  5 ++--
 scorecards/ast-grep-v0.42.1.json              |  7 +++---
 scorecards/atuin-v18.16.0.json                |  7 +++---
 scorecards/aws-cli-v2.34.40.json              |  7 +++---
 scorecards/bandwhich-v0.23.1.json             |  5 ++--
 scorecards/bat-v0.26.1.json                   |  5 ++--
 scorecards/biome-v2.4.13.json                 |  7 +++---
 scorecards/bird-v0.1.3.json                   |  5 ++--
 scorecards/bottom-v0.12.3.json                |  5 ++--
 scorecards/broot-v1.56.2.json                 |  5 ++--
 scorecards/bun-v1.3.13.json                   |  7 +++---
 scorecards/cargo-binstall-v1.18.1.json        |  5 ++--
 scorecards/cf-v0.0.5.json                     |  7 +++---
 ...2.1.123.json => claude-code-v2.1.126.json} |  9 +++----
 scorecards/cmake-v4.3.2.json                  |  5 ++--
 scorecards/codex-v0.128.0.json                |  7 +++---
 scorecards/cosign-v3.0.6.json                 |  7 +++---
 scorecards/curl-v8.20.0.json                  |  5 ++--
 scorecards/dasel-v3.8.1.json                  |  7 +++---
 scorecards/datasette-v0.65.2.json             |  7 +++---
 scorecards/delta-v0.19.2.json                 |  5 ++--
 scorecards/deno-v2.7.14.json                  |  7 +++---
 scorecards/direnv-v2.37.1.json                |  5 ++--
 scorecards/docker-v29.4.1.json                |  5 ++--
 scorecards/doggo-v1.1.5.json                  |  5 ++--
 scorecards/dust-v1.2.4.json                   |  5 ++--
 scorecards/eza-v0.23.4.json                   |  5 ++--
 scorecards/fd-v10.4.2.json                    |  5 ++--
 scorecards/ffmpeg-v8.1.json                   |  5 ++--
 scorecards/files-to-prompt-v0.6.json          |  7 +++---
 ...lyctl-v0.4.44.json => flyctl-v0.4.45.json} |  9 +++----
 scorecards/fzf-v0.72.0.json                   |  5 ++--
 scorecards/gemini-cli-v0.40.1.json            |  7 +++---
 scorecards/gh-v2.92.0.json                    |  7 +++---
 scorecards/git-cliff-v2.13.1.json             |  5 ++--
 scorecards/git-v2.54.0.json                   |  5 ++--
 scorecards/gitleaks-v8.30.1.json              |  5 ++--
 scorecards/gitui-v0.28.1.json                 |  5 ++--
 scorecards/glow-v2.1.2.json                   |  7 +++---
 scorecards/goose-v3.27.1.json                 |  7 +++---
 scorecards/gum-v0.17.0.json                   |  5 ++--
 scorecards/helm-v4.1.4.json                   |  7 +++---
 scorecards/hyperfine-v1.20.0.json             |  5 ++--
 scorecards/jj-v0.40.0.json                    |  7 +++---
 scorecards/jnv-v0.7.1.json                    |  5 ++--
 scorecards/jq-v1.8.1.json                     |  5 ++--
 scorecards/just-v1.50.0.json                  |  7 +++---
 scorecards/kubectl-v1.36.0.json               |  7 +++---
 scorecards/lazygit-v0.61.1.json               |  7 +++---
 scorecards/llm-v0.31.json                     | 25 +++++++++----------
 scorecards/lsd-v1.2.0.json                    |  5 ++--
 scorecards/make-v4.4.1.json                   |  5 ++--
 scorecards/miller-v6.18.1.json                |  7 +++---
 scorecards/miniserve-v0.35.0.json             |  5 ++--
 scorecards/mise-v2026.4.28.json               |  5 ++--
 scorecards/mods-v1.8.1.json                   |  7 +++---
 scorecards/navi-v2.24.0.json                  |  5 ++--
 scorecards/nushell-v0.112.2.json              |  5 ++--
 scorecards/nvidia-smi-v570.211.01.json        |  5 ++--
 ...llama-v0.22.0.json => ollama-v0.22.1.json} |  7 +++---
 ...e-v1.14.30.json => opencode-v1.14.31.json} |  9 +++----
 scorecards/pandoc-v3.9.0.json                 |  5 ++--
 scorecards/pastel-v0.12.0.json                |  5 ++--
 scorecards/pixi-v0.67.2.json                  |  7 +++---
 scorecards/procs-v0.14.11.json                |  7 +++---
 scorecards/qmd-v2.1.0.json                    |  7 +++---
 scorecards/rclone-v1.73.5.json                |  7 +++---
 scorecards/ripgrep-v15.1.0.json               |  7 +++---
 scorecards/rsync-v3.4.2.json                  |  5 ++--
 scorecards/ruff-v0.15.12.json                 |  5 ++--
 scorecards/scc-v3.7.0.json                    |  5 ++--
 scorecards/sd-v1.0.0.json                     |  5 ++--
 scorecards/shell-gpt-v3.14.json               |  7 +++---
 scorecards/shellcheck-v0.11.0.json            |  7 +++---
 scorecards/sqlite-utils-v3.39.json            |  7 +++---
 ...hip-v1.25.0.json => starship-v1.25.1.json} |  9 +++----
 scorecards/supabase-v2.95.4.json              |  7 +++---
 scorecards/tealdeer-v1.8.1.json               |  5 ++--
 scorecards/terraform-v1.15.0.json             |  7 +++---
 scorecards/tmux-v3.6.json                     |  5 ++--
 scorecards/tokei-v14.0.0.json                 |  5 ++--
 scorecards/trivy-v0.70.0.json                 |  7 +++---
 scorecards/typst-v0.14.2.json                 |  5 ++--
 scorecards/uv-v0.11.8.json                    |  7 +++---
 scorecards/vhs-v0.11.0.json                   |  5 ++--
 scorecards/watchexec-v2.5.1.json              |  5 ++--
 scorecards/wrangler-v4.86.0.json              |  7 +++---
 scorecards/xh-v0.25.3.json                    |  7 +++---
 scorecards/xr-v1.2.0.json                     |  5 ++--
 scorecards/xsv-v0.13.0.json                   |  7 +++---
 scorecards/yazi-v26.1.22.json                 |  5 ++--
 scorecards/yq-v4.53.2.json                    |  7 +++---
 scorecards/zoxide-v0.9.9.json                 |  7 +++---
 96 files changed, 253 insertions(+), 349 deletions(-)
 rename scorecards/{act-v0.2.87.json => act-v0.2.88.json} (96%)
 rename scorecards/{anc-v0.2.0.json => anc-v0.3.0.json} (97%)
 rename scorecards/{claude-code-v2.1.123.json => claude-code-v2.1.126.json} (95%)
 rename scorecards/{flyctl-v0.4.44.json => flyctl-v0.4.45.json} (95%)
 rename scorecards/{ollama-v0.22.0.json => ollama-v0.22.1.json} (96%)
 rename scorecards/{opencode-v1.14.30.json => opencode-v1.14.31.json} (96%)
 rename scorecards/{starship-v1.25.0.json => starship-v1.25.1.json} (95%)

diff --git a/scorecards/act-v0.2.87.json b/scorecards/act-v0.2.88.json
similarity index 96%
rename from scorecards/act-v0.2.87.json
rename to scorecards/act-v0.2.88.json
index 3dbe962..090335c 100644
--- a/scorecards/act-v0.2.87.json
+++ b/scorecards/act-v0.2.88.json
@@ -129,15 +129,14 @@
   "tool": {
     "name": "act",
     "binary": "act",
-    "version": "act version 0.2.87"
+    "version": "act version 0.2.88"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command act --output json",
-    "started_at": "2026-04-30T23:01:14.143189506Z",
+    "started_at": "2026-05-01T10:09:13.24557317Z",
     "duration_ms": 76,
     "platform": {
       "os": "linux",
diff --git a/scorecards/actionlint-v1.7.12.json b/scorecards/actionlint-v1.7.12.json
index f742f6c..08b8450 100644
--- a/scorecards/actionlint-v1.7.12.json
+++ b/scorecards/actionlint-v1.7.12.json
@@ -132,12 +132,11 @@
     "version": "1.7.12"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command actionlint --output json",
-    "started_at": "2026-04-30T23:01:14.077924424Z",
+    "started_at": "2026-05-01T10:09:13.183113941Z",
     "duration_ms": 53,
     "platform": {
       "os": "linux",
diff --git a/scorecards/age-v1.3.1.json b/scorecards/age-v1.3.1.json
index 010129d..0a8253b 100644
--- a/scorecards/age-v1.3.1.json
+++ b/scorecards/age-v1.3.1.json
@@ -132,13 +132,12 @@
     "version": "v1.3.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command age --output json",
-    "started_at": "2026-04-30T23:01:16.426705448Z",
-    "duration_ms": 94,
+    "started_at": "2026-05-01T10:09:15.44500559Z",
+    "duration_ms": 93,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/anc-v0.2.0.json b/scorecards/anc-v0.3.0.json
similarity index 97%
rename from scorecards/anc-v0.2.0.json
rename to scorecards/anc-v0.3.0.json
index de7c87d..14a3777 100644
--- a/scorecards/anc-v0.2.0.json
+++ b/scorecards/anc-v0.3.0.json
@@ -132,12 +132,11 @@
     "version": null
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command anc --output json",
-    "started_at": "2026-04-30T23:01:51.951099824Z",
+    "started_at": "2026-05-01T10:09:43.214467634Z",
     "duration_ms": 93,
     "platform": {
       "os": "linux",
diff --git a/scorecards/ast-grep-v0.42.1.json b/scorecards/ast-grep-v0.42.1.json
index 8592928..ea4c97c 100644
--- a/scorecards/ast-grep-v0.42.1.json
+++ b/scorecards/ast-grep-v0.42.1.json
@@ -132,13 +132,12 @@
     "version": "ast-grep 0.42.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command sg --output json",
-    "started_at": "2026-04-30T23:00:56.921194633Z",
-    "duration_ms": 115,
+    "started_at": "2026-05-01T10:08:57.739913718Z",
+    "duration_ms": 114,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/atuin-v18.16.0.json b/scorecards/atuin-v18.16.0.json
index 1c3b938..623f615 100644
--- a/scorecards/atuin-v18.16.0.json
+++ b/scorecards/atuin-v18.16.0.json
@@ -133,13 +133,12 @@
     "version": "atuin 18.16.0 ()"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command atuin --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:01:52.425911295Z",
-    "duration_ms": 2145,
+    "started_at": "2026-05-01T10:09:43.587218972Z",
+    "duration_ms": 244,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/aws-cli-v2.34.40.json b/scorecards/aws-cli-v2.34.40.json
index 60bd52e..9582ad3 100644
--- a/scorecards/aws-cli-v2.34.40.json
+++ b/scorecards/aws-cli-v2.34.40.json
@@ -132,13 +132,12 @@
     "version": "aws-cli/2.34.40 Python/3.14.4 Linux/6.8.0-106-generic source/x86_64.debian.13"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command aws --output json",
-    "started_at": "2026-04-30T23:01:10.619446455Z",
-    "duration_ms": 1669,
+    "started_at": "2026-05-01T10:09:09.854281882Z",
+    "duration_ms": 1590,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/bandwhich-v0.23.1.json b/scorecards/bandwhich-v0.23.1.json
index 4a4863f..bdde646 100644
--- a/scorecards/bandwhich-v0.23.1.json
+++ b/scorecards/bandwhich-v0.23.1.json
@@ -133,12 +133,11 @@
     "version": "bandwhich 0.23.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command bandwhich --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:00:57.847221701Z",
+    "started_at": "2026-05-01T10:08:58.657064348Z",
     "duration_ms": 41,
     "platform": {
       "os": "linux",
diff --git a/scorecards/bat-v0.26.1.json b/scorecards/bat-v0.26.1.json
index 38fb2f3..048ea84 100644
--- a/scorecards/bat-v0.26.1.json
+++ b/scorecards/bat-v0.26.1.json
@@ -132,12 +132,11 @@
     "version": "bat 0.26.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command bat --output json",
-    "started_at": "2026-04-30T23:00:57.214192546Z",
+    "started_at": "2026-05-01T10:08:58.031703309Z",
     "duration_ms": 54,
     "platform": {
       "os": "linux",
diff --git a/scorecards/biome-v2.4.13.json b/scorecards/biome-v2.4.13.json
index 7004925..b46dd9f 100644
--- a/scorecards/biome-v2.4.13.json
+++ b/scorecards/biome-v2.4.13.json
@@ -132,13 +132,12 @@
     "version": "Version: 2.4.13"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command biome --output json",
-    "started_at": "2026-04-30T23:01:14.971383779Z",
-    "duration_ms": 54,
+    "started_at": "2026-05-01T10:09:14.056897358Z",
+    "duration_ms": 55,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/bird-v0.1.3.json b/scorecards/bird-v0.1.3.json
index df2c07a..b32507e 100644
--- a/scorecards/bird-v0.1.3.json
+++ b/scorecards/bird-v0.1.3.json
@@ -132,12 +132,11 @@
     "version": "bird 0.1.3"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command bird --output json",
-    "started_at": "2026-04-30T23:01:52.050150264Z",
+    "started_at": "2026-05-01T10:09:43.313198492Z",
     "duration_ms": 93,
     "platform": {
       "os": "linux",
diff --git a/scorecards/bottom-v0.12.3.json b/scorecards/bottom-v0.12.3.json
index ff5e457..349ccea 100644
--- a/scorecards/bottom-v0.12.3.json
+++ b/scorecards/bottom-v0.12.3.json
@@ -133,12 +133,11 @@
     "version": "bottom 0.12.3"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command btm --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:00:57.597989043Z",
+    "started_at": "2026-05-01T10:08:58.411623761Z",
     "duration_ms": 41,
     "platform": {
       "os": "linux",
diff --git a/scorecards/broot-v1.56.2.json b/scorecards/broot-v1.56.2.json
index 43f87e3..5402c34 100644
--- a/scorecards/broot-v1.56.2.json
+++ b/scorecards/broot-v1.56.2.json
@@ -133,12 +133,11 @@
     "version": "broot 1.56.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command broot --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:01:16.376517735Z",
+    "started_at": "2026-05-01T10:09:15.396632926Z",
     "duration_ms": 41,
     "platform": {
       "os": "linux",
diff --git a/scorecards/bun-v1.3.13.json b/scorecards/bun-v1.3.13.json
index 9bd7350..5eeb002 100644
--- a/scorecards/bun-v1.3.13.json
+++ b/scorecards/bun-v1.3.13.json
@@ -132,13 +132,12 @@
     "version": "1.3.13"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command bun --output json",
-    "started_at": "2026-04-30T23:01:15.03276085Z",
-    "duration_ms": 299,
+    "started_at": "2026-05-01T10:09:14.117573398Z",
+    "duration_ms": 298,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/cargo-binstall-v1.18.1.json b/scorecards/cargo-binstall-v1.18.1.json
index a3ecbb7..b46d682 100644
--- a/scorecards/cargo-binstall-v1.18.1.json
+++ b/scorecards/cargo-binstall-v1.18.1.json
@@ -132,12 +132,11 @@
     "version": "1.18.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command cargo-binstall --output json",
-    "started_at": "2026-04-30T23:01:15.79103723Z",
+    "started_at": "2026-05-01T10:09:14.868299338Z",
     "duration_ms": 63,
     "platform": {
       "os": "linux",
diff --git a/scorecards/cf-v0.0.5.json b/scorecards/cf-v0.0.5.json
index 6f754bc..5b5230c 100644
--- a/scorecards/cf-v0.0.5.json
+++ b/scorecards/cf-v0.0.5.json
@@ -132,13 +132,12 @@
     "version": "▄▄▄▄▄▄▄▄▄▄▄"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command cf --output json",
-    "started_at": "2026-04-30T23:01:06.016665708Z",
-    "duration_ms": 1780,
+    "started_at": "2026-05-01T10:09:06.543481738Z",
+    "duration_ms": 1678,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/claude-code-v2.1.123.json b/scorecards/claude-code-v2.1.126.json
similarity index 95%
rename from scorecards/claude-code-v2.1.123.json
rename to scorecards/claude-code-v2.1.126.json
index 6f53cf5..b1e7571 100644
--- a/scorecards/claude-code-v2.1.123.json
+++ b/scorecards/claude-code-v2.1.126.json
@@ -129,16 +129,15 @@
   "tool": {
     "name": "claude",
     "binary": "claude",
-    "version": "2.1.123 (Claude Code)"
+    "version": "2.1.126 (Claude Code)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command claude --output json",
-    "started_at": "2026-04-30T23:01:17.206434944Z",
-    "duration_ms": 1609,
+    "started_at": "2026-05-01T10:09:16.210909425Z",
+    "duration_ms": 1514,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/cmake-v4.3.2.json b/scorecards/cmake-v4.3.2.json
index 22f21d6..6a89365 100644
--- a/scorecards/cmake-v4.3.2.json
+++ b/scorecards/cmake-v4.3.2.json
@@ -132,12 +132,11 @@
     "version": "cmake version 4.3.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command cmake --output json",
-    "started_at": "2026-04-30T23:00:56.509362077Z",
+    "started_at": "2026-05-01T10:08:57.334520377Z",
     "duration_ms": 54,
     "platform": {
       "os": "linux",
diff --git a/scorecards/codex-v0.128.0.json b/scorecards/codex-v0.128.0.json
index 993f63b..76987c4 100644
--- a/scorecards/codex-v0.128.0.json
+++ b/scorecards/codex-v0.128.0.json
@@ -132,13 +132,12 @@
     "version": "codex-cli 0.128.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command codex --output json",
-    "started_at": "2026-04-30T23:01:18.899167552Z",
-    "duration_ms": 897,
+    "started_at": "2026-05-01T10:09:17.800252242Z",
+    "duration_ms": 804,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/cosign-v3.0.6.json b/scorecards/cosign-v3.0.6.json
index 7f1baf0..6f4677f 100644
--- a/scorecards/cosign-v3.0.6.json
+++ b/scorecards/cosign-v3.0.6.json
@@ -132,13 +132,12 @@
     "version": null
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command cosign --output json",
-    "started_at": "2026-04-30T23:01:16.542765649Z",
-    "duration_ms": 219,
+    "started_at": "2026-05-01T10:09:15.559732382Z",
+    "duration_ms": 218,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/curl-v8.20.0.json b/scorecards/curl-v8.20.0.json
index 99042fe..dea42a8 100644
--- a/scorecards/curl-v8.20.0.json
+++ b/scorecards/curl-v8.20.0.json
@@ -132,12 +132,11 @@
     "version": "curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.6.2 zlib/1.3.1.zlib-ng brotli/1.2.0 zstd/1.5.7 libidn2/2.3.8 libssh2/1.11.1 nghttp2/1.69.0 ngtcp2/1.22.1 nghttp3/1.15.0 mit-krb5/1.22.2 OpenLDAP/2.6.13"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command curl --output json",
-    "started_at": "2026-04-30T23:00:55.895446534Z",
+    "started_at": "2026-05-01T10:08:56.725654216Z",
     "duration_ms": 97,
     "platform": {
       "os": "linux",
diff --git a/scorecards/dasel-v3.8.1.json b/scorecards/dasel-v3.8.1.json
index 2f99226..1e8d8fd 100644
--- a/scorecards/dasel-v3.8.1.json
+++ b/scorecards/dasel-v3.8.1.json
@@ -132,13 +132,12 @@
     "version": null
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command dasel --output json",
-    "started_at": "2026-04-30T23:00:58.09179582Z",
-    "duration_ms": 116,
+    "started_at": "2026-05-01T10:08:58.896154691Z",
+    "duration_ms": 115,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/datasette-v0.65.2.json b/scorecards/datasette-v0.65.2.json
index 3705ff9..da36204 100644
--- a/scorecards/datasette-v0.65.2.json
+++ b/scorecards/datasette-v0.65.2.json
@@ -132,13 +132,12 @@
     "version": "datasette, version 0.65.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command datasette --output json",
-    "started_at": "2026-04-30T23:01:37.018259881Z",
-    "duration_ms": 8647,
+    "started_at": "2026-05-01T10:09:31.168775544Z",
+    "duration_ms": 8528,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/delta-v0.19.2.json b/scorecards/delta-v0.19.2.json
index f073a88..d0af3e7 100644
--- a/scorecards/delta-v0.19.2.json
+++ b/scorecards/delta-v0.19.2.json
@@ -132,12 +132,11 @@
     "version": "delta 0.19.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command delta --output json",
-    "started_at": "2026-04-30T23:00:59.040195495Z",
+    "started_at": "2026-05-01T10:08:59.806828774Z",
     "duration_ms": 66,
     "platform": {
       "os": "linux",
diff --git a/scorecards/deno-v2.7.14.json b/scorecards/deno-v2.7.14.json
index 822e543..ca56b4b 100644
--- a/scorecards/deno-v2.7.14.json
+++ b/scorecards/deno-v2.7.14.json
@@ -132,13 +132,12 @@
     "version": "deno 2.7.14 (stable, release, x86_64-unknown-linux-gnu)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command deno --output json",
-    "started_at": "2026-04-30T23:01:15.343366967Z",
-    "duration_ms": 436,
+    "started_at": "2026-05-01T10:09:14.427159211Z",
+    "duration_ms": 434,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/direnv-v2.37.1.json b/scorecards/direnv-v2.37.1.json
index 6a85ae0..8e7cd59 100644
--- a/scorecards/direnv-v2.37.1.json
+++ b/scorecards/direnv-v2.37.1.json
@@ -132,12 +132,11 @@
     "version": "2.37.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command direnv --output json",
-    "started_at": "2026-04-30T23:01:14.45531002Z",
+    "started_at": "2026-05-01T10:09:13.545791597Z",
     "duration_ms": 53,
     "platform": {
       "os": "linux",
diff --git a/scorecards/docker-v29.4.1.json b/scorecards/docker-v29.4.1.json
index 7c01077..7bdf633 100644
--- a/scorecards/docker-v29.4.1.json
+++ b/scorecards/docker-v29.4.1.json
@@ -132,12 +132,11 @@
     "version": "Docker version 29.4.1, build 055a478ea9"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command docker --output json",
-    "started_at": "2026-04-30T23:01:00.296205888Z",
+    "started_at": "2026-05-01T10:09:01.052502751Z",
     "duration_ms": 160,
     "platform": {
       "os": "linux",
diff --git a/scorecards/doggo-v1.1.5.json b/scorecards/doggo-v1.1.5.json
index 1779752..348517b 100644
--- a/scorecards/doggo-v1.1.5.json
+++ b/scorecards/doggo-v1.1.5.json
@@ -132,12 +132,11 @@
     "version": "1.1.5 - 2026-02-24T09:04:51Z"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command doggo --output json",
-    "started_at": "2026-04-30T23:01:55.055729968Z",
+    "started_at": "2026-05-01T10:09:44.316107459Z",
     "duration_ms": 64,
     "platform": {
       "os": "linux",
diff --git a/scorecards/dust-v1.2.4.json b/scorecards/dust-v1.2.4.json
index 87c93fa..84171f6 100644
--- a/scorecards/dust-v1.2.4.json
+++ b/scorecards/dust-v1.2.4.json
@@ -132,12 +132,11 @@
     "version": "Dust 1.2.4"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command dust --output json",
-    "started_at": "2026-04-30T23:00:57.338359455Z",
+    "started_at": "2026-05-01T10:08:58.152112779Z",
     "duration_ms": 93,
     "platform": {
       "os": "linux",
diff --git a/scorecards/eza-v0.23.4.json b/scorecards/eza-v0.23.4.json
index bba4fec..9b5010b 100644
--- a/scorecards/eza-v0.23.4.json
+++ b/scorecards/eza-v0.23.4.json
@@ -132,12 +132,11 @@
     "version": "eza - A modern, maintained replacement for ls"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command eza --output json",
-    "started_at": "2026-04-30T23:00:57.27575311Z",
+    "started_at": "2026-05-01T10:08:58.092645572Z",
     "duration_ms": 53,
     "platform": {
       "os": "linux",
diff --git a/scorecards/fd-v10.4.2.json b/scorecards/fd-v10.4.2.json
index 23daa29..464d310 100644
--- a/scorecards/fd-v10.4.2.json
+++ b/scorecards/fd-v10.4.2.json
@@ -132,12 +132,11 @@
     "version": "fd 10.4.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command fd --audit-profile file-traversal --output json",
-    "started_at": "2026-04-30T23:00:56.771523113Z",
+    "started_at": "2026-05-01T10:08:57.59222725Z",
     "duration_ms": 94,
     "platform": {
       "os": "linux",
diff --git a/scorecards/ffmpeg-v8.1.json b/scorecards/ffmpeg-v8.1.json
index 76f4254..782c33f 100644
--- a/scorecards/ffmpeg-v8.1.json
+++ b/scorecards/ffmpeg-v8.1.json
@@ -132,12 +132,11 @@
     "version": null
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command ffmpeg --output json",
-    "started_at": "2026-04-30T23:00:56.170584248Z",
+    "started_at": "2026-05-01T10:08:56.999566825Z",
     "duration_ms": 69,
     "platform": {
       "os": "linux",
diff --git a/scorecards/files-to-prompt-v0.6.json b/scorecards/files-to-prompt-v0.6.json
index 5c9780f..8e83cff 100644
--- a/scorecards/files-to-prompt-v0.6.json
+++ b/scorecards/files-to-prompt-v0.6.json
@@ -132,13 +132,12 @@
     "version": "files-to-prompt, version 0.6"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command files-to-prompt --output json",
-    "started_at": "2026-04-30T23:01:50.811371054Z",
-    "duration_ms": 451,
+    "started_at": "2026-05-01T10:09:42.207278933Z",
+    "duration_ms": 440,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/flyctl-v0.4.44.json b/scorecards/flyctl-v0.4.45.json
similarity index 95%
rename from scorecards/flyctl-v0.4.44.json
rename to scorecards/flyctl-v0.4.45.json
index e7b2e7b..82b61c6 100644
--- a/scorecards/flyctl-v0.4.44.json
+++ b/scorecards/flyctl-v0.4.45.json
@@ -129,16 +129,15 @@
   "tool": {
     "name": "fly",
     "binary": "fly",
-    "version": "flyctl version 0.4.44"
+    "version": "flyctl version 0.4.45"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command fly --output json",
-    "started_at": "2026-04-30T23:01:01.370955785Z",
-    "duration_ms": 175,
+    "started_at": "2026-05-01T10:09:02.142225363Z",
+    "duration_ms": 173,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/fzf-v0.72.0.json b/scorecards/fzf-v0.72.0.json
index d2920cb..961f32f 100644
--- a/scorecards/fzf-v0.72.0.json
+++ b/scorecards/fzf-v0.72.0.json
@@ -133,12 +133,11 @@
     "version": "0.72.0 (Homebrew)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command fzf --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:00:56.872591266Z",
+    "started_at": "2026-05-01T10:08:57.692216861Z",
     "duration_ms": 41,
     "platform": {
       "os": "linux",
diff --git a/scorecards/gemini-cli-v0.40.1.json b/scorecards/gemini-cli-v0.40.1.json
index 8299577..f3c04c3 100644
--- a/scorecards/gemini-cli-v0.40.1.json
+++ b/scorecards/gemini-cli-v0.40.1.json
@@ -132,13 +132,12 @@
     "version": "0.40.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command gemini --output json",
-    "started_at": "2026-04-30T23:01:55.790183342Z",
-    "duration_ms": 6818,
+    "started_at": "2026-05-01T10:09:45.009599774Z",
+    "duration_ms": 6380,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/gh-v2.92.0.json b/scorecards/gh-v2.92.0.json
index 3cb1edb..0553d93 100644
--- a/scorecards/gh-v2.92.0.json
+++ b/scorecards/gh-v2.92.0.json
@@ -132,13 +132,12 @@
     "version": "gh version 2.92.0 (2026-04-28)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command gh --output json",
-    "started_at": "2026-04-30T23:00:58.555799299Z",
-    "duration_ms": 143,
+    "started_at": "2026-05-01T10:08:59.352899777Z",
+    "duration_ms": 119,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/git-cliff-v2.13.1.json b/scorecards/git-cliff-v2.13.1.json
index f8353c7..54373dd 100644
--- a/scorecards/git-cliff-v2.13.1.json
+++ b/scorecards/git-cliff-v2.13.1.json
@@ -132,12 +132,11 @@
     "version": "git-cliff 2.13.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command git-cliff --output json",
-    "started_at": "2026-04-30T23:00:58.936721616Z",
+    "started_at": "2026-05-01T10:08:59.704381878Z",
     "duration_ms": 95,
     "platform": {
       "os": "linux",
diff --git a/scorecards/git-v2.54.0.json b/scorecards/git-v2.54.0.json
index 3f6ad9a..5bd8ada 100644
--- a/scorecards/git-v2.54.0.json
+++ b/scorecards/git-v2.54.0.json
@@ -132,12 +132,11 @@
     "version": "git version 2.54.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command git --output json",
-    "started_at": "2026-04-30T23:00:56.002266629Z",
+    "started_at": "2026-05-01T10:08:56.831575678Z",
     "duration_ms": 53,
     "platform": {
       "os": "linux",
diff --git a/scorecards/gitleaks-v8.30.1.json b/scorecards/gitleaks-v8.30.1.json
index 44ca4f4..5e97d51 100644
--- a/scorecards/gitleaks-v8.30.1.json
+++ b/scorecards/gitleaks-v8.30.1.json
@@ -132,12 +132,11 @@
     "version": "gitleaks version 8.30.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command gitleaks --output json",
-    "started_at": "2026-04-30T23:00:59.119464067Z",
+    "started_at": "2026-05-01T10:08:59.881452787Z",
     "duration_ms": 55,
     "platform": {
       "os": "linux",
diff --git a/scorecards/gitui-v0.28.1.json b/scorecards/gitui-v0.28.1.json
index cdc88e8..dae9f05 100644
--- a/scorecards/gitui-v0.28.1.json
+++ b/scorecards/gitui-v0.28.1.json
@@ -133,12 +133,11 @@
     "version": "gitui 0.28.1-nightly 2026-03-24 ()"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command gitui --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:00:59.182293815Z",
+    "started_at": "2026-05-01T10:08:59.943077186Z",
     "duration_ms": 41,
     "platform": {
       "os": "linux",
diff --git a/scorecards/glow-v2.1.2.json b/scorecards/glow-v2.1.2.json
index 74c0631..9028d2b 100644
--- a/scorecards/glow-v2.1.2.json
+++ b/scorecards/glow-v2.1.2.json
@@ -132,13 +132,12 @@
     "version": "glow version 2.1.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command glow --output json",
-    "started_at": "2026-04-30T23:00:57.667679314Z",
-    "duration_ms": 114,
+    "started_at": "2026-05-01T10:08:58.480203451Z",
+    "duration_ms": 113,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/goose-v3.27.1.json b/scorecards/goose-v3.27.1.json
index 5ff9d72..a7e8c9e 100644
--- a/scorecards/goose-v3.27.1.json
+++ b/scorecards/goose-v3.27.1.json
@@ -132,13 +132,12 @@
     "version": "goose version: v3.27.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command goose --output json",
-    "started_at": "2026-04-30T23:01:19.807515443Z",
-    "duration_ms": 415,
+    "started_at": "2026-05-01T10:09:18.615010426Z",
+    "duration_ms": 414,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/gum-v0.17.0.json b/scorecards/gum-v0.17.0.json
index 0763579..22269ab 100644
--- a/scorecards/gum-v0.17.0.json
+++ b/scorecards/gum-v0.17.0.json
@@ -132,12 +132,11 @@
     "version": "gum version 0.17.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command gum --output json",
-    "started_at": "2026-04-30T23:01:51.383225905Z",
+    "started_at": "2026-05-01T10:09:42.673726389Z",
     "duration_ms": 324,
     "platform": {
       "os": "linux",
diff --git a/scorecards/helm-v4.1.4.json b/scorecards/helm-v4.1.4.json
index df55211..8b82f2f 100644
--- a/scorecards/helm-v4.1.4.json
+++ b/scorecards/helm-v4.1.4.json
@@ -132,13 +132,12 @@
     "version": null
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command helm --output json",
-    "started_at": "2026-04-30T23:01:00.724148944Z",
-    "duration_ms": 207,
+    "started_at": "2026-05-01T10:09:01.473696903Z",
+    "duration_ms": 204,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/hyperfine-v1.20.0.json b/scorecards/hyperfine-v1.20.0.json
index c3e5974..8a3eed0 100644
--- a/scorecards/hyperfine-v1.20.0.json
+++ b/scorecards/hyperfine-v1.20.0.json
@@ -132,12 +132,11 @@
     "version": "hyperfine 1.20.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command hyperfine --output json",
-    "started_at": "2026-04-30T23:00:59.74765287Z",
+    "started_at": "2026-05-01T10:09:00.506450332Z",
     "duration_ms": 93,
     "platform": {
       "os": "linux",
diff --git a/scorecards/jj-v0.40.0.json b/scorecards/jj-v0.40.0.json
index d1a41a4..d50ccc1 100644
--- a/scorecards/jj-v0.40.0.json
+++ b/scorecards/jj-v0.40.0.json
@@ -132,13 +132,12 @@
     "version": "jj 0.40.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command jj --output json",
-    "started_at": "2026-04-30T23:00:59.234107725Z",
-    "duration_ms": 507,
+    "started_at": "2026-05-01T10:08:59.99436346Z",
+    "duration_ms": 506,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/jnv-v0.7.1.json b/scorecards/jnv-v0.7.1.json
index 47766d9..949ca89 100644
--- a/scorecards/jnv-v0.7.1.json
+++ b/scorecards/jnv-v0.7.1.json
@@ -133,12 +133,11 @@
     "version": "jnv 0.7.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command jnv --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:01:55.007198824Z",
+    "started_at": "2026-05-01T10:09:44.267538803Z",
     "duration_ms": 41,
     "platform": {
       "os": "linux",
diff --git a/scorecards/jq-v1.8.1.json b/scorecards/jq-v1.8.1.json
index 28af1d1..6e39c0f 100644
--- a/scorecards/jq-v1.8.1.json
+++ b/scorecards/jq-v1.8.1.json
@@ -132,12 +132,11 @@
     "version": "jq-1.8.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command jq --output json",
-    "started_at": "2026-04-30T23:00:57.04231777Z",
+    "started_at": "2026-05-01T10:08:57.860165307Z",
     "duration_ms": 52,
     "platform": {
       "os": "linux",
diff --git a/scorecards/just-v1.50.0.json b/scorecards/just-v1.50.0.json
index 4919bb2..674818e 100644
--- a/scorecards/just-v1.50.0.json
+++ b/scorecards/just-v1.50.0.json
@@ -132,13 +132,12 @@
     "version": "just 1.50.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command just --output json",
-    "started_at": "2026-04-30T23:01:13.613071518Z",
-    "duration_ms": 289,
+    "started_at": "2026-05-01T10:09:12.727412796Z",
+    "duration_ms": 288,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/kubectl-v1.36.0.json b/scorecards/kubectl-v1.36.0.json
index 3b564f5..a7771dc 100644
--- a/scorecards/kubectl-v1.36.0.json
+++ b/scorecards/kubectl-v1.36.0.json
@@ -132,13 +132,12 @@
     "version": null
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command kubectl --output json",
-    "started_at": "2026-04-30T23:01:00.486205726Z",
-    "duration_ms": 206,
+    "started_at": "2026-05-01T10:09:01.239976136Z",
+    "duration_ms": 204,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/lazygit-v0.61.1.json b/scorecards/lazygit-v0.61.1.json
index f6a6030..881cec5 100644
--- a/scorecards/lazygit-v0.61.1.json
+++ b/scorecards/lazygit-v0.61.1.json
@@ -133,13 +133,12 @@
     "version": "commit=, build date=, build source=Homebrew, version=0.61.1, os=linux, arch=amd64, git version=2.54.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command lazygit --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:00:58.71305818Z",
-    "duration_ms": 215,
+    "started_at": "2026-05-01T10:08:59.482160137Z",
+    "duration_ms": 214,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/llm-v0.31.json b/scorecards/llm-v0.31.json
index e4ed996..2e14de1 100644
--- a/scorecards/llm-v0.31.json
+++ b/scorecards/llm-v0.31.json
@@ -60,8 +60,8 @@
       "label": "Non-interactive by default",
       "group": "P1",
       "layer": "behavioral",
-      "status": "warn",
-      "evidence": "binary may be waiting for interactive input",
+      "status": "pass",
+      "evidence": null,
       "confidence": "high"
     },
     {
@@ -69,8 +69,8 @@
       "label": "Non-interactive gate flag advertised in --help",
       "group": "P1",
       "layer": "behavioral",
-      "status": "warn",
-      "evidence": "no non-interactive flag found in --help; expected one of: --no-interactive, --non-interactive, -p, --print, --no-input, --batch, --headless, -y, --yes, --assume-yes",
+      "status": "skip",
+      "evidence": "target satisfies P1 via alternative gate (help-on-bare or stdin-primary)",
       "confidence": "high"
     },
     {
@@ -103,10 +103,10 @@
   ],
   "summary": {
     "total": 11,
-    "pass": 5,
-    "warn": 5,
+    "pass": 6,
+    "warn": 3,
     "fail": 0,
-    "skip": 1,
+    "skip": 2,
     "error": 0
   },
   "coverage_summary": {
@@ -123,7 +123,7 @@
       "verified": 0
     }
   },
-  "audience": "human-primary",
+  "audience": "mixed",
   "audit_profile": null,
   "spec_version": "0.3.0",
   "tool": {
@@ -132,13 +132,12 @@
     "version": "llm, version 0.31"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command llm --output json",
-    "started_at": "2026-04-30T23:01:23.733592219Z",
-    "duration_ms": 11357,
+    "started_at": "2026-05-01T10:09:22.57262722Z",
+    "duration_ms": 7696,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
@@ -151,7 +150,7 @@
   },
   "badge": {
     "eligible": false,
-    "score_pct": 50,
+    "score_pct": 67,
     "embed_markdown": null,
     "scorecard_url": "https://anc.dev/score/llm",
     "badge_url": "https://anc.dev/badge/llm.svg",
diff --git a/scorecards/lsd-v1.2.0.json b/scorecards/lsd-v1.2.0.json
index 254272d..caf4411 100644
--- a/scorecards/lsd-v1.2.0.json
+++ b/scorecards/lsd-v1.2.0.json
@@ -132,12 +132,11 @@
     "version": "lsd 1.2.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command lsd --output json",
-    "started_at": "2026-04-30T23:00:57.788366606Z",
+    "started_at": "2026-05-01T10:08:58.598826113Z",
     "duration_ms": 52,
     "platform": {
       "os": "linux",
diff --git a/scorecards/make-v4.4.1.json b/scorecards/make-v4.4.1.json
index a896fb5..473a2aa 100644
--- a/scorecards/make-v4.4.1.json
+++ b/scorecards/make-v4.4.1.json
@@ -132,12 +132,11 @@
     "version": "GNU Make 4.4.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command make --output json",
-    "started_at": "2026-04-30T23:00:56.061271106Z",
+    "started_at": "2026-05-01T10:08:56.890763193Z",
     "duration_ms": 93,
     "platform": {
       "os": "linux",
diff --git a/scorecards/miller-v6.18.1.json b/scorecards/miller-v6.18.1.json
index 18f498d..1f3c926 100644
--- a/scorecards/miller-v6.18.1.json
+++ b/scorecards/miller-v6.18.1.json
@@ -132,13 +132,12 @@
     "version": "mlr 6.18.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command mlr --output json",
-    "started_at": "2026-04-30T23:00:57.968342658Z",
-    "duration_ms": 115,
+    "started_at": "2026-05-01T10:08:58.774005353Z",
+    "duration_ms": 113,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/miniserve-v0.35.0.json b/scorecards/miniserve-v0.35.0.json
index 7691629..7c39a4e 100644
--- a/scorecards/miniserve-v0.35.0.json
+++ b/scorecards/miniserve-v0.35.0.json
@@ -132,12 +132,11 @@
     "version": "miniserve 0.35.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command miniserve --output json",
-    "started_at": "2026-04-30T23:01:00.231184327Z",
+    "started_at": "2026-05-01T10:09:00.988409096Z",
     "duration_ms": 53,
     "platform": {
       "os": "linux",
diff --git a/scorecards/mise-v2026.4.28.json b/scorecards/mise-v2026.4.28.json
index 703f704..356e1e4 100644
--- a/scorecards/mise-v2026.4.28.json
+++ b/scorecards/mise-v2026.4.28.json
@@ -132,12 +132,11 @@
     "version": "2026.4.28 linux-x64 (2026-04-30)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command mise --output json",
-    "started_at": "2026-04-30T23:01:14.348144272Z",
+    "started_at": "2026-05-01T10:09:13.438905685Z",
     "duration_ms": 100,
     "platform": {
       "os": "linux",
diff --git a/scorecards/mods-v1.8.1.json b/scorecards/mods-v1.8.1.json
index 3860325..2360212 100644
--- a/scorecards/mods-v1.8.1.json
+++ b/scorecards/mods-v1.8.1.json
@@ -132,13 +132,12 @@
     "version": "mods version 1.8.1 (Homebre)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command mods --output json",
-    "started_at": "2026-04-30T23:01:21.642822721Z",
-    "duration_ms": 236,
+    "started_at": "2026-05-01T10:09:20.426052739Z",
+    "duration_ms": 245,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/navi-v2.24.0.json b/scorecards/navi-v2.24.0.json
index 64feadf..9f03d64 100644
--- a/scorecards/navi-v2.24.0.json
+++ b/scorecards/navi-v2.24.0.json
@@ -133,12 +133,11 @@
     "version": "navi 2.24.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command navi --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:01:54.576817832Z",
+    "started_at": "2026-05-01T10:09:43.837198966Z",
     "duration_ms": 82,
     "platform": {
       "os": "linux",
diff --git a/scorecards/nushell-v0.112.2.json b/scorecards/nushell-v0.112.2.json
index 800c779..fb3b03c 100644
--- a/scorecards/nushell-v0.112.2.json
+++ b/scorecards/nushell-v0.112.2.json
@@ -132,12 +132,11 @@
     "version": "0.112.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command nu --output json",
-    "started_at": "2026-04-30T23:01:52.303570329Z",
+    "started_at": "2026-05-01T10:09:43.515326737Z",
     "duration_ms": 65,
     "platform": {
       "os": "linux",
diff --git a/scorecards/nvidia-smi-v570.211.01.json b/scorecards/nvidia-smi-v570.211.01.json
index f4eb9da..cc600ad 100644
--- a/scorecards/nvidia-smi-v570.211.01.json
+++ b/scorecards/nvidia-smi-v570.211.01.json
@@ -132,12 +132,11 @@
     "version": "NVIDIA-SMI version  : 570.211.01"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command nvidia-smi --output json",
-    "started_at": "2026-04-30T23:00:56.254832323Z",
+    "started_at": "2026-05-01T10:08:57.082018617Z",
     "duration_ms": 244,
     "platform": {
       "os": "linux",
diff --git a/scorecards/ollama-v0.22.0.json b/scorecards/ollama-v0.22.1.json
similarity index 96%
rename from scorecards/ollama-v0.22.0.json
rename to scorecards/ollama-v0.22.1.json
index 01bc42e..3432a07 100644
--- a/scorecards/ollama-v0.22.0.json
+++ b/scorecards/ollama-v0.22.1.json
@@ -129,15 +129,14 @@
   "tool": {
     "name": "ollama",
     "binary": "ollama",
-    "version": "ollama version is 0.22.0"
+    "version": "ollama version is 0.22.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command ollama --output json",
-    "started_at": "2026-04-30T23:01:21.897709096Z",
+    "started_at": "2026-05-01T10:09:20.685066005Z",
     "duration_ms": 563,
     "platform": {
       "os": "linux",
diff --git a/scorecards/opencode-v1.14.30.json b/scorecards/opencode-v1.14.31.json
similarity index 96%
rename from scorecards/opencode-v1.14.30.json
rename to scorecards/opencode-v1.14.31.json
index e84804e..2fa846d 100644
--- a/scorecards/opencode-v1.14.30.json
+++ b/scorecards/opencode-v1.14.31.json
@@ -129,16 +129,15 @@
   "tool": {
     "name": "opencode",
     "binary": "opencode",
-    "version": "1.14.30"
+    "version": "1.14.31"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command opencode --output json",
-    "started_at": "2026-04-30T23:02:03.126913379Z",
-    "duration_ms": 8278,
+    "started_at": "2026-05-01T10:09:51.892415056Z",
+    "duration_ms": 8164,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/pandoc-v3.9.0.json b/scorecards/pandoc-v3.9.0.json
index 5843eaf..996907f 100644
--- a/scorecards/pandoc-v3.9.0.json
+++ b/scorecards/pandoc-v3.9.0.json
@@ -132,12 +132,11 @@
     "version": "pandoc 3.9.0.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command pandoc --output json",
-    "started_at": "2026-04-30T23:00:58.319785662Z",
+    "started_at": "2026-05-01T10:08:59.121591694Z",
     "duration_ms": 96,
     "platform": {
       "os": "linux",
diff --git a/scorecards/pastel-v0.12.0.json b/scorecards/pastel-v0.12.0.json
index 7833cfe..2497078 100644
--- a/scorecards/pastel-v0.12.0.json
+++ b/scorecards/pastel-v0.12.0.json
@@ -132,12 +132,11 @@
     "version": "pastel 0.12.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command pastel --output json",
-    "started_at": "2026-04-30T23:01:54.722979942Z",
+    "started_at": "2026-05-01T10:09:43.983599562Z",
     "duration_ms": 277,
     "platform": {
       "os": "linux",
diff --git a/scorecards/pixi-v0.67.2.json b/scorecards/pixi-v0.67.2.json
index 1deb5e7..8833676 100644
--- a/scorecards/pixi-v0.67.2.json
+++ b/scorecards/pixi-v0.67.2.json
@@ -132,13 +132,12 @@
     "version": "pixi 0.67.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command pixi --output json",
-    "started_at": "2026-04-30T23:01:15.865087526Z",
-    "duration_ms": 128,
+    "started_at": "2026-05-01T10:09:14.941017441Z",
+    "duration_ms": 127,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/procs-v0.14.11.json b/scorecards/procs-v0.14.11.json
index 49b2aa5..bf70bb7 100644
--- a/scorecards/procs-v0.14.11.json
+++ b/scorecards/procs-v0.14.11.json
@@ -132,13 +132,12 @@
     "version": "procs 0.14.11"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command procs --output json",
-    "started_at": "2026-04-30T23:00:57.438138095Z",
-    "duration_ms": 153,
+    "started_at": "2026-05-01T10:08:58.251290093Z",
+    "duration_ms": 154,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/qmd-v2.1.0.json b/scorecards/qmd-v2.1.0.json
index 82c151d..f424120 100644
--- a/scorecards/qmd-v2.1.0.json
+++ b/scorecards/qmd-v2.1.0.json
@@ -132,13 +132,12 @@
     "version": "qmd 2.1.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command qmd --output json",
-    "started_at": "2026-04-30T23:02:11.703648937Z",
-    "duration_ms": 1689,
+    "started_at": "2026-05-01T10:10:00.349364522Z",
+    "duration_ms": 1651,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/rclone-v1.73.5.json b/scorecards/rclone-v1.73.5.json
index ffbf71b..8653005 100644
--- a/scorecards/rclone-v1.73.5.json
+++ b/scorecards/rclone-v1.73.5.json
@@ -132,13 +132,12 @@
     "version": "rclone v1.73.5"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command rclone --output json",
-    "started_at": "2026-04-30T23:01:16.021001551Z",
-    "duration_ms": 173,
+    "started_at": "2026-05-01T10:09:15.094898063Z",
+    "duration_ms": 121,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/ripgrep-v15.1.0.json b/scorecards/ripgrep-v15.1.0.json
index eef2994..877bcf9 100644
--- a/scorecards/ripgrep-v15.1.0.json
+++ b/scorecards/ripgrep-v15.1.0.json
@@ -132,13 +132,12 @@
     "version": "ripgrep 15.1.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command rg --output json",
-    "started_at": "2026-04-30T23:00:56.708445322Z",
-    "duration_ms": 55,
+    "started_at": "2026-05-01T10:08:57.531460539Z",
+    "duration_ms": 54,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/rsync-v3.4.2.json b/scorecards/rsync-v3.4.2.json
index 8acb0b0..43c4872 100644
--- a/scorecards/rsync-v3.4.2.json
+++ b/scorecards/rsync-v3.4.2.json
@@ -132,12 +132,11 @@
     "version": "rsync  version 3.4.2  protocol version 32"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command rsync --output json",
-    "started_at": "2026-04-30T23:00:56.570319675Z",
+    "started_at": "2026-05-01T10:08:57.394957564Z",
     "duration_ms": 73,
     "platform": {
       "os": "linux",
diff --git a/scorecards/ruff-v0.15.12.json b/scorecards/ruff-v0.15.12.json
index 5e51567..5faf164 100644
--- a/scorecards/ruff-v0.15.12.json
+++ b/scorecards/ruff-v0.15.12.json
@@ -132,12 +132,11 @@
     "version": "ruff 0.15.12"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command ruff --output json",
-    "started_at": "2026-04-30T23:01:14.858719852Z",
+    "started_at": "2026-05-01T10:09:13.944915194Z",
     "duration_ms": 104,
     "platform": {
       "os": "linux",
diff --git a/scorecards/scc-v3.7.0.json b/scorecards/scc-v3.7.0.json
index 2b667c9..15d53af 100644
--- a/scorecards/scc-v3.7.0.json
+++ b/scorecards/scc-v3.7.0.json
@@ -132,12 +132,11 @@
     "version": "scc version 3.7.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command scc --output json",
-    "started_at": "2026-04-30T23:00:59.947662675Z",
+    "started_at": "2026-05-01T10:09:00.705613967Z",
     "duration_ms": 135,
     "platform": {
       "os": "linux",
diff --git a/scorecards/sd-v1.0.0.json b/scorecards/sd-v1.0.0.json
index 878a1f9..168cc4b 100644
--- a/scorecards/sd-v1.0.0.json
+++ b/scorecards/sd-v1.0.0.json
@@ -132,12 +132,11 @@
     "version": "sd 1.0.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command sd --output json",
-    "started_at": "2026-04-30T23:00:57.89703235Z",
+    "started_at": "2026-05-01T10:08:58.70427808Z",
     "duration_ms": 52,
     "platform": {
       "os": "linux",
diff --git a/scorecards/shell-gpt-v3.14.json b/scorecards/shell-gpt-v3.14.json
index e4460d0..8f164f0 100644
--- a/scorecards/shell-gpt-v3.14.json
+++ b/scorecards/shell-gpt-v3.14.json
@@ -132,13 +132,12 @@
     "version": null
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command sgpt --output json",
-    "started_at": "2026-04-30T23:01:20.70044998Z",
-    "duration_ms": 921,
+    "started_at": "2026-05-01T10:09:19.541040477Z",
+    "duration_ms": 866,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/shellcheck-v0.11.0.json b/scorecards/shellcheck-v0.11.0.json
index 352ecd8..55f5c63 100644
--- a/scorecards/shellcheck-v0.11.0.json
+++ b/scorecards/shellcheck-v0.11.0.json
@@ -132,13 +132,12 @@
     "version": "ShellCheck - shell script analysis tool"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command shellcheck --output json",
-    "started_at": "2026-04-30T23:01:13.976121593Z",
-    "duration_ms": 94,
+    "started_at": "2026-05-01T10:09:13.083007629Z",
+    "duration_ms": 93,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/sqlite-utils-v3.39.json b/scorecards/sqlite-utils-v3.39.json
index cdfe0d8..be59637 100644
--- a/scorecards/sqlite-utils-v3.39.json
+++ b/scorecards/sqlite-utils-v3.39.json
@@ -132,13 +132,12 @@
     "version": "sqlite-utils, version 3.39"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command sqlite-utils --output json",
-    "started_at": "2026-04-30T23:01:47.423595482Z",
-    "duration_ms": 2207,
+    "started_at": "2026-05-01T10:09:39.976850005Z",
+    "duration_ms": 2117,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/starship-v1.25.0.json b/scorecards/starship-v1.25.1.json
similarity index 95%
rename from scorecards/starship-v1.25.0.json
rename to scorecards/starship-v1.25.1.json
index fd1c4ae..3e89934 100644
--- a/scorecards/starship-v1.25.0.json
+++ b/scorecards/starship-v1.25.1.json
@@ -129,16 +129,15 @@
   "tool": {
     "name": "starship",
     "binary": "starship",
-    "version": "starship 1.25.0"
+    "version": "starship 1.25.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command starship --output json",
-    "started_at": "2026-04-30T23:01:14.515564629Z",
-    "duration_ms": 166,
+    "started_at": "2026-05-01T10:09:13.604925831Z",
+    "duration_ms": 165,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/supabase-v2.95.4.json b/scorecards/supabase-v2.95.4.json
index 43fb81a..5042133 100644
--- a/scorecards/supabase-v2.95.4.json
+++ b/scorecards/supabase-v2.95.4.json
@@ -132,13 +132,12 @@
     "version": "2.95.4"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command supabase --output json",
-    "started_at": "2026-04-30T23:01:12.463235011Z",
-    "duration_ms": 1143,
+    "started_at": "2026-05-01T10:09:11.620731761Z",
+    "duration_ms": 1100,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/tealdeer-v1.8.1.json b/scorecards/tealdeer-v1.8.1.json
index 10816ae..e17d9af 100644
--- a/scorecards/tealdeer-v1.8.1.json
+++ b/scorecards/tealdeer-v1.8.1.json
@@ -132,12 +132,11 @@
     "version": "tealdeer 1.8.1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command tldr --output json",
-    "started_at": "2026-04-30T23:01:54.664806325Z",
+    "started_at": "2026-05-01T10:09:43.925540939Z",
     "duration_ms": 52,
     "platform": {
       "os": "linux",
diff --git a/scorecards/terraform-v1.15.0.json b/scorecards/terraform-v1.15.0.json
index 10669e9..93008f1 100644
--- a/scorecards/terraform-v1.15.0.json
+++ b/scorecards/terraform-v1.15.0.json
@@ -132,13 +132,12 @@
     "version": "Terraform v1.15.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command terraform --output json",
-    "started_at": "2026-04-30T23:01:01.220455516Z",
-    "duration_ms": 120,
+    "started_at": "2026-05-01T10:09:01.995362703Z",
+    "duration_ms": 118,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/tmux-v3.6.json b/scorecards/tmux-v3.6.json
index 24974a6..a057c47 100644
--- a/scorecards/tmux-v3.6.json
+++ b/scorecards/tmux-v3.6.json
@@ -133,12 +133,11 @@
     "version": "tmux 3.6a"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command tmux --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:00:56.650544357Z",
+    "started_at": "2026-05-01T10:08:57.474013172Z",
     "duration_ms": 51,
     "platform": {
       "os": "linux",
diff --git a/scorecards/tokei-v14.0.0.json b/scorecards/tokei-v14.0.0.json
index 74b4f7a..b627623 100644
--- a/scorecards/tokei-v14.0.0.json
+++ b/scorecards/tokei-v14.0.0.json
@@ -132,12 +132,11 @@
     "version": "tokei 14.0.0 compiled with serialization support: json, cbor, yaml"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command tokei --output json",
-    "started_at": "2026-04-30T23:00:59.847122737Z",
+    "started_at": "2026-05-01T10:09:00.605335672Z",
     "duration_ms": 93,
     "platform": {
       "os": "linux",
diff --git a/scorecards/trivy-v0.70.0.json b/scorecards/trivy-v0.70.0.json
index fca3d70..776a889 100644
--- a/scorecards/trivy-v0.70.0.json
+++ b/scorecards/trivy-v0.70.0.json
@@ -132,13 +132,12 @@
     "version": "Version: 0.70.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command trivy --output json",
-    "started_at": "2026-04-30T23:01:16.805926373Z",
-    "duration_ms": 320,
+    "started_at": "2026-05-01T10:09:15.819712508Z",
+    "duration_ms": 317,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/typst-v0.14.2.json b/scorecards/typst-v0.14.2.json
index 9a164ca..e4ed89a 100644
--- a/scorecards/typst-v0.14.2.json
+++ b/scorecards/typst-v0.14.2.json
@@ -132,12 +132,11 @@
     "version": "typst 0.14.2 (unknown hash)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command typst --output json",
-    "started_at": "2026-04-30T23:00:58.424178101Z",
+    "started_at": "2026-05-01T10:08:59.224514175Z",
     "duration_ms": 105,
     "platform": {
       "os": "linux",
diff --git a/scorecards/uv-v0.11.8.json b/scorecards/uv-v0.11.8.json
index 47f4db3..c9cb649 100644
--- a/scorecards/uv-v0.11.8.json
+++ b/scorecards/uv-v0.11.8.json
@@ -132,13 +132,12 @@
     "version": "uv 0.11.8 (Homebrew 2026-04-27 x86_64-unknown-linux-gnu)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command uv --output json",
-    "started_at": "2026-04-30T23:01:14.69366541Z",
-    "duration_ms": 158,
+    "started_at": "2026-05-01T10:09:13.780778287Z",
+    "duration_ms": 157,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/vhs-v0.11.0.json b/scorecards/vhs-v0.11.0.json
index 8903f96..e27d090 100644
--- a/scorecards/vhs-v0.11.0.json
+++ b/scorecards/vhs-v0.11.0.json
@@ -132,12 +132,11 @@
     "version": "vhs version 0.11.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command vhs --output json",
-    "started_at": "2026-04-30T23:01:51.724928287Z",
+    "started_at": "2026-05-01T10:09:43.014553591Z",
     "duration_ms": 194,
     "platform": {
       "os": "linux",
diff --git a/scorecards/watchexec-v2.5.1.json b/scorecards/watchexec-v2.5.1.json
index d3f28c3..5450a39 100644
--- a/scorecards/watchexec-v2.5.1.json
+++ b/scorecards/watchexec-v2.5.1.json
@@ -132,12 +132,11 @@
     "version": "watchexec 2.5.1 (2026-03-30) +pid1"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command watchexec --output json",
-    "started_at": "2026-04-30T23:01:13.90990815Z",
+    "started_at": "2026-05-01T10:09:13.022514641Z",
     "duration_ms": 54,
     "platform": {
       "os": "linux",
diff --git a/scorecards/wrangler-v4.86.0.json b/scorecards/wrangler-v4.86.0.json
index 0f11575..d5a6196 100644
--- a/scorecards/wrangler-v4.86.0.json
+++ b/scorecards/wrangler-v4.86.0.json
@@ -132,13 +132,12 @@
     "version": "4.86.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command wrangler --output json",
-    "started_at": "2026-04-30T23:01:02.131812807Z",
-    "duration_ms": 3581,
+    "started_at": "2026-05-01T10:09:02.861825665Z",
+    "duration_ms": 3402,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/xh-v0.25.3.json b/scorecards/xh-v0.25.3.json
index 9f5a1a1..cba79de 100644
--- a/scorecards/xh-v0.25.3.json
+++ b/scorecards/xh-v0.25.3.json
@@ -132,13 +132,12 @@
     "version": "xh 0.25.3"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command xh --output json",
-    "started_at": "2026-04-30T23:01:00.089824786Z",
-    "duration_ms": 135,
+    "started_at": "2026-05-01T10:09:00.847538306Z",
+    "duration_ms": 134,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/xr-v1.2.0.json b/scorecards/xr-v1.2.0.json
index 362bb6d..173c376 100644
--- a/scorecards/xr-v1.2.0.json
+++ b/scorecards/xr-v1.2.0.json
@@ -132,12 +132,11 @@
     "version": "xr 1.2.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command xr --output json",
-    "started_at": "2026-04-30T23:01:52.168332797Z",
+    "started_at": "2026-05-01T10:09:43.412889991Z",
     "duration_ms": 93,
     "platform": {
       "os": "linux",
diff --git a/scorecards/xsv-v0.13.0.json b/scorecards/xsv-v0.13.0.json
index bdd080d..0602d68 100644
--- a/scorecards/xsv-v0.13.0.json
+++ b/scorecards/xsv-v0.13.0.json
@@ -132,13 +132,12 @@
     "version": "0.13.0"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command xsv --output json",
-    "started_at": "2026-04-30T23:00:57.101777521Z",
-    "duration_ms": 105,
+    "started_at": "2026-05-01T10:08:57.919600824Z",
+    "duration_ms": 104,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/yazi-v26.1.22.json b/scorecards/yazi-v26.1.22.json
index 4f30a1d..c17a647 100644
--- a/scorecards/yazi-v26.1.22.json
+++ b/scorecards/yazi-v26.1.22.json
@@ -133,12 +133,11 @@
     "version": "Yazi 26.1.22 (Homebrew 2026-01-22)"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command yazi --audit-profile human-tui --output json",
-    "started_at": "2026-04-30T23:01:16.207785814Z",
+    "started_at": "2026-05-01T10:09:15.228804711Z",
     "duration_ms": 41,
     "platform": {
       "os": "linux",
diff --git a/scorecards/yq-v4.53.2.json b/scorecards/yq-v4.53.2.json
index 2761c66..0f20a71 100644
--- a/scorecards/yq-v4.53.2.json
+++ b/scorecards/yq-v4.53.2.json
@@ -132,13 +132,12 @@
     "version": "yq (https://github.com/mikefarah/yq/) version v4.53.2"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command yq --output json",
-    "started_at": "2026-04-30T23:00:58.215718726Z",
-    "duration_ms": 95,
+    "started_at": "2026-05-01T10:08:59.019259718Z",
+    "duration_ms": 94,
     "platform": {
       "os": "linux",
       "arch": "x86_64"
diff --git a/scorecards/zoxide-v0.9.9.json b/scorecards/zoxide-v0.9.9.json
index 1c13126..490e2e1 100644
--- a/scorecards/zoxide-v0.9.9.json
+++ b/scorecards/zoxide-v0.9.9.json
@@ -132,13 +132,12 @@
     "version": "zoxide 0.9.9"
   },
   "anc": {
-    "version": "0.2.0",
-    "commit": "06a307c"
+    "version": "0.3.0"
   },
   "run": {
     "invocation": "anc check --command zoxide --output json",
-    "started_at": "2026-04-30T23:01:16.255763733Z",
-    "duration_ms": 114,
+    "started_at": "2026-05-01T10:09:15.276332527Z",
+    "duration_ms": 113,
     "platform": {
       "os": "linux",
       "arch": "x86_64"

From e47d394c49929bf4ac17cf0250227272a53404c5 Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Sat, 2 May 2026 23:43:35 -0500
Subject: [PATCH 8/9] docs(releases): document status-check context pitfall
 (#71)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Adds a "Status-check context pitfall" subsection under the "Branch
protection"
section of `RELEASES.md`. Captures the exact-match rule for
`required_status_checks[].context` strings in `protect-main.json` and
the
`gh api .../check-runs` diagnostic command for confirming real check
contexts after a first CI run.

The pitfall: inline jobs publish their context as just `<job-name>`;
reusable-workflow callers publish as `<caller-job-id> /
<reusable-job-id-or-name>`. Mixing these produces a stuck-but-green PR —
every check reports green but the ruleset waits forever on a context
that
never appears.

## Changelog

### Documentation

- Document the `protect-main.json` status-check context format gotcha
and
  the `gh api .../check-runs` diagnostic.

## Type of Change

- [x] `docs`: Documentation update

## Related Issues/Stories

- Story: n/a
- Issue: n/a
- Architecture: n/a
- Related PRs: n/a

## Testing

- [x] Manual testing completed
- [x] All tests passing

**Test Summary:**

- Pre-push hook: 200/200 unit + regression tests pass
- Markdown-only change; no code paths affected

## Files Modified

**Modified:**

- `RELEASES.md` — adds "Status-check context pitfall" subsection (15
lines)

**Created:** None.

**Renamed:** None.

**Deleted:** None.

## Key Features

n/a — pure documentation.

## Benefits

- Future ruleset edits avoid the stuck-PR class of bug.
- Diagnostic command is captured next to the rule that motivates it.

## Breaking Changes

- [x] No breaking changes

## Deployment Notes

- [x] No special deployment steps required

Root-level `*.md` change — `ci-stub.yml` fires (heavy pipeline skipped
via
`paths-ignore`). `deploy.yml` skips this commit on push (root `*.md`
ignored).

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible

## Additional Context

Will be cherry-picked into the in-flight `release/2026-05-02-*` cut to
main alongside the dev backlog.
---
 RELEASES.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/RELEASES.md b/RELEASES.md
index 87df488..087a397 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -255,6 +255,21 @@ gh api -X PUT repos/brettdavies/agentnative-site/rulesets/<id> \
 Committing the JSON alongside the code means ruleset changes land via the same review process as workflow changes — a
 `chore(ci): tighten protect-main` release goes through dev → release/* → main like anything else.
 
+### Status-check context pitfall
+
+The `required_status_checks[].context` strings in `protect-main.json` must match exactly what GitHub publishes for each
+check:
+
+- **Inline job** (with `name:` field): published as just `<job-name>` (no workflow-name prefix).
+- **Reusable-workflow caller** (`uses: .../foo.yml@ref`): published as `<caller-job-id> / <reusable-job-id-or-name>`.
+
+Mixing these produces a stuck-but-green PR: all actual checks report green, but the ruleset waits forever on a context
+that will never appear. Confirm the real contexts after a first CI run with:
+
+```bash
+gh api repos/brettdavies/agentnative-site/commits/<sha>/check-runs --jq '.check_runs[].name'
+```
+
 ## Skill releases
 
 `/skill.json` and `/skill` advertise the `agent-native-cli` skill, hosted at

From 6a8801f4cd1ef6296c1ba43ff6b7beaba8faa2b2 Mon Sep 17 00:00:00 2001
From: Brett <brettdavies@users.noreply.github.com>
Date: Sun, 3 May 2026 00:36:58 -0500
Subject: [PATCH 9/9] chore(skill): bump manifest version 0.1.0 to 0.2.0 (#72)

## Summary

Tracks the `agentnative-skill` repo's already-shipped v0.2.0 release
(tag `v0.2.0` at `2b10c84`, no commits ahead of main since). Was `0.1.0`
since site launch; the skill repo moved to v0.2.0 alongside PR #67's
deprecation of the SHA-pin surface, but the site's manifest was never
bumped.

The skill bundle's `bin/check-update` reads its own local `VERSION`, not
`/skill.json.version`, so this drift didn't break update detection. But
`/skill.json` consumers reading the `version` field saw a stale value
that didn't track the published skill state.

## Changelog

### Changed

- Bump `src/data/skill.json.version` from `0.1.0` to `0.2.0` to match
the published skill bundle.

## Type of Change

- [x] `chore`: Maintenance tasks (dependencies, config, etc.)

## Related Issues/Stories

- Story: Surface alignment between `/skill.json` and the published skill
bundle.
- Issue: n/a
- Architecture: n/a
- Related PRs: #67 (the PR that should have bumped this; missed it).

## Testing

- [x] All tests passing

**Test Summary:**

- Pre-push hook: 200/200 unit + regression tests pass
- `bun run lint` clean, `bun run build` clean

## Files Modified

**Modified:**

- `src/data/skill.json`: `version` 0.1.0 to 0.2.0

**Created:** None.

**Renamed:** None.

**Deleted:** None.

## Key Features

n/a (1-line metadata bump).

## Benefits

- `/skill.json.version` now tracks the published skill state, removing a
silent drift.

## Breaking Changes

- [x] No breaking changes.

## Deployment Notes

- [x] No special deployment steps required.

Will be cherry-picked into
`release/2026-05-01-spec-vendoring-and-cleanup` (PR #68) so it ships in
the same release as the SHA-pin cleanup arc that motivated the skill
v0.2.0 release.

## Checklist

- [x] Code follows project conventions and style guidelines
- [x] Commit messages follow [Conventional
Commits](https://www.conventionalcommits.org/)
- [x] Self-review of code completed
- [x] Tests added/updated and passing
- [x] No new warnings or errors introduced
- [x] Changes are backward compatible

## Additional Context

The same root cause produced concern (1) on PR #68's review:
shape-changing PRs (#67 dropped `source.commit` and `verify`) should
bump `version` per RELEASES.md step 2. That step was missed, hence this
catch-up commit.
---
 src/data/skill.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/data/skill.json b/src/data/skill.json
index 1db85ea..272bd29 100644
--- a/src/data/skill.json
+++ b/src/data/skill.json
@@ -2,7 +2,7 @@
   "schema_version": 1,
   "type": "agent-skill",
   "name": "agent-native-cli",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Build CLI tools that AI agents can operate reliably.",
   "principles_url": "https://anc.dev/p1",
   "license": "MIT",