From 44583db67099afc6a95776378f7ef7a322cb2b1a Mon Sep 17 00:00:00 2001
From: Anton Filonenko <phil@yellow.org>
Date: Thu, 18 Jun 2026 17:56:35 +0300
Subject: [PATCH 1/5] feat(blockchain): carry an ADR-015 deposit reference
 cross-chain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SubmitDeposit now takes a DepositDestination{Account, Ref}: the opaque
ADR-015 sub-account reference travels alongside the account as side-data,
never interpreted on-chain, so deposits are filterable per (account, ref).

- EVM / SOL emit it in the deposit call / instruction; the Solana program
  artifact + binding are refreshed to the reference-carrying
  deposit_sol/deposit_spl.
- XRPL moves from a DestinationTag to a ynet-account memo (20-byte account
  followed by the 32-byte reference), matching the observe-side decoder.
- BTC has no side-data channel on a plain send — the account is encoded in
  the per-account deposit address — so a non-zero reference is rejected.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 pkg/blockchain/btc/depositor.go               |  16 ++++--
 pkg/blockchain/btc/vault_integration_test.go  |   2 +-
 pkg/blockchain/evm/depositor.go               |  10 ++--
 pkg/blockchain/evm/vault_integration_test.go  |   2 +-
 pkg/blockchain/sol/artifacts/custody.json     |  37 ++++++++++++-
 pkg/blockchain/sol/artifacts/custody.so       | Bin 367320 -> 368016 bytes
 pkg/blockchain/sol/custody/instructions.go    |  16 +++++-
 pkg/blockchain/sol/custody/types.go           |  15 ++++-
 pkg/blockchain/sol/depositor.go               |  11 ++--
 pkg/blockchain/sol/vault_integration_test.go  |   2 +-
 pkg/blockchain/xrpl/depositor.go              |  48 ++++++++++++----
 pkg/blockchain/xrpl/depositor_test.go         |  52 ++++++++++++++++++
 pkg/blockchain/xrpl/vault_integration_test.go |   4 +-
 pkg/blockchain/xrpl/wire.go                   |  23 --------
 pkg/core/blockchain.go                        |  17 +++++-
 15 files changed, 191 insertions(+), 64 deletions(-)
 create mode 100644 pkg/blockchain/xrpl/depositor_test.go

diff --git a/pkg/blockchain/btc/depositor.go b/pkg/blockchain/btc/depositor.go
index c3cecea..23aa881 100644
--- a/pkg/blockchain/btc/depositor.go
+++ b/pkg/blockchain/btc/depositor.go
@@ -63,20 +63,26 @@ func NewDepositor(net *chaincfg.Params, rpc RPC, signer sign.Signer, vaultPubkey
 // DepositorAddress returns the depositor's own P2WPKH funding address.
 func (d *Depositor) DepositorAddress() string { return d.depositAddr.EncodeAddress() }
 
-// SubmitDeposit sends `amount` satoshis from the depositor's wallet to the per-account
-// deposit address for `account`. asset must be native BTC ("" or "BTC"). Builds,
-// signs (P2WPKH), and broadcasts the funding tx.
-func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, account string) (core.TxRef, error) {
+// SubmitDeposit sends `amount` satoshis from the depositor's wallet to the
+// per-account deposit address for dest.Account. asset must be native BTC ("" or
+// "BTC"). Builds, signs (P2WPKH), and broadcasts the funding tx. A non-zero
+// dest.Ref is rejected: the account is encoded in the deposit address and a
+// plain BTC send has no side-data channel for a sub-account (ADR-015 has no BTC
+// reference).
+func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, dest core.DepositDestination) (core.TxRef, error) {
 	if a := strings.ToUpper(strings.TrimSpace(asset)); a != "" && a != "BTC" {
 		return core.TxRef{}, fmt.Errorf("btc: only native BTC deposits supported, got asset %q", asset)
 	}
+	if dest.Ref != ([32]byte{}) {
+		return core.TxRef{}, fmt.Errorf("btc: deposit reference not supported")
+	}
 	amt := amount.BigInt()
 	if !amt.IsInt64() || amt.Int64() <= 0 {
 		return core.TxRef{}, fmt.Errorf("btc: amount %s not a positive int64 satoshi value", amount.String())
 	}
 	sats := amt.Int64()
 
-	depositAddr, _, err := DepositAddress(account, d.threshold, d.vaultPubkeys, d.net)
+	depositAddr, _, err := DepositAddress(dest.Account, d.threshold, d.vaultPubkeys, d.net)
 	if err != nil {
 		return core.TxRef{}, fmt.Errorf("btc: derive deposit address: %w", err)
 	}
diff --git a/pkg/blockchain/btc/vault_integration_test.go b/pkg/blockchain/btc/vault_integration_test.go
index 856d171..3ac4afc 100644
--- a/pkg/blockchain/btc/vault_integration_test.go
+++ b/pkg/blockchain/btc/vault_integration_test.go
@@ -93,7 +93,7 @@ func TestIntegrationBTC_DepositAndWithdraw(t *testing.T) {
 	node.generateToAddress(ctx, t, 1, miner)
 
 	// ── Deposit flow ──────────────────────────────────────────────────────────
-	depRef, err := depositor.SubmitDeposit(ctx, "BTC", decimal.NewFromInt(20_000_000), account) // 0.2 BTC
+	depRef, err := depositor.SubmitDeposit(ctx, "BTC", decimal.NewFromInt(20_000_000), core.DepositDestination{Account: account}) // 0.2 BTC
 	if err != nil {
 		t.Fatalf("Deposit: %v", err)
 	}
diff --git a/pkg/blockchain/evm/depositor.go b/pkg/blockchain/evm/depositor.go
index 3b4bb75..9a03748 100644
--- a/pkg/blockchain/evm/depositor.go
+++ b/pkg/blockchain/evm/depositor.go
@@ -40,13 +40,13 @@ func NewDepositor(client *ethclient.Client, custodyAddr common.Address, signer s
 // non-zero hex address) it approves the vault then calls
 // Custody.deposit(account, asset, amount); for the zero address it sends native
 // ETH with msg.value == amount. Blocks until the deposit tx mines.
-func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, account string) (core.TxRef, error) {
+func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, dest core.DepositDestination) (core.TxRef, error) {
 	assetAddr, err := depositAssetAddress(asset)
 	if err != nil {
 		return core.TxRef{}, err
 	}
 	amt := amount.BigInt()
-	accountAddr := common.HexToAddress(account)
+	accountAddr := common.HexToAddress(dest.Account)
 
 	if assetAddr == (common.Address{}) {
 		opts, _, err := signerTransactOpts(ctx, d.client, d.signer)
@@ -54,9 +54,7 @@ func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount deci
 			return core.TxRef{}, err
 		}
 		opts.Value = amt
-		// Zero depositReference: this depositor models no sub-account; the
-		// reference is opaque, log-only, and bytes32(0) means "none" (ADR-015).
-		tx, err := d.custody.Deposit(opts, accountAddr, common.Address{}, amt, [32]byte{})
+		tx, err := d.custody.Deposit(opts, accountAddr, common.Address{}, amt, dest.Ref)
 		if err != nil {
 			return core.TxRef{}, fmt.Errorf("ETH deposit: %w", err)
 		}
@@ -87,7 +85,7 @@ func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount deci
 	if err != nil {
 		return core.TxRef{}, err
 	}
-	tx, err := d.custody.Deposit(depositOpts, accountAddr, assetAddr, amt, [32]byte{})
+	tx, err := d.custody.Deposit(depositOpts, accountAddr, assetAddr, amt, dest.Ref)
 	if err != nil {
 		return core.TxRef{}, fmt.Errorf("ERC20 deposit: %w", err)
 	}
diff --git a/pkg/blockchain/evm/vault_integration_test.go b/pkg/blockchain/evm/vault_integration_test.go
index 992d32f..af01072 100644
--- a/pkg/blockchain/evm/vault_integration_test.go
+++ b/pkg/blockchain/evm/vault_integration_test.go
@@ -102,7 +102,7 @@ func TestIntegrationEVM_DepositAndWithdraw(t *testing.T) {
 	account := crypto.PubkeyToAddress(deployerKey.PublicKey)
 	const zeroAsset = "0x0000000000000000000000000000000000000000" // native ETH
 	depositAmt := decimal.NewFromInt(1_000_000_000_000)            // 1e12 wei
-	depRef, err := depositor.SubmitDeposit(ctx, zeroAsset, depositAmt, account.Hex())
+	depRef, err := depositor.SubmitDeposit(ctx, zeroAsset, depositAmt, core.DepositDestination{Account: account.Hex()})
 	if err != nil {
 		t.Fatalf("Deposit: %v", err)
 	}
diff --git a/pkg/blockchain/sol/artifacts/custody.json b/pkg/blockchain/sol/artifacts/custody.json
index 3e9f1c3..21e3d34 100644
--- a/pkg/blockchain/sol/artifacts/custody.json
+++ b/pkg/blockchain/sol/artifacts/custody.json
@@ -10,7 +10,8 @@
     {
       "name": "deposit_sol",
       "docs": [
-        "Native SOL deposit crediting the 20-byte clearnet `account`."
+        "Native SOL deposit crediting the 20-byte clearnet `account`, with an",
+        "optional ADR-015 sub-account `reference` ([0u8; 32] for none)."
       ],
       "discriminator": [
         108,
@@ -93,6 +94,15 @@
             ]
           }
         },
+        {
+          "name": "reference",
+          "type": {
+            "array": [
+              "u8",
+              32
+            ]
+          }
+        },
         {
           "name": "amount",
           "type": "u64"
@@ -102,7 +112,8 @@
     {
       "name": "deposit_spl",
       "docs": [
-        "SPL token deposit crediting the 20-byte clearnet `account`."
+        "SPL token deposit crediting the 20-byte clearnet `account`, with an",
+        "optional ADR-015 sub-account `reference` ([0u8; 32] for none)."
       ],
       "discriminator": [
         224,
@@ -371,6 +382,15 @@
             ]
           }
         },
+        {
+          "name": "reference",
+          "type": {
+            "array": [
+              "u8",
+              32
+            ]
+          }
+        },
         {
           "name": "amount",
           "type": "u64"
@@ -922,7 +942,9 @@
         "watcher decodes these from the self-CPI inner instructions and turns each",
         "into a `chains.DepositEvent`. `mint == Pubkey::default()` denotes native",
         "SOL (the analogue of EVM's `asset == address(0)`). `account` is the 20-byte",
-        "clearnet account the deposit credits."
+        "clearnet account the deposit credits. `reference` is the ADR-015 opaque",
+        "sub-account selector ([0u8; 32] when absent); never interpreted on-chain,",
+        "the watcher folds it into the account URI as a /tag/<reference> suffix."
       ],
       "type": {
         "kind": "struct",
@@ -940,6 +962,15 @@
               ]
             }
           },
+          {
+            "name": "reference",
+            "type": {
+              "array": [
+                "u8",
+                32
+              ]
+            }
+          },
           {
             "name": "mint",
             "type": "pubkey"
diff --git a/pkg/blockchain/sol/artifacts/custody.so b/pkg/blockchain/sol/artifacts/custody.so
index b5668340aed1352a09d761b5b196452073d62903..e36b12d0b991f7fe4bee568b62f476842a5a96f7 100755
GIT binary patch
delta 51131
zcmcG%3tUyj+Q7YL_TGp$1QNup!1jiOa#0iUhFFSZidae1NkUB{OGHg&w-e|hQYR75
z3Lo+$p()a-h~ns`i%93Z8mAJ`yr3r0MdO@`sJxID{GM5}*4}%@bKcJT`@V1ee)902
zXXcq_W}cZf>%y{mPhjx}fyF`otplmTjs)$eqNMzJb42Xu`cKRn8`4|X5|m!}uk}-|
zcgxLx3iI!bwrKg>a`Pu){z-bOTdI^iKpt1;lSfF2dVoAa3;U{3G>i7yqL$GRdS|0r
zM*|1f_T|=?$sqi-*@M^nD#|+rst@MoWyw$KdXtkhtCP*I(z#pI7V{;tOFeFRm4<9l
z*LY=7-!1BS6qq~SJBvmYsRz6L*ERJjP(!@6npj!CqM9o25JJ*x4t3u|XvQHmy=NfV
zpswyYoNhm*L7uv&=QwIjSKE7@AS=}ay@r#^>W}#Iq8iY99KC(9n%p~=l&Xh%=h0zl
zYO+teVWy|2851)@%G5)BPSQ*FsRw(75r<~Ru3q#VM-HlyetBfF`WF6tU5)gAgltty
z{2$RxQS~KtP0ujHr9Z0kZW%|z=Bq`woFKXC;=aSF>0z~~Zx|)>)xCXVY4XErd*57=
zuPzG!8g-xQ71%=izoecIj3qy)!TpBQfQQw@ep%LrqkQPuusBVM!a{=$$M96Ov0pAZ
zr_K(VL48uyEkTLYlB%`@Z6S}UtNZ5>r+TsfIP!uTX&p{#)OptB{hR)SsRQa+>#HPB
zT{mD8c~$K_a0&r+_P{x0qq=S24Dy_M4u3k-$lymvmRb`0DmkK#4cTopyPv8x+olZ*
z?W3x(p|RvI>ax(2l%}eQwlEy3WwzmDy;@=$M~<q8Y<V<(rkXscfc#ZGK4=puR~HZ7
zU|1{plZQ2QVET}8H2e>0?vNAMQ}c!nr<R3k?$9u5`h!|AG?u0;R9lAT(ph(^>B9=>
z=y~e-VOezWpVZW_gNDUE++zM`EK+DU)ZG$GcBpR+KS{2r>%)iByajAn$U60S_&D;3
z+WXc#Qmt;hbpv@*4T!jGnAyD9V|3~Bo7KHNW9iTbSj5q%?q#t;$pW<<#f|&bz}~TR
z)&drEbVj1uh$8x4kEo*og0bG4nNPIxeikcKxmR6+QL;Wm3zlc^*Mg-fg9QuS6|H6k
zY(e)fjyg<vi!cVyj-G*iJZ#Kb?DlPAHjt$?!)^;Dx3(Vg2pn8=!r8pW0BXI(J<nMn
zeV{HI`!=1vTn&j$^$(IJedsc^AhwEzF0Y9l=S3)4uExj3`^mXl)Qxfd)K~8I?amfA
zX7o#SUtBZ|-JrI|B@YVUq$m~ztJamPHZo>w8_!&(&L7{8{6k$mejHmcs>UzD&<L1t
z-+#L@eUPVi#l;V9EfT9a|Dsrp??y=8Ndx^0r8bUzwkB%g5-)#SfY>p$>!9p;(>?0T
zaXsnrMhJP`6iDZ-uL-$*3r2R4x_4Ryom!-(Pfw?Fm(|ow5257enzJ+RGtpNccZR%8
z1Bp6oRybYzIOMLOWiW8IxrZ7udoR69OBka5HoGT%`LODh9A$m~uzRR13O_*vp{P2n
zCMSoGPt|3~(e&V9wJbT%KSlB~=sERZaslnNu_k#=1)=69@Og(O($h_9{M>l@WRseU
zBISr$H#e5<M&-LSmOg((jk-IQPHBQ%hBunjvb&?0GmR*A9#OmQ4x=ee5MM*X=%6EN
z@;!<4r^8THLj(QtrRweKzI*!7s>9G;gC_?oR`6FW)ZV0q+#5z0HbFYW=p$+tqS^#i
z4A-DHh#xdT7sEdvQGMox(Tj&6c@K@JjZILr2ZyO#s%i4GYT3L%I<g5G_h6~_534Qn
z0?Fx`i}N;^{IaDnU8HWjf6h&*_o+YLpGRw#sv#tv-hQu|PL|+lCEyQVntBXhin9Yl
zvi26WD?QQLAWf1dp7d1v$4S0rKB;D9#FLlRiw`-;GwNFzPVyN390KK2NswB;;6-}(
zJ!;g#y=0=68e=0pRR2ZK&|&weTNZ60*=pp&4^gjs)S`#C&?U3gtVa^bztm-m=a5!)
z-{Oa;zPLuepyp<#6I`w{?^AzRl23zq*6mtW(6Z`h#PjO9%!kNRnDZn#rY?JA21(O0
zC2N^lwZ)KZ(=v_G%sus3KKY}Tu@7b(s4jSXgkQbX%8fPK9$!nXKP^&}5^eG-%KqE=
zFKo`+GS#T%$+)VnTMp=cK=wFV&nx<;x;Q)9|H2V>l(YPE`l#uvw9|a<s&qeD+oX<N
zv6db?qE@X)C$FfzSDqwQ>baGV`1SQTi!n2u>ikuqY~5g1WTjpGan*f(L!~08Jd4Q6
z2h?*<XcecgPN!jasdcMUZ!-I;rvbT6o4RL>W*};9I{87}xYp^{A@!uAW?oJoa#Qks
zHLLBLi2pRnUE-rwJrzi&9aW<ofvihfo(fSPb|m15ewX9&P0lr{Z#~t|DtlFO`Nj<v
z;9Bu?8aq>sUspgUZ%_}ei}H_=YJ9D?=g`R7p=wF)oSUj$&#I+;kE%X-E+?nuC6FK0
z^?5&$@6^@#mq~-V?CCte$EDhas@I>^Mlj@=^qZ8s)Q!)C>SuyMzqd!NQO`Z|2<xHb
zXVXch`qs0X7{ou9PG{b!mOU5cA1+nh(2I4gRZiY?$<<jt>(gn>ood$lDE}O(a1}2s
zC$DxFZo$HVcdGFPxy+Bcf^?i6!5gCeQzT0{+>)F;#cio*Lpm-7KW>QjYnEauUyUs6
zcT*_gehpLQyld2Th5g3M(YRtYPUOveBHMSQTxY+roq}BYarIDPzeKt8BdqkO-!Hw8
z<?F}u&9kTx&s+VkNh`wmUTXSQz9MW*ze)SPk6QGMaS`#mq0pdCe&G@N+)=f0bD;X+
z3rUZzOHvg3j+`#$fqi?nCN0Xpv~7r8_dkHVr8(%tRHg_Z?`rILGJ}^J&aceuYjEMg
z!~Uqwdhc~(<sdlEG+?qlQ_G<^UP#c2I{I^-hlZJHwshUV!=9;|dYbFqCT@2`r17Fb
zVo{57@ditAJekD3%I11I;odl`nLOQ3{p7{4ycLf`XnMz!L0a;PM{d>GrgON?;k?)*
zHl1TQFX8n&md0`Jrl}Qs1+T^t$ax;+Ewd<Rb@vpO-=x^R;4cr8=(#U=Yvmm?Q@Gsf
z%kAytoom>!?@rRv-S!$ad-f;v&Yr5vAocV{Y#!B{7tyLk?h2|mFQQFny?GHG8r!K&
z^Vbp4sWWe$JwZ!W96g$~bca45^ST?&dXG0NqKTJF&<0LDxp7QN15eqZH!Po9a+iFQ
zH{cGvrX-t|Va1)?vlX{<k5^3NEm<{Fy}Kwn&zi(bZP)#=Cg{xDxym|0XWq_L*6}*?
zcCNC<>CD^du*T@j{dZWyHFhku>FN4#T7xvsvv1eNPjOg%^$a|IR#|)K%;RU3wY$#Y
z+PJN<dh5*N$6-};=JDgOcJguGuE&G5LuVcj4r?1@GtSZk_1R6S5vja8_us=Mn>l~I
zi%sHkt=v3vm$qlNue8CK`6M#Wo}&kBgx(^5-M|7a?XU51vhOs;EsYzpBxqC9qAcVN
zkK%zgkIdDWtqSZ|5W}bJJSAC64<KA&;jBhKAK;%Rt?<)(dMs^&W$nS<xYlTOvrCqq
zXjP4WVF_Qo(#QR223xrb^-jvyq=ok>rdRUx-5GlNHO)u6Jsj@pL8jzcH5XS59;783
zOUjCseB<Vb;A6OA<y2iCu9;b}GC^lPhW3?lI`c8KuZ+<-fmgp$L&ZK=m&5cS81z6Z
z&oGSlnd5<Goq69n9#Chh!}EsmVooj;C*Jg8eY*c{p3n_1hS+Kuc{lHArf0`IFV6dI
z8Y=9fNy+2Cv+K<Oi>_zsc(D6g`s$@!k4E0ja$#?GsC@(T7x4^Q3jSa!$1pWww=Ivi
z!9i`B&R)*j;Gp_^E^pG><e<Eb_VNauc^h3T3+40Oo}jm#@=jbZjh9<=JMU!sZF*nb
zK8x3vcbi_|_GvufHccpw+b3}zqxZJ|QyM!)->b<d>4Um_SeK9M@(E2E0nP3!;l;9Y
zz_eRSx6jpt)?G?Ic2DO^E6Eo1u@XDG8&vW(y>*egWlKfg_EYX1y%T?BHrVVm&1bWd
zN7gFq*IESHxAVwaW&KKL9$Blbtvd6_a#)*n=8@&FHfikG+Q8F|v(D0bwFaj4>-3mt
z4r{4iHcjnW`ZOiUYEkJOCY&1TwKpDC<6a(#Hx?GZJV{HL^w0Sd_0zdS-<B9xHBJl{
zqb)THF%0kI{juLT(^=vbb=GS^H*Hb6_wbnIH)&t!^?%vGl&aJJtZiVb{v1X|sK@_2
zE^l@sTL_Z)1lrE~$D%}Q!R_9{v}(?}w=m~4#$}$D3)h44=>%TRS7&`*bVJD|jWGoS
z*oK62p7x8quO<{nHkWJ;vMjC*O`smV#&+Qmp6`D#tYvUS_;Lq#=z*XwDTaNElJ~0~
z2|+yLh77HseWgA-BJ{OtuwEgyPiP75PuO8B9xM9m8;7m>MxnpHaoEaFpey=^Yxx~p
z^^L+E{cU=J!X5C_r=8WCvt3hT=yOLLgE+feaOMUKEGA>~mhw}$vEy;?bdK=&eVSdV
z;aK|{E#q^?SY6q2_`kKxu~k3C&*WQ&6?UVgmD)xnZ-w1xYPFWI!frIRmhWWjHqCX%
z)_Trs^_D)VpE30b<9M>1>vwYp9mBO^+Pcgfv?xyApng0i?0ifYDXtcD=Pd~^#s--k
z`(wGZ@8o0cGVI!n@hz3(g-q_i^D#V{OL>pkpMfV;5|-!aQL5=z`072-BU@*^1A64>
ztam_<d~VOzra9o~QOMaf)Ww|j4ZnjIQ|6hBO=1ae@Sn5>=PC9fydm9iiPeS-k;woo
zzz*Y#=XfB48{VZ)(_MTvIF_bq>5kD_cEz}SuqcJRB9)Jfy~L(vSh0nBw4#_bFi%ld
zysU33w=UHRtm^S7mrFA>i4}7>A&tw36fR##;?lM4<UQx!cJiKcZ##L<xwoCzb9v~4
zd*8{s&b9A+(xz2loERMXz7w}~yv43<XQjsOZD+O4#<sIoXK&qJy<T3q!Rp89*q|qL
z@@cxgRp$<!_36s@otVE#*SG5WHjP(VPwU*F^C_J>b#B&~FAsR;8m}kt^}%6n&^b<%
z4r{&6rFw<6IyYZeZ`+YNIzvk~<^o$_E8<vtvbAjU$Sl6^Ezi{Q*=aL@+vbyzd3Nt6
zExH^LdPV-MA8=MJ;L`qD5U*%w8ZWtn2irVLf)<<>C5m^YYXcmjv9VupZ-57A>Fy1%
z#_F8cZr%WY?d@@DylDfxsHf)!xEZ}u6aTDjfOB_-k&)`Io#W!7r?azPn%+eznzSf>
zT1#CQ_7!~kSQH<g-o2H;tR5sj@4S}Zy$|MNZrA&61-+v87$3_O^f#UPSgxR*I`g5l
z(+-_^&)I34&U_)XQ+++s&qek;V?+EvHE)1xKU}FZU$`6(lylY#IwDFr(==`Dj8lN!
zWv@fB*CyF()i}>6=!jswi#uIyz2xzLYm;LC|91;MK-sTXc=H}y{g-OZ^Iw4RS<d~z
zEr`<Gg}2~vyKWrJM~CiX5N`jMZ?r}--S#05k9REOx$G6Za~%t9T7tcTcdlchzDQQ^
z&UGx*Pe&EJa~%u4wUt6ykjNE_7UDd^!=9**%EB1V(=>q_Z@$XfZ!=imh~KnP=k^@N
zPTtt4>l<`CYZV@j(HVTFZa3)_j(%8E*iE{D(R}A_H}RG@M)MuKL*MZmGt=0~+x2<i
z-qEZ7dMV#?505+H1F!G?k6ZYn2iQVmENsRWo=*n%7T#M6CHEGdPX_lEK3vngx9~a}
zTlv@Hy73HK)vy0@`+wNV$EXwEc$)t4F5JqGPzSv^&TQWi-le`cc~Vc-Xckl!rJwrP
zo41m9wdBoJYU|5`)KPB@=x%J_<JEa@EvL4p)q`(E(Tt<&B^3CyAnU_)Mg>(-|LtSO
zfE6|EReK3JR<o;m93}VHoPBo_!6!P){`w^y`?;FDCzpoitBrfgjOR7p`D(%5z2swc
zvU4~-2w3clrkzLBEzU4&r*z}9e+R$c-2HPk>QIP!!I?nbSI5?Fzz6aBYR8eo>c!eT
zips9KF!h!9;z)sd{Jm&;?TG62zN;}vTi!2Vxk5fjCv(+xA8aD`sl7jpX3dQM(3KCV
z@xxg9@KM!kpDPh*%RXMXE}i_WuB+4QODD(G`TIX6|5S(7N7G(M)zo@dA*A#5TA{3u
z((w`Wp^r|Imuq(YZMT`ct<L`VKJsPFu8%{Bf1Af88e4YSj;bdb3djI;{y&D3h3fi$
z0DEg9<dYDL&&i)e;{&v1pNylON7af?ipaK_v7bIf=)gEN-Wf)ws{1~RrcWGI+dm7l
zKH*`PogA}%^ytNO+9yFRI+TmgA9^>Aqr(!^#Kw3^64ZjmI{N)jYU1HAdj2Oh>u?D9
zTHSa!l(eXC9UhLYJ$`sO`Bt6Yw4BBrRrfZr)<RVWNoSaN#E6#Pz5l#Vee1|@R^|kj
z@i4LEXaSw@x!Qg-9Y<&O=i}%k48qUdSr7w{X<5pSrPD!E)UIQ(R5_}~9(U(KJa}Bo
zlYAnbe6PNBVh;IDy?z47d9~zZG&Q6Cq&queYV#JY*5-8fZpW!S292lE*=rrAqiM=f
zHT`s$Ret<X|2^+d%v*Lkoh+!ietHg}=YCd`zo;U2)?EJr2>H6Eq-6sk2Wo;_KPE)2
zIrr5ZGaYun8hgIN-}CkW8z1E!wf%er8`v%1Z6RH1WZOydj%xX*bMQNOa$}b~-hu8F
zpOq-d<mvcSw&kCR{_<1VtC?!ubgP>3ufLMQ8q4<&Q8Gzg{Nt-MJgvs7y^4@u)IC3K
z!pA1lJ2sKVn&bErpCm5+WfOU!=Hf4X2tFaQT-ZcXYf3Kc_GW8B{PlwWb}<<9h}w0%
z0%!HEuC?@?V`|8aSZY6^rlM#%sTSRcqHB+<btqy^s_iJo94`qWQS|EZl4KMQH<#p+
z5ZZX6qzpyNv64CzZyhgbL9ys$Nf(L>Cjno23ZcqLh-b3baY$!!|8dA=GVTPFF`0i1
z>X@8+99ozxJPBP)MmIb0jfC@rX3m4$Y!c`kXeMohJPZ~uav!-L=6jJmawnYiB5O$(
z%<D#?X;Cx8pCf^TY#yV)PQeKt%tqxZ?CVCRkWp~G8<|17S|HIIpQp!v4^i=SAnfoa
zr|HRN$n8!7$z~|&PR8N#2#pLkz`5>N(WPeSnuwU|jO;-|DNPH6<X*_{!Qx)zBptOH
z;(L==@)@k|O@<qV&Aq?8aYM}?Vuc<Lka5u6hb*GDILPuL>0~<`^1+;~SSz#pHT3R7
z=8#P=zYnJV)C|d!F|`S{^&$7srzS)0Bz%FuaB-h=tS|Nf%?yMpKkT?($<XLW8p(Rt
z=1->3(8<u^Pr_WbGa&dD;v}o!_$_1{`3-vab-PF=IA`}oTO<b#1dthI4fGB~6ZuCW
zIgkX>%V%LpAc-|<razvAy@8~Nd<WC}k!Ug+R`<i)=2MV00Nwor4)r4sp@<A3%jvIQ
zKv@t;BxX1lgqi$K@&0`UCilk<HTqYD_5HDo3g`Nh<v6<AtYjEGX(fZnQTF=`?BR1(
zEN*nvgD`mj79Xuwc@L~d>~HnFt%u{!wj6BSXTqTY<ZV&_>jvVu8{Hc2JUfu}pU)~t
z4M7ig!?qCY61^F;?F(oLA$!SHC<(<5dm0XfqSomAzd>&s`Ix)}$8BiiZJ0d>^UQ?x
zgWML#AK}0t?C~<^y202s7A!48NC-Iy*N2dkBp!|rB_GpaE1_%{#!NjNABJU({vi+$
zMx3<oSZEAG?N+c1N3GFaXJGnpwA>EYhhw!*z}Rq)YWKkEaPn%m7e}&<P&S;gkrmjs
zjkjXX+u^{i9+f-`mIySn1@=W?zhE3`{(S|*Mv%kg0k}8<i(G`rkyym&_*hsrlI$l*
z5E+TeMpzu_VXqJDiX`9RtlSudVbKZuqHwCVIVVSxFA44~AY>Fa{~ee-iVU|DjKRC$
z;1@-2fu}|hU+lt-qsS&w1i_<mW*M0`!u-)_Y5{B<O@@;fSf1%{Wi**d9);;+FanJJ
zx*Il*!TD;$V3PCf7@RU>DU6N92{jJZqo8-6f|gv2=kuqaJ(k4!%P-$-o(aijnuUR~
zYaEuoQ;*e;ARvzHr$02qi8xY5X2I(57?F3tzVTS&f>RJO7o+|e=sm$BpzSbk0(q5o
zd<&N*U~E;v<cS{PI~PhOVp$RgjT3QIHI|jB5HJaCr0Mm>!Td=WwogFs$ynA1+kUWk
zG7e88jE%?lV!L1)3OeN!cugUxIB4^yU}qnJ$q6_-kHhK&93E7bC7_FM!JY(+**fRC
zsU(k*6u5o|nc_F=D}0u_J>v@7wzJ974zs6WmrsLr(?}?}4%?<-Y}_#s%4U#n;gjiP
zA=v|wiD*{u9(w5{WF=zVJKz9I)@!5RoCL2KxWt`vE}nso;us!Ea;q_S?>n&za7YsG
zBunVH8Bld6xkR3WT{AH`G!|NB;^L)`7{SHsE_8hboVyF#bs2(Zp(#U&{WJ^vz*vm`
z0%vEDFX^CVP&XT=&WCVuHfGkR4#mwzY%-~%ePW!K@QjALVi=Z!-BHfp`1uI-rC<#Y
z!o?IUWDM>$7&{lI?3>X0Zgg(+SV+7Zoik?RDp-FvdB`<v55x7laaOH`J@=rc>+s_}
zXvrAUc!<0gP2gP9P8@q--M!>6jeZ=G=b^8k!1{TZ*_doS;lMl$yx?eOK`Kcm<hb+r
zeXJ`}VDkNFBrnd{^&E*O7<+pjz_^)<CzS#+&`JM5{$j#$a8{+`X@T||1&tXbw(m%3
z*Livr-mI`)AILWl4?yt(V)mCa6_3GN|AFw~0^<E&zsmyG7vOMo{~VSq#PQFB0}HV`
za-HiIkr`%E?mX}aPDK_bxg}(!vv4UHN$80v=-Ps=AAOAcOVib5;Y|A+<}b(dHJ$>N
zV^1E3<IAy?Ml{z$a5h<s8*tc?jmyg4U{5w?DuExfaiyq(fE8qU|7MRSd%lB=XH-;U
zncge0%m*-iB~IvfVdF{yG;kDzts-kkI&53zQQZtUw+f4Nz`Q3=l)`~0(6dQkS*>j-
zrlX)M^`*cUwynmJ%TDpVLpM0L8b?c?zx4VMh+TvGo5vt{EtY*9=C8#uJp~8WVi{v4
zK+kfp4|8~!(A%a$Q4Tpl-+Y9{bQrv7#}#u1Y_nsq7_*=d&f0Nh-s;@;B-u^;?mB(r
zhVgC;o7O+Vyr)RC`3_8m($QofxdywQ!hx828x-Z?%s#yiXLb!t&P9{D=kx-;XPJv(
zxfAxVWW6SOt_d#X;>dpIoR^0uHr$%+$#<*CF1VPFz3LB<Pm>!s4I-bxb$v1Hdj@MW
zy67Po_ACybv8K(2J&1VzjC_s&`4SF1haKiKhKD!xTLSR~I8|Gn%L>TbCiKG@@&fUp
z<PC^?k&L@3u(R;Y_q%~TG)fNa-~B^^8S|iP0j^aOK8J%F@w)2Ta5%V-?4|zU&XyvQ
zZl<F~IOA2^Q8EuPxN`|v=DfazTxJP?5uFH=wvrUG3^s1X_MK~lgIh_m(XAM8k$=YS
zOoxqsCL3@U7w`%WXDb|k1v~Q;^xlSDY%B~`n7s|7#Ta@&XUR4)j&%$)mgB(8fXMB*
zgwKKb+damm7`AQ4h0a*h*1^~v7-GXmK-msl%#5MPbe_dzw#H1~i4}hj>vnqB7zz7!
zqF3>-ZWsAZUo&a<g^*i;>(FbkuLASx70_=#g{}&6g8T}{ccUdc^se-<^ghh4#6^>B
zUMq2x8aWXfD{=F>3%0$EnG@jn>zLVS@6!<Q7hFSLavu5%8E)#E?J=!cY)`_QTJnJR
zlQaE-&lLg`KlP34{r}r*rGUABS7RaMW$67j_FV2MD0&;m{qIA-r!RKdpZRtI7n{gx
zvca!Vy4q-j1J$_q$cKP;$l;sz8sjJ8Tf-y}dc8}0>9|`V<XuwdS1y@&-udIZIBRZt
zAGi@_@4;0LuQT@G`GLPWOZ#LvllS6YgA_uE6Z;T%tWF%sFJWvgp2#ma=P^O1!0Pv~
z-+T6e6YpVLy7h$E_elkDI?uk3dku0QZ2S<fWU>Qb$v#r%7a#Aw`ObQ}5d!K+=uM4z
zdpz4XrNhoTT$gaQsKayhx3F$Mo-?g5uO6d%AMB|o%l$f}*PZKO>_?cl7_NVWEAZpa
z>3_o|gB);9{~ywaQ0faIpAxGx`v5T$tLIhu{+HNxg>P8e{sBb?aTk?+2I>yt?(Ux-
z!-<1<b+Q;1e~ed*&9Lud@+!vj{05v8Ght%`!FTqZyBaW{26;>GB))-n4~+-Vti3P8
zx=*n1oe=yf`MCdo@?Zj7{}iXvJRj!nKzQaeypY^}3epeZrmH8cK7><McaHReeTQ&4
z`~+q<;`ZLibOM48<51PW`okD8c%nOu;fBi8CXBu}V09BN7l>6&XmC3mX!0<K`=}$>
z$`)9B1dF~5dyb$d-aVZmM{$LuOV4OKUNRA;AHy@0;YAE=JBC4EXa_k1j+1WG&nET8
zzaa7?&cZLy5xia@=b_{zR+R)lp2W5Lw^OjB8E3BFSSV=52wD!2r?3sLLdhu%zNv8N
z6rP42g4L%nfHCjE(->_pje)uc$r$JTXUL}(jLczQq0d>c`YVjgSD@r8JhNT^%hz}g
z$c1fRV}wtG17BlcWJB+7aJX<Q@eS&lVg9#d105R-=f5Q(@Z6`=m!v|#Ids*y6VTx?
zk=UJpS`TL9It^Bz!^;fQY1ncOr_85t7Lj}m*U#Z;s1{bA$55$<UFUJAK8CU1Vd8pt
z>pOJzsPp=FWVjg@wP8PChxW3;k{@tuc0cU-0bPn12=PDaF7+6k#P0#wPD9y8ra-Ig
z!ysLsdK&6}#d%WyBk4<5YA_If`H`%oMW<m&J8p_E!u+4e3_saG2kiL?C!?Hfz8lW}
zg!}OZnA}08_}?onmfwf!f25|}9K1=reUQhy9>04^{GTM%r)wx|{h8cOKf>kkXFU7Z
zVe&5+0gbTw7d!>A(V?qnsEyqMU8CdM&waP--;GWY4Eq%?I`qMu(Bv_A|1NtjcI5sr
zz91Mc>av@1uW5a`hVDNNu@`WZ=fb)R<i4A_aVDI*fb(laID}jzi8pm;++0|5k%Zh-
zY!>Xgh)(*aLHk7#*4J0+=D5(C&q@Arrgj_Kgs2~0H#XP5+u?pm;By)GAlTV>E((Mf
zFOwvC(8^9ogQ4>>=}QJc?@scz(RqV@uk((<#ZFvKnomQ>bu2seH*yE=%GdvfTT|S-
z9k@dF|Hoyo61H8%jx%;4iSXl95_;3Q>H-8`!}-$&CD+J<k@xAtghR%T{o{414<Eh=
zr9D_-!}k++DKFc*gJs%<Z#MNsX@5e|*gh2>rs1*R_CA_iG2<34@9@#&D&xHXD}OIw
zzy8RIz0mLjzLK}g^o(M|oc7oFOOlQW#ah+&=~ms&U`^(^3_ZXNv4?!0F$2nz+8;GO
zf(bTEo1?$?v;PjQoWd&794_Y-*k|0PDI8B0Y85>?1K&Ku<FO}y&>luFn4zJv=*c$D
z<22601pegn(J^{~314UiR?NVAD0r-T@;j}7eZ~ll9Z!DAdD;-pGf!&#*o4nCx#|J_
zUb3UdVT~8O#_cbf(4g^tUQAhw4X`P5u!0F!HN~Qc%iMsqU6c0hyvrQcpEO?D;~+l#
z#HWHUG-(dvt8bdzzg_b~VQ*v|gvc(^&o2c#aQ|z1GS<@ovp**N2K8Y#BP#g|9roS4
zzgN8eH_duL_dh5U=53*&@VGzq&STF`*;;-UU$b4X{qI_yMb^7Cxnldrnp|a_!{yeQ
znsmItpDH`_F2#JBhpVhB^l}Gv&ej-Tso*WKX6npa<gjMI-;YwiJodELVb$M2S*k~x
zM{}!Dzki3`PJDzUx4Vt?!%kg~!`pyt-^BxjHSTf~^6qNQ3HC-Cn!v|~eAeK5&ib1p
zJ38Tw8Dwqu81Ceb@REsi%`l8ho}Et&HmBq}UJ0Z4#%)#~;yq`H-l1bdaaL4TYIWLo
z^C!>t?R;W7p7z$9b*$h%8*d)kD{FcF?fm^-`%NxEPfBxtfBrXXH=>xYUT3r=$vyuQ
z|Bv%OUw=6zhrf-2QN|AU{GX)QknOM8dA<ovTGjt%{_BPw;D+4u|F-{f{__gl^S?o>
z=>IVP!>=;W-SdB>#{b{Ve{TQZ&;OMFZT|BvbI<?4t9<_3GzT49gEZ+m{{yc=R2K>K
z&$%ux06|wF`C}4zXD6-z3wHCKb_YCPlJQ+~{@TxWJ|Y(7KS%anm~EyH<+Wb9af7`T
zYsB^&AvoeY+W1IsZ{_ke9(0Z&dTev6uD=yru>C1LlJp39omX$K<nDMjF9AEiW4`Ap
z#n?`E>nRSMU=zAy9$O#d^!|y_B(5@=Ba5tjU>7~f2V}+eewu!j^<~Y0725-KF4g-%
z?`JE2L(RUO_qW4pIF`ra24fzlQ#g9&u<D__RG$;u-FijzT#*Op->+0Wlv%?j9%c8D
z70p5RUX`}=Kz}cKOG*b0f=8!luIyjLt7b(9oWr88dGj{yRJfe3yM|juToZ5Lf}#&v
z#}#<Wi!SLNr{|A>@4e`K^z9q!waEhqSd=&PMbMk~t=ld*y3w^#F|rZv@uuTx@EK>3
zH!U-fkDQUc=tG3;hmF1I3^KrZyf^JeXm(#`iw|ulbkrGW^rh)|`#;i;en-1HoPqun
zFS_@`{9EW0KhH}<*0jgrty`#jkJQ6?{TAJvR{-^*c>lxc(~rgy*R76R=lmdwPo<1o
zAG6@c{&YWyalU1xp(d&vgT`Qbp0<7rdqe0N;s=qT^f0~a41ZL(0Rn6kZw#H`Pub9z
zjs8Sj>dDT<gXuUz|A2b-yzv&;GlZ^nsfly?Q0io#s&IA<!{;C_#mlgMIDLqjEgMby
z;Zr9B!-m7TI-CM^<sF8PkLZ1P4{F^Ax`D)kWh9EluyG{)*tp=NU%U@lku=K1pT7@#
z85@`IpS%xUk@yGRdOK+S`;Z(((_Q)Bc^?i&(E=ks*#?WF>1F13dJOf!(c-rP$o<as
zqi8>3*db$J&uDDm^RR3TcA8=R#(R)@8$Cg51D#Q0*;we;#q|C6AUBpS!D8oPaSV3h
zV<9@lyzOsz3pINb-mNyr(M;A`kTssJG0fpDhU??$6vGJKaG5s&yUV!Nj&UBEKu@~s
z_@x%=CebR=9hObTp_uS@_Aq)dc*oPBWR5d3o<?gmq)+jv;YIjy3I>(Y%4hItkH?_f
zVLe0RR&q8RO2GP!%nO{;r?M_Fcp|L6o&Mx<-U{pPpfhOv-yv%<J`?}?4*CFD?wmZ0
z70J*(l>v`Wr{zX*dcX-`i8yjbUw-Jshe0?}x_SDR(|JA-KPg}&;FI)#By6XipR9K7
zN}{_>bfEsI`TAbxl3CP?kVl-$W>dTev<gEtnFdnlUf7b1eQ+Dkh=Va~4$gX`mEbIy
zgMPczcR4T4Wsz>&)*R%Veh-@oMm?>2@QDlE;xhlq9%t7)8e(!4SOjD5$3AX2>dd;I
zo;T6#qmViu8>+o+!5@~ewDT;De~8Ba=0Ea<_;gyuuGQMpF<MvS^kL88N@3$e*afwL
z;FUq!+0t?;gL+x;p{KKJF^%o7zlP<Ul}9VhG^QV1dX^^Aq<+r$=jcI7Gx|BbHqaAZ
zG$ROFHqt<A3cD!Q4@X3~w*0Zzm2&!lPZ7FTTLJM*mTrQqBK&+#X+LPu(|tB!x>Dne
z-$cv&X>C7e%XT(@I{P`>ci^f<51xV8otPy*$hl-EZ86ilFSPGTI3IkSR(GQZztBF~
z0N-AszUr*GF?7;d?XwO3E!t-r9zDxH+i+Kl_Spt<mVdV4qqEv)8=m_@`)tFK7VWbQ
z{%84T8@@TKeYWA9FSO4#Q1AY5kbTYJ<uCY$8ot09*|!&}&uSlP7<!g}sNv_c+J_qE
zo#h{Dh{O8vLk;WB@((r4Z_z%~;QWGrsG<0*_Mrya76cXSiwx~w@Gmp$`htC#!P#ps
zZLsLU?)>2cn%$Fz_jjg$Oyjkcv8(}?Uu$-Mcb~I$eh5BuV4K#o{!sQQhHFB9*!wBk
z#wDrcQyOok%@ZJ`2^C5W#5Q4%X4JrvCd^RSABviA@xixI8k;FT+Bt&vOH5xv*%4Y{
zZJwZST5)t8)?z-gSPL3SKgx|19c4x;z~?j#fn!IpaJZFOjD>-p(|T5I%jY!Eq|}&U
z|724z^gV`Iu=22DST6rvNIu5wR6s714gI0&7;U6ER>(b$jCQMz(>hvcb!MHwSxHN+
zkba6z>XqYi1x?hQ#H?{O(0-D(=<SHrn-Bs+PtiCUH-HsOWc5{?qEV)}8VYmH&|z@x
z6newGub|D`IQ(*&4rcZO&)_M5xyU4UF#@X3(4D$}A@IZ(ym-MEnv=}w5a+{ZX@@Ue
z`6Z;bW0gI=fwFcQPnVv9mUguBQ7Z)ggtGc`NM_RU6%;Vp|2)(&`4T>{{|Vc(s1?FG
zP!9bXQkl#?1_ey6J`a1D{P|lr&*bqhA@FCE-M)fECO`TH)-ajS3KdKq{|ZhpxwRF%
ze!(uU`Wm8sL4NZbq%(QPc_?D?r*lxp<j3csoymWE3n9Ov9DNRwne5jJxlGRc3aXf#
z^ewdfiuPXr61*;;Y;A=oCbPbQ)C>4UlcBA!hRH2o!4@Xhw!&T}@A(=|F!{_mxWr__
zAqc!kL#!vy@tX^59kD2Lnb2OfE;<j%sHd-e3t3Fkb5O+Os8*<Avid7%WU`<Y?}MRy
z>TB@1gtGJ;L@^nK<(c$723btLjqSaJ^Pv25s9^l?S8$NYdt2c=lbv6I*JYGHe+gks
z4#s|EGWi@VVbXja3Ygq?4l0<Oe;y8A#&-YpTWDw8_Z;|iqRjjjqL@7MEhIDf&u<`$
z$&4?dh{<=+e<nA635`r1MgN&JwSv!YD5rb{QA~dOH6$}R9?LWNcP!83uUMYR{@+3)
zlj=9n{u|B3l@hY9;9~#l8TN59|7wr5nf=-n<P5or`!-rS0JdDixa<su6W1{A!b8F5
zI?9HDka!)(H+&$hVKOZkDwu2tg%eB`hJaTWwl`-WUPqy<42D#VLm`*RARAOL*&G6m
znj8R^nDh>YkQ*rDLLiaJw1JStWMMFDVX|@{)G^tNchxn0Xo-(0jCO{W#G<GSElEd_
zWGg8^Q5#ZHg~B_u<OCA~OS(|R1w$A?nHd7f#1ukn2S65+Z3Cf*$)FIZB6u4-ZlHVR
zv?$N=K*KdHGZ^0kM17&4U+2=-27?b}<wHHouXX90Lm{5&3k5yDO~F>?a2sSXeQAhi
z`Nv%4+d`m>>63)|7rXR1!O*Cc7xWLg^bNt#rIi=zzu%>A3xy~Xt6$LH<I>03Af4%h
z1pBjH`lMheV){%$&+i$s_LT-h9n-hrC6IAgl&P-rLBY_j*%#`c=+f7QLWr5!7xZIY
zdT$%vDnfmw(0|b`eP;;dGJTGq=YOrn{A<ARXZj>TKg3nOZ~(M0eXY>GV3)pf0Qgu?
z-z@0+x%8a_AfD;NgFV~t=hC+YLl)C}3-#ll@8F^NHvr0*zEiNzZ83csPAJsV@DTja
z(r9Opm+4*~nr3rm^)(exT4;kyfu<!i+vZH~XTmdOIX)Q*G8NG#R0NsgX|2r}+uwu}
zzs=^XvYJw<RT<=Vlx-mf#&Ac120255O+|z%gP<w|Ys7?uA*Lt`tsd;WG{jWoZOtDn
z79APIi<S<CvXR(^49RquuFn|+ji`r*XPA6@*!0B8LD0nt)k}q}y1sc3L`9;$L(=!v
z_1=Rao#}0oQ$D&rZZH%veTt;_*7cc#p^oWeB>Pm?Ck=A8N1B$HX~SSh9c@act%IRr
zwCOzU9PBI_W4dIfy)HsQoGFp6y9|wS*w=k7fzNo9TRI_myeXD$zXSzLp6G<S@un#1
zxCrfx&tHbH3CMjeLn@QqeuIJuxP-lT5vrIR*$F2w-Bdrp1bHPS7=}(Xg;U=lkUY^;
zMW<cHmw_=?>_rHhgwlB#l9~MHMOee++)gNCa=|4y$mB<z(9YzMOAt62<*%I(&t%gD
zSi+=j2oz05FN!BX-DHfZ2QNZmJf{ESvNJ2*bjh104RtP=Van~remQ@SsVjgE`AvKA
zxqHkIJsx0Nxv3uvTxu$%nMc8Axj7I%TWX4<2}dEm97Cyc2!uRlO0|X$bqA1RLQID?
z32?93`5P2HhWWgQLd9dIc<Z;nxpxKZE>?FoSup9x-<(~Knf6-f1HVDmDlAYq1R7VE
zV&SD-CST~g(v(13e&aj%wjq$U5}TF(8<efY=Is9s4z9$(O8X6bSjo&G_`VhLGTjoo
zSg;E7HDLKwINIuO(8cmK3~>fNVLGVo!CO|F0!?gheJO`c6#S*&Nz)STmv)B<uQoBo
zYn|ylPQ%ZjJ=au0W3D*2<e8EQEgTBx^Rc?pq0XqMO)Z#pDEn|4%^vDZeb&@vp-uS9
z^QI*x8a@o_UNohfa)wzTS~W%C<N4%`7&X;Lp<tsa)zpmXhl6P(P1uCjS*CQ_d<Czs
zFznvG0#!w(HKtO`a3jVXNsCJ$brUw_L48O*+++%(Yp%eFP1rBrT>-CRQ>-b?Fqgjq
zvWoG9`N0(^VhUEjR!`--aEU4YaRmZ5W651tAd$%nT1I>pxY=Yg)w*&!pk*_L(PvlK
zRSi7#CsVb4_Xw{Dw?n#WS|jmjNWizqVcJXR9X3AwC2TCc>fG{@$*Vif41=<5I7@@B
zx+4Pr@|8ypE|1<}(74T%X!ZBdvxs32=~%?rjzUzKDT@Xjg|ad<jQLNL;W+fZ3L&o|
zqh5<pOwW218|ifwikM6agQ{1tx6N10@OHU500x$uY}8xN-8KwT%f-?a<)%8Tm*fSz
zXV11@;bD-w9p`Q>db0zA%61GAci@l>yaok3(9VWyP{-t^t8j_QQ`aEsHSFTVYmm-l
zI(o(AKdwR@lhxOtoynMM5V8~H>TCF^MwFAULN1flSD}i@m}Ahw<dv)7vkT>=YY@K+
zTUUa1nXEqwxx3Jx`PX0z<KU~Xm&uo}!U-mqqd!cZz6yaADF1#9VwpUD4N{rheht<z
zIULI~`RFy+%VZRmXR-pzGwHzcyHWmd6=G3ZJ3O9RTa*E88PIn9zSkg&<(qg7ikN&3
z+ri|ltI){gzN^sAWaBmPsYLlR_EROE)J)f*pc4D7FbwJ{aY~H3&TbdrjxkJ|WDQ}?
zBK#Vq7t>d~ZOV#Rbln|I>^A)vRzD`ShPl@#Z3jKv8DDL}`wzBg2-$-jSZ{GA?_sM!
z-!2GrvJvd!%iZHnT%t#I!4{U7)WxPyApGFOn90W+wU~$|l55eY0XLwl7L^yS;F9%9
zEe8F#8&Gw{)Q=2@##*f7UOmImK4xF%(DzI^-t^cF{w{}ixZ6K=?mmUz!C{+(Z8xA1
z-}Qid2bg_(e6A;Eqa947#lxL}e>2tfMGu@OPGE1rEUVcUCY>^+FsF)6p;MK^VectZ
z2#iEck6(Ilt3ULC_ERicqrvMm&Kbk=m#`Li;xzZX=rrbt3x|r+XhwIPri44spEgCA
z4aaF`I7EGk8Ffc#YdEBTiQAMPu0#8mrZDReUw6aUfUuBYpH#!Dqgt^~(Dn3I(<Oh}
z5bjL<)f7fx=$&TY-7j7+QLPP^Fc_-Cp^C}OaA;(*G#uJ5VVxe$2)T?wqBnzv-wIim
z(P`{{tq}>gLKS195ox#LrJbqBlx)HE^dnOMExgsar4tR(s_R+_YtV4F*K9c0monIJ
z7{jGRi28SQz1|Dfwp&I08@k>Yx$Ik=saH*@g!-au*KketRV>c$u9+75(b`)f*~c70
zo3If+X1uPw6$*UJ@vg=NML>&>If}kw0iQmokBNY=KIRas!{V-zb@U*;qmv?>>3z(J
z`0m@SP~m3|(W?5`&wP%sn6J9U+>R%{2xnP8a}lLE5fEj?%8MhM$yT!$p_LJkIsj{L
zj&N=nV8-RUJ_4T?m{b2_bsZ59A7T!(_Vg0n3Dw>49s#*bA0g=n8*woL>O#y}be0!H
zg_;ZKY%kawYOZ6v#%A7vw<*DAkhzLBdqLeGbnF{1=o*CGkv#&U2BRz;3h9H*OK85%
zX&R?GXALn2QU8o%?&X0k0~yC)%`og7ly$?*xX<;__jwduVqW3cp}rmUn9u1IX3jE+
zhR`NvD7f`M8Dg6pW(fabzOGxjp}+`p1)&{LP&dNdMMJtl-AMBqdS^F?jl^~pkAO9i
zXpr3wi^Pu4sewz8*e}7|U`doYna=Cx+#6*MA@~cNh&Jca`Vo*CW3FJQ;I0_#2rLja
z%A8JHM?ldiG=#VK8rPY_;Myp228|gG>7&sNWhAT_&6FddZZ!7V<K3X@Hr(S)8e>kO
zDI=k13@XF%=3t?Dv=^HImG^?rZ5SZT`fXTXX*Yfmlc^QNv#wTVQm<;){X8rkHI_F3
zOT@w}W6^Z+NbQcXDID)2_SuA6o}3zIa;*7;nLc&Y88*=zMer9$on)@FmUVLnQUG4V
zXg!HydpC%hY%Zg(pa+w&{jYU{<aqO5T0Ii~as?UF3#MR)R&;}|DdrROb?m1E^rNyH
z_)NuEf1?|eO~o!iJA0>^57IZgLGJD57FIs}4h%3X=QGXRPLE@NO~a0_>gLRvj_Guc
z7lb5X!4xluO~S4~PEEp&z851k$(%~lFhcLdSc)6rcATvt-(TZ@L^{_C;_t++!^n<L
zF-JI??lk{E=zU(!y1UR#>l}}XaX|ZwG)4|?H?X>@WL{lkGOsRb4*G-UTIL|n_Hv>*
zA7%-X=i<z%9_c(W*L*O5zU1vJd&C?@*e?e&aRu<`3unmVX56!~MlM6&tF+D;0M9Ql
z_ksK@^TYI*H=NHhhtXL_ow)nQ6Q*w@w6DUf-qFs)Cs08<M>@0Cn70s?;+130wb1ZL
z7ILxh;X1Rg9(M&aNlGlsMISSz#H>6Vxk4?`6|v3-^Ua-JG`l;bZosKm8)<=uj?!TG
zc7r*b#i36jP6u`ayU<)<N{Z68=I6OK>UndlcC$KqusPWI9HtVQ6XmRW0Yk&oY1o>!
zk>}3Zh!K)M1S&R~qfD80Gi+kFxG!up`?_rmEizY9S{wz9#n}AHDBMGH8L}CjkL(F$
zn{oR2^?=6B7zK~^a7O`t(9RXU5BWeB%lA_+i24&o)0E!M#6Mw}nY?^0u<10Ol<>^h
z_>$Sj#7=`PfK{-wbtz^+#Tu0Od?y;tZ^MvC83E~K=0uoPhW(wPK`M=l))Jl9%FGFb
zwvNQzFqZuU=V>`cHFDW@&OSTLml%7!=F;QV|21<fOU&BI6I*tg&oe%_%OlgQ3Ud=n
z4B4$EI*WFj+qJ54U*`$!ubaIn%W>%qk77@~i5>V^Hwb$RI~!&CTR0t2w!ej8{8=|=
zautiwG+)Si2j?@&uy--T7rwCfT|5yWuc={Yq$t>1gS}E8<!nJYKZ5<25d7|p*2&7x
z$eH|Ch253XKmDS3H$s%3CCXG>ZGtI&mSF$dYTS?DfeD)IyakH<EO_He=gO&CvQn$d
zk&RI2XTehpehNL%5=cWEA>JSJhc=oO+@Wd5>-aN3|NV3$WTBqkaTp5xEwS|YVW{)B
zB-6b|z~>e$cMQLQz)p|s2*-aDwBOhViXk5L^wG~D^%hIi((G5cfA2M$6@2SNJD9{}
zSv$slZpJ(9?t^_0&a*@A#=mC8bD8VNMdr7|6b08OmmU1GgmzXhK4$dlYgt3{@QG<(
z^mFqWv(ig1%|4~1zty5_J_A*#pS}(C{MAXG=}lxF@SL5$qtD-s%Q{T$Yq_OoE1t*L
zk+hpaDBA9&4+XLk1S@W_^u1Rav}XMk;MTwJlAXFV2GL0G(9_SLGwg(H964y&7q<Ib
zZt0y+!uz>UtBfTDH&t<~wl}%-Wv=4kcDYB#8$2ljA82A!n9v}+>Te0?8KbwwNElqd
zi|5Q~agWbHG^TG8l;>NZ2rXEjN4*hGOlQM?>_B}T>hrdseh5#}es<vavvD+z_dM*g
zv`>(YSYiArGQZu)NKw9)^xq)+aFzB`vY)5?UIq2|A1~NE4E&D4-?jHMI^+)EJbalE
z6WEowadiLEtPC~)rR4GNRxkp~>t8n1to*M%g7yEOE0~HE7*n0q@c*VqSpCY8^JXQC
z{h}Y2k%t<9a=>?Hg}?U86Yoamx8ON%Kpy3hzZMyvJiCr>k*Bx_A4|8H75>(-{&ms&
zFu_<vSiUEa2YD38mtvqq%3m(&-$gxJ1dZb~vS*L|hCEDDYVB8)kbjz8D<(@%L*^N{
ziFL^Q!*85-BYPS=i0m0NZ4&qRm)N6G$eMk<e&rrah~&1lpZUoADF#n`8+o{g{sgk8
z0~e+8gTEJt=ssl6A$b;gD%vyZSN;bRJjd`NGJg!iYmNCq9K+?vaUKrsM!wyH|B0OF
z!O=gu##~EXgdFctzp@<@rh61Pk9?~K_h~mPlRbDAvi?~^E%h1XDIWTdkUbmp3$kZ}
zB7ZU~Gu`c1l(m@P8FZz{p0nUXWKW0AA$!J1j}9?LZbSAgpN8z2e;x98SO25udojVY
zf-jLhr&-^hMF+<sd&a=M$T1#0knx$gaz2N8&mQ_aa-OjVVCBBT1kWCzzqt1ZOm9Qh
z=Pg6!US!WM-GuBJv~|dy4fqw=a~+BJ)tn~;N%pVUC7Nme<8@^IDKO6GkY{-4M_v$n
z;4Wm(7%4=?yH(opcl>G5fB%y!9S#Ote5`KfCrIOj`KJre9*ieZPd$q%V^fCukPu0q
z;Guuz0wgp2E3Wz!<ssA?K2==6`xvON@X*_d+fUS2$@&*WeT%GrN!0s<O7^#k`gmEt
zL)2%<`Zq*<nXIoC^^LOrEb5K^#rAbEeYHpX@5KJ;kN?<FeF36umcWUg`X!idY#QIk
za-OH!RhQl4&B}K!H)-3a9v!RrZY&ue_n<*jhpy<^l*JWBLhp`ct^~y!$Y4v~UXOdG
z90{=W?XldIqM7gA=C*=`-uX9KMkncZ$rbm0=ofUcJM$BdKA7&gj|#hjx27zCBc@}z
z=Q0+CY=qBXbi<~V#y$UwCSj9{tZ#CsNt@hi{V7`-=3qy*E{#pDk)Eli7jH7*rgl(Y
zOW!=;C0a|l%tQ@4^3f-w9gLqx#!+@1FZ_-^<(RnVl*_AFo?QdnWmuFmlwk(XEu3wu
z2|swx4?{AlewjNQz7?<9`dR{dSMKBqF<2l-+qn14z+c%Bgn8Z$umtwd%P?kJ@!n~A
zLg^cNnZDEZ@*)ZB(Gnh+s9{GeK1cA=e&au8AhSI>J6MPt%TY1QuU)hBXwZvpxem!g
zab|pqMFwdF6lE4lqnkgy4!KPKLzjEWUF~7=hc2j+^=n0ai>&|1!#<Yx87A2$IHtxK
z7xnS7K1Z~lCF^@)d85f#zD(AyK)rFoM17;Ie^#u&OV;0odSerY<)gwR|9gAXZ?ix;
z)7$WdH$KtVj@Lc>M}3j3e?!#Q$@;fNeY>n@^&8`d_CtnC^}i*SPnPvxi2mow`W8`N
zCF}9Scb@gP$og+kpNu}R1O4*}m;Cz-^)tCzX|q5))3;&&4bju~p)|%9^;xK&>8a1d
z^2W-)4sTEzQ-KwK8F`Ryhl!t&je9MOO?ZPg+!8V@7;ofaGhK(w8Egt_Q)z^4s6O=%
ziQAx5G~sDF&B-VBva}jrp#F1lIa-AUJeTGdkd1L<j>!2Fq~%PN@@wVcNVsJ{z$>W2
zUU41hi@pw7Gskmpvg5hTzn9Cm@s@Q2_Wb+ULj&}JOVAyw{`>o0kdFGiQ{G}TzegVI
zst6xuO0AUjy}Mh4bL$XfWAvDr7-VA~#CSUL2=)s<@|5G~pyyDn#tfc!0+NoJU5hj;
z(<C|cEavwt{~R(q3mC^HWY4SCR<y_eREp(zTv7I51}`Hw%HK2i0p|DIP00C=px)?l
z_CH}5*Hb@qhn5jIB0r#hm|h<{MH{{GVju7siTW4&SX@`752D_v>#uzvp6UOJdSevX
zF2|TxjeQ^s^)%iW3PxH6)1cAtmys5HNi!P$HPV7FBaDI`k(N|zj*W*>gYE<CY=7*+
z)`89^BQ0J%^ID6!#^@#A%_3(@+$nK6i1{;0MXui}a)-!+@xSL4GvrHL3ZuqbLi22|
zh}k+{6FGdR$b}O7?h^G$Y~{wo)$TV%ZmtqIPw{3;IUYuVOo>Y+u9mo7;+Vany%eX&
zIkldQuN#yL3HYT5iPPTqEP&sDh0PNzp>uOS5R;V;MYgde8V{pgDH2yp+y-PKjz><N
zSWMY3a;wB~ABp-*i5nzN`J0%(@*e`{DYaq(-gOi*D1{O?9TN4O68koa`qCpJHwb(O
z?yirD8PX)qmN;MHT39g25;`d9bJ0wb#F?-iv*mRj6SL(X7dhyJ$Vn1cN*r@i%wO3o
za<j;JO57<iLzBeSr$v3j8Idz3&X>6UJ28Jwn<wYt6XJh)Cg3SnV(;%oy{$`R{%7Lu
zK(Ckd{O{-8dgHl;HZib%ytRc3JRZhO$(FcW;wFg|wpsQlA0u&w#Q7e~>Q~A=5*XJ@
z+$ym`#R_c_CrF$jalV_i`jv8b0;^xCm$+48MgK22j2_GM79Gl$xLD$h9!7p%zf$c=
z(CSw@C5~bHX*`Sy^L<2a?jv%hugLoUb>J#r?62$f`jxg@!~#J9BFFR-IbY&Z_O646
zgWgt=QzZ5t$n|+fi&FFigG(i@3>FPmhKk&56S;V>$n`@-ZVl5I&wrZV_&_gQ%#d)a
z$W0L<w~Y`vE>h&|D3O)XBHP9=#{M@PNV`qUP$@Bf&0TZV$nPB|a;wD66GXjjqR1JO
zklFYf23uKz2Zv7<IVN7@wkaa#PZc?ChR974H{VJ4J!!*%@R?$PHg=Wk>CkMED<xLu
zi2B00A}jj;0cX^gau4D0ZzMF_BNphqSLCF5A{VDh{E*0P3q%fDD00riJTakC%1|$H
zlf+4j#PXd>MJ``1a$B~@IeF|xghv-=t`xcY36V3`h+HkPvR2eL=ZKufZuxrDmsk0u
zn2;p(NWIKYi}^d)oe~d&`Ok^0{88kjjRNN>Ibwp+EU|ZyP(ZOs93ye1#2H(}^37X4
z8RM_>&z=c*Gp<bJ42i3^i~7tRA}g<nTq$wkE)PA6|D@d>3CIl+2fZ%pizROTi>Pm|
z650E0kuyD5n}4Mq32ZE@C9an^o85QE!<e?65|_Rs>Kon_xxU85eE!?^x)L<QK~9mA
z>O{_wIB379_x_v6X&;MR?qXiQlJKdRq2V);6B<P>l(_A%sE<1$a<RnC2J7`JzQ@G^
znG&~3tTc=H<0MWxCF(2Bh}?FLv+MkCJ1=I4lQ>D@9ElU!#qwzqXG>hj*?s=6l`<s#
zBpNL25V=<3jGsk)vBVt`+kRpBvHy)Ij?)s{oFs9*#Ff8_6*fuSCUK|4DHpIj-a2wQ
zkjWA}I7i}giGwbR`D-Okx+Lmz;G>y%#TR~AOfHnTR^ld!TP05G6z!Gs|9{KXtXh%t
zlm;<D@xCG&$h;<Ut;8J?D_vs#V#@DL83UVd_GBFKRxi&4MM>x>a<QMt`L~Fig6|=F
z4pgbcwf#hWeSZ&TGrrU6k$_w{P~?35?wZkpYMBR%`8y?6hKc%=FgI%}POC=(Ye{vu
zI|E}|gvg~5`;HLx^^qcb^Z!H56$2@5*6LSE-3hEdrA^|DQKCU*w8*|=M7G@~a>`hd
zJJ<sWJiPgi7h_<Yk)Wk3LE}ZXO%l0O;tq*3CyV*hriko&yUx7*IOawIuU~1F*mj3#
zAXDO2iG8Pw`GXQg_D<sLTJh`k1S812?-UE<OI$ru)F<2}vNA{Hn7Ja?b9S%zF?Wj@
zitiP<b)Lv=_laDZCUVmsM7BLBvUdjKiS7kAPD^lesl*Kuw*pDQ1+;vDXg7SJ$h8tz
zE)w<CnIgA6Eplan$Q>f%Ez0M`48_GFS4vzjafigV&0_gtiR%Skgl`cF3HT!NPSHTQ
z{=%pcT5T1gK1hEX)zEk9uc8`U4}<Pzw=n-I7Ausv9-d~|V)lsHG9@mBBX?V(^Mdw@
z*)k-~k+@vqdWqX4_GN#>gon|HIFa*|3^73|l(<^rW{H(rv4RAN(<IIp7}uRjApw`5
zI?<r-CnBeODso(-$SD$MN?h#8Y~5=*DjH~$IOuaxpCED2F;Sl)ai_$-$KCn0bvMBy
zfsIwB#HA7!pKu#s`70%EmRLC{=8thRU-vWI3Cx}n(<~Oqkl1!g)Q6uIIa}g#iSy4G
z`FZ_Htt&yRU-A9I$iO*G;zEh*CC)r6mT!<)Y0>q1{YspX!0S`IzZ4C`N!%&1_s?Sf
z6p4!^ZqOMTQY}GwaleSAvn8&SxLIQFU&Zoq5@$+WD)K_5K}=9OB@VwJR*)ufp~STk
zx5Cf&;W;YdqG%>t;&O?bBvvko<zpnykhoZ6s?@?)X_n9h-j_u?;SwiFoGEdk#FY{^
zz=Hd+xk{&4jZNYNi8Cb5m$+QwdWl;_#@PN%azNq)iPI#`k+@XiT8Wzl#`-&j1iXuN
zMRX`m;xvhKBrcb@UgB0y*5>wAu|k`~2@+>WoG)>?#Pt%ldN5yGu1O9^oFH+A#Q74J
zOKiI?+OKpofAgar{Qh7Gotkt*%vUIJy~LdohlAgPICBaWleR({+lg9<TP5};V*VJ3
z(<IJ^?O4s!CMmg7VjC6BCP|zPQ|DVk{pzJ;d`W;M$C<>^8SoWLu9lLUVN^OM+stC_
z1m_A&CV8C}G2Pco<Zy`-Bu<k!TjD~A%SFZwx0s+bN!%u}_K9sAJ!9;G*eAC=I7Z?m
zi8BPo=*|%maKkNerNs3TH%r_hvA4JApv{xn?27YDKu(c3Q{sGyOC`4T6DzFjFS4)I
z&D!h^8sJV~U0Eq{o5UHxV*c7tk((sW7$oX*+{{;($}llQT(rn35@$-BFL9~F)e<+j
znAfkgx)NCXamAO|H%4?QT;c?Y(<IK8xX@s|ex=+<;PorsW5o*7Bu>D;V`hgj3*sh<
zoG)>`#L6U|zq`u-JiQRF_saEjBe_{(Z#c5hGAB=o7ptq5xLIOlikLrK;uMK<BrX>j
z?{kU?N{7Tj31Wo_5@$=?DY0#;SUzZ`C*!D<rg|nIKQ3~$#Pt$q>VHRIbabu6O%jLe
zf104>XHk>jnSh)oajC@B5@$XkI-D<Yt;F7|-TAeswRt44P)w0HN8);kn<cibaaX|X
z#YvpuW<G1G-3cte(jakhj%cvbA#&V0k;`*MuFVs<{Aq(9(dtu@o-q<Qmp&_UtHkx|
zMZI@{#QI-q7%`CzbC+1A;QwE?eF-~*Zx(ZB0C@zr=iYx3lhY(Fl(<&n4vB55XfHwH
z9FcEVD#Zk)LE=t{!(S3B$bc2B9YG~xa;wC?TSR@K#I+Lpf|x%^;*@ehpQmJs2}-`i
z4HCCXoU&aos1!=vB(e7n&;0ni4L-`mEgA0PGA+@5-miJ8alV7!qn1#}c+}#%AV&Xl
z7b8$wCGM0sZkK2)TjENITVc>r^dtf1GEojsGoipcDDpCPi?)g-u9vt&V&6)!e2m0N
z5@(8>rxc0_N~OdN61Pe0{krHtxWq{kX9|p8FtqsRRSIdi^hn$$vG-rZI&BgsNSq;Y
zzQ}n>xtO5TOWZ1Poc{MnM#N-G+$3?Q#0hVDHUQV(w0Audum>b=mAFIVCj1Ktb{GyR
zwIVmXC$jhZ9?aJNB+mroLW%1oRzC1Bfce8EPLMcL;(QO*&Og;2320AgkT~Uk#0oPd
z&X>4U;%bQ-+|18^g{Q;{TF;1_@P){k5*JEbE^)2I%2~r6uU`prC9wA65+!k(#Q74J
zO5E_3Q31EtDsiX5di{#;*J6Qki5nztmDu+ivAp*skz+24obVfG*K@uMJ;8|Le2L2?
zu9dh+V(%+rg*J(kIJ=+oWk?wcB`%jZ=BijhlEfL;MSYIM#TsM(8!fJsGSo}lEOCd#
z-d$pa88<{Om00n^KcAX}@nJY%V+kG{CvlF%xSPtx(^#{V+$piIzi2kCugEzPX9SA+
z6syRs0|mw&3>Fd;?+}rbB+j>q`euncBn}!R=8q8=>rWFB@b8BuZk0H5uxK!Rh{*L4
zXX}5rXAD%eC$kyc>Y0G-J4`f~BXOm~LE&QlaEY@eF7#klzf$gzz_?c8@R4E#aT4cC
zTq<$3#0_rN>Q}O(#0s*bMQ)QgJVw-KOI#^&&?qr~ri*#~O5tcRgZCJbt0iugIN>%i
zf1$*_V?}+q!Fv5lwvoX4ACG2<6JkXJg%a0G+$wR>II(<&&aM@_RLamQaZsFSpj_f6
zi530NJ&mYuo-CI4o}#gP1#jR9uJx={;`{{BfHGC&T8ZOs7xmQ=7v912*#Cxy^;&|P
zQ>KXqG9`|gF6w;~MXr~)dWNXCB_Xr%Hymi1DQ0Ms*!wO~pDA&@#LW_SNSrnczn8*-
z&2S()S*##wuE-e@=S$owaq-<^`3{Mdd+~cIo(>e=D;7vuDss+aB9~@~+$3>zwy5`B
z@&9ynHX&|RQ5=5}9z0qX3AGpmX(Fhvpq)$wdAQJI7eQ#c3$7-+tYq4SL>J9uED}4@
zHsch}vqjAK`4q7;QtbmbGrOm5GAQ~)p);<soVt3r@|@(}NzQ*@a`OA1`}IC=-p9R1
zb9kw%g<VK6d{g@~;L=;#AHS_RSkb%!>~(uOK?67iF0JbHL*Oy6cTK170C#sm$gk-P
zA@Bikab2fhx~@6Bskt;z+;y5-aQeV8@XDqtfN#5K9sxIQY5$61-v2@+@Oz5D2f!I{
zo1g;V!ENo2=UMiD|Bg-&4mHQX`7P~l10Q{&{Y#%}ZhSW5$?>;4C&=L#e?Chf?0=!T
z^rhwja3|9KG4SZCWB>H{uYP?jNPSM_8_h%D=v(bC-qoA}=eM<gc+AuK9cM=;DBaVX
z0=K`{e*Xu}ZQucLd}=zegcnSfmoJ*FVE6zy1Lj#7ueh%is*jm+Otw1hU*UUZOCY!D
z;T67f+6Q?^<*qy_1v#b~%ej<VVm#XDx(m4m9kQX)ikqhfe-wtNb=5p1cx94ni%rcl
z(d2E{QUVTutH4bv^tiMRE%w|C9M-%i<k6NGpZ3Jm=^>k1$INkQYw81sz!5OFdzDK|
zsmG?Afj2*y7k}187HLOPa}&e_v@fPkhpW7bI#hUvi3k0QiKr%qUmg*|&#J}nWJ+Ru
z+85KL+*Q5=>zgQdb_qh@2sj2#fK%WxaHg4mf<2)(Wf9m14uI>xP2e_gM=>9QeI@WI
z88`xtffL{qcnqA)vz!7v6VAzQf+DaF901pWo4{@0&KyrpLH#*Fj^z+I0*-+b;1qZa
zoXvQ83iM1srsFjL>;nhDHlUZy-vqx6sAc_~WB;^%9-p9h!VowDj)4>46nG4rSvK`M
zo(XAXTUZ3PA+M}I0Dm303ET$m7(QzY>_dVOn9nGEK3yju^Lbk23}labBKsx~m#rkA
zEs>ibw`ou0KFA>*iX4NSQ0_gJ#~^1^7P)9*o7pOTs)<|&xk)XNJ0SO|CvpUGOj{zS
zAdhKJWUr)mo+2HJ9DrP>+%@;i;xfp6;305Km#%TIYD0<H<toy?$Tkd^mATJaa~Enh
z(3h3dvTmXc^kw~?3EX9wpMtHqXFgcx{<gv&xfN=y^K-9(d{1bHzjJ6V`e)sJgIyP|
zb9XYNOJa6uL(Bo~u%V;t+*f;Mio99bxf||<)-uR_;1Jl(v}cP+z&`@!PVWZy&>6_i
z(|S#Kz<FTqbGewZ4{{ZlfBSGU?o<!i6gZyK<TsIRYoBsAS&l%CsmyXM1$hkYJflnV
zfJ@Z6=`JkRL0$rG1M~ZFoUIUnyiI%DsB!|b4cB8ADZBrWbLVo~w74<Z;1|W@smG>V
zJ*!*X1YV{?Nj;>(`)o$ED8``{o5hL=<YFtT11|x0XkT(il-p#(FWQOms3j(#jZOCg
z9c{W*-X+VocpEs+>82H_CUOPjDz!vj0(qHwEO&<>Zv!X5Bj6PH05}8AKd&0yb$l&2
z0dO6-3ET$m0QZ4I#oTE{O5m$D-~>1Y9s_5<-Z{0zPH~>4)AZ*B<^Y((PN+k$3ET$m
z01tqpIi7UdyK{onlmZ_CdkeZjCEx(KWFG#?<YzMcvm;;lj}85J%RSwV){X^79@msU
z(p<c!dGtVY^~7{ksgx`E<JUD;-_;y{thnnm{#JssJk~sTYWkkAtspdGDlPl3X}|yM
z^r_Rae{Kzkr=plQLc@#+mke?VJTODHEf39zYs(|xB{Krs`eQTx*mA{;H?~|d<9H`5
zJ3-M5%(V$ZGZ5Eu^W<y^rGeoo&6Tp|(XW~-ziDpI@#N;A|GQ3b^apUNdGx2|;4jS~
z@CdkJ2EXtEb|<SmF@s&~5+@IIfzg5H{M<H_HIm$)-n)?ea(qNT&C<(D=gV_`;n9<J
zAK~>cv(zRpSYdjd?7uW)nO8ELD?qq!UI&v3<v+VROMjBNWL^go-=q9ry)pC4jEzT@
z>DAD^`^fIk^k3+nJ0YP?<nQ1YI{%^j;t6|?B|b%$h3n?%t}oDc!kJ;7cJSYce{p(t
i;OPg?-)4XD{FHfm!ppbamkZt<<Db;RA2Q|T<NpJs@gPnB

delta 49980
zcmcG%3s_av*6_dP+<PP52v9C=1-2-NsEDS3rihkEri6F0M65J2CD1g81iFaiNyL^q
z$db^MsFdiKZn}tcGfpLLJBfHBvLw#wNK{@>6TdOnW$!ho@A=pJf4*-$PY!-_%sJ+5
z%(=$8?TSD2ZQSo$?C%|Br4l>hlz%0uq-0Zg)JXR_v%*fPX$eX<{4eYus@^3xy%g#l
zH_W2sbIDC#hI$tdRa0G3rer?xkr$9hNUZ!hd4xK=<OrHh_ivF)X&~M7m0Ux8gC%dZ
z95d;Uf7%SZ)>D$^7swu%TP;gU<h3R{c}5;@evMw+A~%^YlSKKr<u&@n7J0Q>I(>hO
z+=2pg$GWG}6C32iUH)=S``5~W?n+Ip><1h6Rk{Zf(q-R~t{Vxh_)<>k?n@%&Row^C
ze>Er&ChzYaO+Q^Aw{>qIedW)43?gOn1^l;E_URc-e|}g_?3qg@%13(U(fWCEqDPx%
zhQ7C1Ufn%ZvqSf6mJf7~B2(lex1FG`&65xJ2qgm*L&5ST&uH?vJj^SP*yO$V?@W1^
z_ao#^d5iZWy0LLaV`P*(r&lyR`hZ;2tAPxX7xx}S_dFyQ^$w+PJs=<G9YwD^B)9d>
zB@fBVeSn^rE4%qN(NAP3%_RL~>SrZe<N&`xwB{k`%p^nQ6@HVbrvuVg5I-_UuJ_9&
zMe=n2Dbzkk-s&GuE9b~f{#%K+ysA$gP1US;Tdm}Fd6;z&eL%DFtaTFgSFHGwbos3H
zH4-MT>AR66$UXZ_AaU~ae)p0nd3(PpWSD#&{~ag~3wVV1$y)+mBTvbr1K-g5TKkeR
zaB0eH(CU}usGuk^OI{vyg1$XRj<<#43@x_}A`$WyTQtd$kJ$3)Pj}0S{R_wf`FQ`0
z<ZgL!@H*XEtkD`aVDf-ydThR&JD`CKmgfu{L@O7`xdTJ#p80b5z$kikk=!&emtIPc
zQ$h;p>Dh8iNILy$lRP){ux_z>lhVGre=rB3RjBI~MedRJ4mv?zm)C|3qG5~JT#!)t
zcvv)9Dfb+lNA8n13|@zW>l1!OH#1f>qxu;gxrzA)J#rs&G#WCSIS73#Rc=F3ai8ql
zGm2hHWxht+C(HFH8fO`ut)|%MYzK;2o9K-Dn1j$aXUR*@H6l_K4;gx&;vv~+x_2%u
z94@E(Y{lkX8gZ1WJwnGjJ8}w+amejY;;?VOeI4nwFJx2@865VNx>c}cY{$JOj4fvq
zN-x*)X3P0udHLvfXj{4*7&X^BRZ!L~lMA9MX<fS9xz#EsMgNDsl`hA|#CnMt*U1}V
z{OHE7AQ4Qyq)<K>Go02H$Zau+{f`w%l10Lr@n9A9+rXIZXev*U7mV?vD{`S|AF;~C
zWBRepqH@d<0<zE8d4F|RdN@z+jEN0?L8xrwi+pA8zX&NCO}^d^p`%UD?u)o%iJNzt
zu-PqI15IzyS@O#<-D$wr(D^p?rJc|33!Jo-(wiHgvXZWrhfa>9|K1>{OirQKmhG#V
z97xHweP^f4Gtq=)_T0TV9`dwlVbrz^5QgmAG3|CjFFpny15E?utJAyF@4uGa5+khi
zh-<<ul6rRVM{)UUIWaMiJRvVn98Nus$fb$C-X%gaKYmU=oLE5jzql{)-f}{x9g#05
z#na$=Id(=Y{p5(8i=w1nu9*=<e?c9JWA$>x%qY6<h`eNGl)Nj(Q{FSv#+p(;GlKr7
zUhbS3N=uH&p|e8iqxEv)tauuI1Uy!me7)*~x`X9|v-~KwvSC&reGsi<k*In(a5gT9
zBXT^7C+p>O6sM2KTT#?tJ5ZSF<rWk_)XN@oLh1M;a@3sIaNl~@7}(KedZ3T6b5N^L
zXUns4=^S7B#1Z)b7N$q!ra8XkxqX-BtTTC43sc)e-f-W&x1>t)h5Pd8qNQ>miKRc!
zl2gbMJhS-R|DCCu<58@X`KOoMnG$dH6zl~&WmJ3T3r+KSN={FWC6nY!3+-fxyf@WO
zdgH$Xpely=%VmpRq}ON45f2`qKhBgZQ-h(_kGRX84?R!oXUbb2+DiJ!!yaBp-<c^F
zJ-n6NCNF<v3X$dIi|-{b$OjiMr0PaX8s#-<3)#+{Hc$S~l6-o2nw<VfJejKGj8k%I
z=fsUl&JfIbg04|>5tfTynIYFKPN8Ayc{HA7qi1HwO=)xGryt9wqm;a~dWM|7xUalu
z*$^-HUi{7xwQu{fC#kjMAxYZ87Be1)CaIFG^M5=dM?9X0yX>0B0lVOn5l!9Ix?YkO
zXAJiqchoi4EdR*c<dl`l**<q=ikGO}Cy&m2lJ+|)S7xS=$#TyXC&)bc{EA1s9uUl&
zmKUrHVp|BaA}Sw{FRYyBwM;1Tk+F!V950`LLa8`qRSG>iRjyez_ZG9y8V!hbn&kbf
z6$24Zrr^1J!;^Ne7-1v_?wgZ!8@VM}+P5luBk_7sXzq{l-lzTOi$~>%9A7pfO-~2P
z59h?;Ie&M~m0Q~OF3W8d8@1)i&6~`}mEtM%ySwGsH3hV#Kt8-C!aGZ-u%M@LW<+fl
zc}woSw^W;^H1dI?vPYh?k$2_Ak*)IDykAJMyej_+$&{BrljrrGP+J%I#xu$U20oi|
zi?UGO@NAHFPU!z<k?I5T`DY(tBb4}D3h|QnKDUuU?DHw~_XN50`3Ua}q3XAL$dym~
zTE*mzmz{&<u{MRCOpw#pMtIi>g*T~%#pG44!cAECP=Xv=kjvUpQ;>p-BVgTd?-Ie%
z{i-D~d4kJQ(Yh4e4=$`5?qw5PX|O!3(C-#c!tf1K#k@iCnnJ%ZqBB}o;X2-=uH)>T
zNjKPEEN~D@`^ZNM{o=*ao~-nUKQG;#<?~nb%`wa2FIc_r5{98)57}dvdZDo^<reLB
z54q@B{ZisjT_IB*zy1;W^-;NVldt^I`h>jD1WC%?nbpZ!ki8>AkrwHU5|(6Z?e`&X
zC=Ik@DpUB7Jql+Ja#!Ul+_vz@PSRK@ElFLp{C2!#Q_HCe#!CMCq&(%19JRbO$Bif%
z**16+kL($$BFCDhHqc8g_-BT5wk4_g-&D)x^ij*{_AS!yH<bottMyCSo79%)SX2LZ
z6@@1&`7>vRs~riC)OfJQF&c+y9H-i!X;XP(c!HWRNA-d1my~oVCp=6|->Ehz$6HNz
z_29JHgRSzHFAmR}@2}*}>1I>q`ewylb9}W@R2^4~bW|;ssZErRCX>{BT~M$ovSYF`
zVamTMvmBW(>D}y5>}S5DcJslUa7n2+^Ci8X?rQU2vaxd59Z!w5ZfX;fv#niisCGu3
z<E}UK1Erxk;jM~3+f)AchM0s#HFLgVQ<~FN&s?eYs+VTm-=<{9?4vd&(_3w2rkC3K
zl~#F05sq1cT55;Z1Z$keYTs5`$7-y0ZKZXL#%kAAT4OX;yOv{()L3nDjx|i-oTWA`
zU7Ja(zruOhJJc!8v3hD5RNq-??WVEnJ1ebSHI7rpaHZ8<;{=6stdho>6IeUcvEGrU
z>Dx87Y23=B8JByK{QAbZdGYFS9=cPNZ1F9+hwTPsO8z<IZY2uO&af#NveiZGTHP4F
zD9%Dug<T70va{6b&=>ciMXLSm*VSpv-kGe}ziW;;PBCDSmZ%*Wp?c*UGEZT)?XY9f
zXmvN3W0|d_`)Czfq}ey+p)dG*mkAqZM0dl+87ykw>4`g;=HM2|3r)(g>zAl|V@mAA
zDQsUXR9cw5BVUmg>59^j?41>AdWE{oEYd|aJzI6S?9KAnZlQUHv~4cuZbd82vFQF9
zptL_TxWA&v30Eg7bA=i;=7g&gow;J7rcY3+%Ultsagtj7iWrU6fy`bJsc|aP-yvnM
zP*}<i*5p8KMy58a1_r7FnlrUgV|CzjrphbiL3sn!Qg&@^+7a1I=&@}Vye4D2^sq_l
z{4hN`=4fMjC`4s;?WXPX%GIxrS<QcFrlv=KVH*!S@boGTo5cRbBKqluU9~ft%rPS#
z!jrJ(U@Q~Mnxi$8T_8Qa!8(kk?-=m#m>jKw?A>)r_i|>c-OJwX&{*w$_HMQNIWx8W
zW4AIqc~XwHOJ|Q}Cb6QK+Wd~z#%ZQH;EQfo4Lvkcn-K2@l>AT8ahkkKlhZUgTamhB
zvn#x1nDV))TuINK$b{Tk@ifNCId5i@hvn&8-=W_<h<6{#^ZwP~>OWg+tRx$n_p#FK
z9jfcBw4PI3EPIFQIxDT;YplA?N^7&ms_W!f8#Pv3N6N7}6wcXJr^=<Zs$5?!4=EYr
z7w2%bA;(&xl}(d#N}i$B)8)>RJ4pph-GjIJ9)0;S@|b-5<#8rlEb>Qt7mNtg22UMq
z=Oq)HWxXp)A4E6P&s}Eut!=jkMc2C;*7hwy(bGNtH$hR7eDD<|C<=Ww6z~5{e>Hlp
z1vka)o$BD}gKClbGf$LUVbK|elJ2KI<a>pkVNqtBn!k_ccg3)?j0_r~bv&o5lH0j0
zID;M^)thqW$Ed3^i4_Z-loRf*@=i59M=_4;&AF|pK~2s!o9f={!_@q%Qq^Y7l(%gU
zg3KPoFE7(yJCSRFLZ-iZip*KBp1d;sRZq`Zubv#UwNq-&diCU(?WJ}C&pm1#_o;o!
z-Vv$R-Cye)u3KEWc%SQ(>LW=?-(W%$2_Mr<JDscDmF75u6xH{#GnJbUQnt6|Fya1c
zUBU2R4-%S}nXLDrN)1Mm^*&T<toNZ-jUke4N~3bt*Qu<9TsiX{Dr@tSy<4p(N87*H
zex~-}eQhmxvUb4m0o2My(?4&0nPMPkTZL+<TpjpBQA&N%t%lxK2O}#|^^bhbKeP#D
z8!M}jZ3|3hzo|~B4-ODJSUNj0`=|r(aL%?YrQ*y!+6ZjR*H{~YZG~#X`q-3$Iopa=
zcFtmn%FifjDM!sF%`xdc-*OYCeMbWF&}CU0d{Ds-J2E?Rre>%Hb}2(6W$#j5HD_s>
zlAbeC&F6~P3e^#KP95{?=WR-c%mTH+nJ=gv$t=_&w)IPu{CO+4J*xb%a%q|(bEc-M
za%{3H!;@6mEkTvepiUhjS5T*pkSnNDN5~b_sUzeH>XZ?}Q-U7V&9^BPWbe?NMT_b%
zXi|IZ4C<;Bb_I3S8tXw_t;X(}y*jPDq_IQe4s^Oaw!=4S3GM1?&{v$bRpSax->h-7
z!Yi$(G;Y=Sq{i(UH)`CWm3L^YuJ9adU8gh%XDNF}jH1Y~)@m74@654QYaG@ozqfO4
zUWQ^vUj%G-TNuNNXDHcRQDvjzOMgA8bSU|6jVjZW`m%Sbt~cjSXH+>t9Z6?Y8LY5=
z@^wX(K}xzSstmd*@7d<>CB}`7a?f4LeVK?|DYpcb_jNZ0m1nT4a?LABQ0con6rbIU
z-yI$MGe!e?@QX3HG8`5qoM!1+>L`|bYUygUl%3tI4%457mZ}%HLQ8eBGFMzvM@>72
zWUjcXvA<GH=86uD)yd3W(XMfr+ME@w8b>nD!_ZROyMmR4D`h)F%PO^iGqkMGSl#1t
zrk1I!mCFe)QF%qOV(8XT)gjocLuTt>pl(oeL#M%NrGOH3s%=w(#O#48{NIUYu>tI0
z8}VNaXZ0w-7|qtFVw|&^S;7z)qu1(Ayus#*toY~_^XSoSo)X^TX@VWuW$KXUP@Bf;
zkmpcsb1hScJcp_$+UzoQ$aAPVg4vNuF)4?tn{RfcHnLPzh|z8KEYF2XiJXyYIGa67
zD=-or8;|T+ijZ<fs^M?;EVUsyT3DPj^3TFw`C3Ij7y9CZzs{`%^3b<!|26!bH6Lr<
z;jT=+EBsa6+ZFz*?(GVH!<784@K<r~KM8;R<lo*7{x2bLj67t|Gj!%X7y?g%q&=iR
z2EY@#X6vgNW{f1g<YjyPiA7$!ccqyr<Z0VN<UW;syXw)eSsq{cIBm(7D=Q;t1>V<2
zf%ow}-brDU{!YYSeHM5+V_(BN2M9ie+wg8QB|-Z>-?x#FWO>g1@8}wb9CaX<p3jpH
z94OVErqKF4Io*DMZWt@)9tkCXm#0?`r*TK+-0DzkoN#R&)vn$Pp5c&ds#8e59Ps`+
ze3HHU{b-!Hv+w6oRHS^6LZ-<FKNwE$Ix4q);Oqrb?uP|x4qv(7M+x{qeep*dNq~Im
zqv5QNp$DCLkq#V;qI=MQD-kKT#%1780<p`B4{3FV$~|gh$Sd;X+AqjEa?g*4)7f~l
z`(vj?r23DYg_nJjK&H$4KRH1b?%VL`8)mXf9$hz&{IPFCT@dk(G+gJf9VHTb`;P(=
zBTxQv5XqC5e+leW3Ae8T$pdo8SHtnOfjM7A(>RA*^i>ggXkWnB3kf|Jt&C<DdH0dw
z^rNG4!;w(yN5W|S?Sf%61LaZmarF2Ed3Aj**(YDB$2T@6$Pq_l=@%2^^rJP@y<LuQ
z;FH64d9EXn+>}>2g2;7wi(?S>`k>=+@|Ha8*yA++s9btX>2>|F6h;x>=$`YZw~3#V
zw|p~*m8rop=zE%l#D5mhXB~3GKT~k7Mt>VkpGSZE)|msT^IIiH!SNLOQ>@%_Jc=e9
zl>-}`S&%9llq^vvQpmgVmJ|1qL-P3(K=#OM8i&(qsBd)UMv6VTRjKl13VPS*Q+W&y
zoJzr$SA0$nrzJ<__|u_Q@d?4%pVi^SyalII$e?}aPv1+-^tYQgWzTc|a?;t&<hFh1
z&jKM8`__E7j*xTvEZ=`Y$bI{coV(Xde@>PIe=7GjUTCxM<?u|o;iqyoySc4f>1TK1
z8XqE0{MXy$N%_LR?7>gs8H`=ABneL<?oV?*Cq4Y{crWoW>c?`x&qqn(z6(Duq=d@T
z+g_t>^Y*p1RT5GyZ*Sj7%H?6dZX}!c9mIdhgYxv>H<F}%XMewq;JYLjE^Z|K_N}?}
zhC9v@1U^XS%lVx{|LXp5bqRP>p~-}scj02+aPvue_1G3S5=B4$=ayI${>QhhCK2?|
zH(Sb4WPQ7(0Y%O?;D%MxJO2q$Ozt@jO9%<1zTZLtlcC>0Ig^*Zfx}F`{VlXGIqo>P
zQIrYaLMW57zkzrryZjTDFq!{PC}6Vg7?d;lGL~o3f#p$d*+o3<y-lPM>$G1mlbeJ*
z0~g%LJhB=lcOiLX34Gp#JV`!-@$O_eZ8#3;?!>o$nqe~7{h>kwvpM}3cDs`aBoWTL
zlPR?CcM#E)#FG1Ac~^3U1~q_(mH3iMSksL}<CY15K8U;ENH?q^wgEc3A--bw=}v+u
zE$ao9(~<LFdQWnKUU>pSJxCOJ2^M&eLC(VAu-${$X-hQBy^W-hM_~VLs10j?rrWUW
zO}KO$xtGj=$)1=R-2myHn0f)$dSXW>!C987x9XHVzzaJ}t9rp!Zycy^ro#bmQcv!I
zwY|s$dVU-n?nOeKrq_U_H?fm3aIiP_<<K~&=^(*wEZWffHP1fU2Mv-fu-BL1({{Mz
zi+1XcLfbri+oN|AB>JIKXw}nhO;GAbipX9V=1+!`dtre;=APC7rT*CDpJ2Z~SxAb(
zrw@6YdY*;YzN8=Q>_fsye>l<ybKa*7?)wm8#nIFoQ3cDbSnxhLVkM8`q>k^4P5Fh1
z5O}LE2__A2q%RiNM=Tpc`eE^>w0bjOIl~7L`(ZP1c>9re$m_5;0H;?U&&l@B1K7xY
zy8>c^NIY2%YlCoLwYF2sSvVX-4v>#wjg3T;DX`yW820brl8t;p=EK4MXk!(O4#qs5
zusqmh0q=e74aTv4*uHoG_Jw&y+Yk~+UWD@l$q8bHgCXP#`g0}}grb8Kz`;-~tB*$@
z+z3SnIW-Cn3_@)xTo{B}eRw)xSQuJ<56*{SwPPV*u%X&-V8LMW8kq?<24mBf!>Vx1
z;|_bn4d%<>LO2?D0Co?-5kcQkTJ{F?97>K78=M`AMLq<dVOT^T;#n|f7&$~dz$XHg
zn_+r{!QN2V5J7&zWw&ZLdO;2B9*%3V(jF2?z9T)-zH|k%a`Q*M>601IHj)Ng*wUK@
z(?^m)ID*@6CzIiWkz^{F4VK$U&@IKtESP*dS|0?fZpRWyti(n#9EOd;sn*Bsaac79
z9b0$6#rDrfk$IG?gMesUQL|w=3c9TUYNClRHJyTnXcBeH+c5JWAO_uT8f=Kc!kaV~
zZGsyy<Phz85^BbfQsNB@#-dYph23MZ!Z&g0jzw2{4K9r}`0-X4e+PMu_B;<wcc6=X
z1tH@MUYibU#$nknqT#?e+(Y%PBn57aLmOpUy|@jGNAKMPm&RjR-FrvD^jMs$%@8mF
zUts+V)}o;68lY_gnTs<xISxl2AY>xW)ks({5$6h(O?P7xzl7}*(RH7<FP=p5DDj2!
zcaaHRkA9C2T6d&gV?jHcm-k@wWE|{8uy`^FBA>$A$*i;XBTSGS@R@=ZwUME{8e#4f
ztTqkyvSh6yDm6me6x`k3wogyMHsZwXzuToIhv3rP*n6Ceh^b@=y%7&vr;^KLDr~q1
zlh2Qa!}s9ErOg$=jcXdVIvS2l!!8{J%XBoQD{+XXWB2vFHv>MOPQIf*ErZ0TNGN=r
zNIc22a5fQ3Xe)?XPe9<kq=p_JZg0AmL|}9bJ!jx>w6ZrN{b2VDtRxuD&cGu2)P4W~
zGjZLnfJ-y6eI279VivYfUy{YJd=^>goU~`){488x<6--3wDc()pN*FE8NDBT=Aa2&
zcFL*ZX;?gm9Ho~YQ=9w1Tx>3yn~Np%#TN#9=c4cZ5MfWBM-mC1Z4M^0A@zlj`DlN#
zeZhP@e~|>(em_o{pZ&=F<O>r{gnjEmJSWhzk#JxUI{Fhrz*z=27U4-t4H{BzQO|`9
z529Lq6Z%i1#cVkLAWp&z2P8g(vmOC^AHos1%f9$wGQ~`m*!QO4(qnDvT#CzwylUUR
zjC5g*gr;pI9{%$<NhUAD<P7Y{FR(TPyY&hj%)o`9`4c${mQ3;_hT4#uiTh|FY|q3@
z_rvi_+zy_H8<}{Hv1xDdZiTfga0wT}r4^Xx85p(__qnWad>eQmY+FfI&@++X@dQ~-
z2Ey7W40SvVN1niP2Vndv6#HTCDs0YuaDj<L7`7T$;0M}L9|mhzW6AvuYCJFyj;zK>
z)z&AqeglC|k``=%B@4?w4wJKR!d`>DSy)D2>39~wR9dS#0=*UotFuW1y4dumu+=?b
z?NjIjx|8pQ&!55#IMu#3hrB_&(oWsHslS-Q7VJJ4zlIDqr(!bX-%k3GPhi6u-1EBF
z&#qx>7Eh6RXiaM_^*RPi^6<>E6t=TutrAL)K~o;i-d_9od^~9p3{;+RsnO=yXRu|%
z!RJ|wy*7i-b7Z6C*^@VK&VgqlX)pNbITGU>pr@hd^EhAnj)gTL;z`nHEdjC{_O8X@
z`gWu}Wj@AQ^u%HaU5A@s`ADe0pY*e@SVvwmVYBRRe<L20WP;BI674NI@Tj5Cxrl{_
zO4yrni~irkpy)x=|HYU2d(MHD2XQZY)&Z48B!zx52r3^U2WaCU`{9iw#Z0e++e0_w
zE0S!y(2ZBv8@G}kgx)?FN|#}yX$d){=+L9LlG|a`E7(PP6e?dKiTV(;&GS_p+JUg@
zRkDukgd4Botd_&U?KrS_`q+-ctuOm%7+s3)qI*DueN8EeW}^ZJcHkuS1fQL_+<jp3
zPQx7Sg|$0zC)2mBZ4mG}`q+hVD0m(BD}6TB+CRr+wu21YjTOHOi+3Ar+zq>TW2?-t
zxSaf?Zi>G2=ptD126q0@aOfONL-iUc`5Ic@K(~D#4pyM432>>xVCn>neiJuF7N5R}
zGx6J4IPfOMr;owfw=lCC9DK{r;ZnHq7H%5z?fc&*gG}Dl!hS`=xasy1_0_QE9p{Gi
zr=M<|PJ$W?tl>ZJ5O=Z=F1>@JcDMmjIxy|UDw0577~l$ze^6rvavFTzCF{H#!WG13
z*!wOnw(W4^U2@c0eChV)SZMk?4*rcWaN9>}yjq3Q_u7x|!_D!Qa+{TMzA)_oo)Yj9
z;sBllw3qIWFNCHk)M`(%lc5B+rZv?#ni!;3<D~9}fcNpF{egWv6L=n5@Bz-iv93__
z0Xp@OZV>n(DJN^}pMQvP1qpyv2k}a!+8YvUNU4`O7VkzbQt#cdedTAkQA2`miIG;p
zutT^*;-Wr;r{%X`aV?%3qhb8V=-SW0_K(TqUNOSEzy%QS3Fe&(=Rd&>=>_|+Puca`
zIs35B$!&zz-DZzHjN3Zf-&4N8=*;pZto{Obgz82psz-LKgPJe!Qey~Aufyx0QrKOG
zVeWF6{14pr9;wG|FK(`>H)*kN_y@XB|0JRIOuRFw-+g8MS_q53!qDut+aU1>UX%oX
zP2SS0CiCF@*Eo)SVfqog0K^8h9mT*Y3>MVmYSh|82E*=pvXK_|Pz}sHO13$({tgxg
z8pwv_4)h8<k2%n{&`#_z>|q@&I7XuT7;h{bde}AKHL&-Xp_)T*=@@o*7fk;KO)Z4&
z-{5Ml?`C)VC+>^%?~O_*OOj#OaXdHaZJQ2jkK>f<+F1LI<D?7q65r>q0-r`)eFING
zY$I;Mdtgl?R^<W58*$&Bcmfhn;)*>n3er!azl;W-Q`o1)u;vuHS{K-V3Qt2Ju;4U$
zF6ON~jXTnOd(SiErUgB)=Q(Wc-(bNx^uPyU%{lay58%Q%-1+Z<wLjnqdlBsY0o@=9
zF8zShh0(%~s4IoZ=gB&Hy&u${CxKp4Z@gI74mM}~;Kq4uuYOq{V^FipdNF%9SkQvo
z!96D+w*{l`P4GD)*#PHT@H~_Y3x2}Qvj8^ygqIN;AfOc!?}06?*zOYh`BpN>j5}J-
z3plFZ1VQ2j47-A0`vq)WdtV4`BY{@2x>kHyh~4^0I{_(e#P=5cPny2;1QfNQV}Ec0
zYT8H<ZNP#4g<Pf|hCzA&K21(-Cqr-P`T^M9PJ+C}I=`F&_3apX7eUCcWP<mr!iM>7
zkp9gW-n+X+`$+%)&HEASVZm?cdR<Sz;ooo@nb4P=1%e^rchZ~u3=4iI_ukUFJEq9>
zU3{JMmHa33H5+<f#4t^tUjIMIeiv-GNc`x}$}skWPcD-Av`ZrdUc$NdgT<G~yjw=m
z6OLTMQ}VBa!0j@LzoosMNsw~+fABkR*l-ye);JFuE|XC2WMPy$1G&@EE&BIta#81B
z4nj^$VfW*fuz|)?Q3~EKIM{&;E(R`jkazy_;B14lS8*4yHG;=AG_ujY{2GR#ctNuF
zx^fax_E_>cto;MWLk}<>g5!Vu4}1LwV7Y;d18;!cAP)?it1iex37Q<EN%mM65B&)+
zTM5xh?S1nec5i2@-R8%o-YBylk`&G!;l`4sMI&!hWaj8zs*Lnd<jQVY%EQ<kYlb4b
z;C+Pu;JaqK%}XTqu;~$8^EQ<C>aTe1%2e`Yk7l)CQ|7DB#PSwtuWmhhyLu<$kWJA`
zPoiLduIzSQDfm$M6-7Qa_CG4mZ&hT@)L#_2(%PoTrQKTa868%zzFmECw5?T<hjyrT
z*_+8MM~+qLIGlK&c;EH9ro+dDt*FzV_#IlIrnCJmoLz)hsGZI(S38~gruq_>PuKe-
z3Tv+8E_7xjb<cYci?K2_I3J64{Ghb!A?ss`%-r#lB3D`;SLHVK&54}#>iYyaOFNYI
zVm?K#v~JSMwP;+daP|(Zf7U{c)qdt!^I^bo>g}QQQJbWvGT_7Uw10F4&d?!aXW1*<
zyVRLr4IXg}x!j>t<b$tzvj><KX$;)yM<0QIClFg#_3aIO@d~<Ax;g}%M9rgm2Xibj
zz#1?DN>}2^@rWns61PMf8UG-3wTe2WqU>_*0r3v?!Enwq%z<zQ7b(K|{#kZKV<+6@
zN0%rq>E>+7O*rFC*M|I8pYKp^oUo=PiatN&f9do3t0T(0CX&nNga3=qzpTFT;Pm-+
zr78apd_L;B>hp2em66*Pqe!FAvmCn5Kk`25nOAay_k|eD@IN_z<hh$S7nQ3$cKL)=
znHzl1R_&qoQjJCW?|$%JBnGcI3GA3hBp4Dy7Wusyh<>osU1@Fh4oQ`-cR)@T8kF~{
zVmrs$s*GCpo9gIiSEzLwJD1AZzEic$Ue2n*zOk3EV(@R~*KKpyhLEfcPLfugYWE@Q
zG=(2pnxM$c9np$hImG(D(tykzQEGy<TI;Mf%2xHwA$;HFy1eXt|9J_@5Nkg2lsaO@
zR@#JCiZjrvtVY#GSgW7^hTZqG!Kd!D|7=g8Fstm)O0~-@^PKaT`Smchg}ZF3oU9EA
zZpLW)X7)~hr6<`tJQXS1{+-$*`}Jh4P|^*#$G_*&cW=u7IT~o)t8Obh!_*=M)0pdt
zTZ)m5(7ihyLl-yN<Ga&R6S;0b??Lf4#Z`P%LZ^^9_6?r23!&9s_N`vDjnM2yDCk8~
z@b2FEUi2p#^Q*nSH;rfceSGNzFJlPK`u8a;_NA`V;UfEfU(H;NA9bU65o<r(hei?S
z1^RKjPhX195cCW7*I{=*dWbBwFAktVCR4&OGvvvpVep=fR@3M@NbgTq<89LO{pnGB
zva;Nh_>m?!5=`+LAGZzmlnE^kpuZ4ZyV)KPLZb;jyEuCrW?l-*@dHv_nQXriO6~f`
z|MsuLXtJ|lJB$yf3!P@ahy94UnQ!dFhESloou}dKFv_l|Mn}+f7z*Pf_I2bVm^_?*
zp<hDK+dqWRNE+ef@DCxKv3_;d|3f$sNu%@%so#g-HiD)&^Sgftxg%(So}XNVfRR-H
zpd5zYPCJ~cD*O0R)Q>PzrQy^MmXF3xHbY1hJ?b<+_XF^VrVUi;ZEuNYGooGUP_GXl
zY7AXM*2DHOI1_*1U3xl!T(oZ=i+$3*Ux#tyXsT|C?125_=mgyW*$O?!<G|^cPV4Mz
z$I}xo`**(&t0&M(n)(^!#?yW<DUQy^D~s)MbP6s13`*l@u-$zk#hXGE%IBRhbdsU2
zA7J++bTIug?Ic{9WSDygjK336zdQH^ti2OkqGztQ-?)<vi_R~>u*vinXE!oobUZGB
zEwCn@K1mOM0_k1xvetVFy@o9Tj|6%^FG>4VLsJ6Io#u12S2cv*jdP{XrMcQ(dN=iT
zRfRq}6^-gX`n7$*J@gF|eOP-aINNRyyqCHWTBFrEDT)3@Kg8)v#z%%8c1WB-SJS7}
z+&Cp?XV7`hUbfk%&&08Fs(0G=&PI=S-l)p5-<X37!dY4L0dPyETb<_nAFv-trhz7B
z0ldt-AII3!VGn(PwwP%3QSeB`-fH&<8J99v?+JR}`q?C0PQ?jU!*5^sXc5hz2OHIA
zC%?et2XP>z-ca)(ZDadP<wMlXf^W{)52VqkKJ1USXK0O?X7z^30vb<?d)qG;(8H8g
z^tRW$KpWhw6+Y}zRXuXTE0i6Oy;V};1C_-%UbVg9a51(|+69+UTAE+PlMEc2ZT5q>
zO>{PG?hUc|=5VOpM9nPI;Y~Eclu%`cpa)5Sz4uEr-<wK4_N}|92cdC3_VV4h<57>3
z&{mFC>wN6^a}`Zy`o&2*e!qXX3-vgqd>;SfDdqF{=T9l0$Im~ld>;QU>hSY;`LyzR
z{N1P6=kc`bX}J_Xi~sth@^yUWY31wq`KOex<A<D9zK*|oQu#WbCiz0{0lZcC{Ym9}
z_<?8+zlZNQrF;*+?3D67{Fu|q_wd_KDc{5AW5xI({O6~X@8Nf!R=$V7d6In(Z*4r~
zdXUJ@yghIb*>!)UFQimsEm5bG58yAHv{zQsCJXw#y{Lv3bf+1<cHb{4-ety=xnI#1
z3VVLX8`0D1sk^nz*EJpN98ixh8?!jB&==C{(WttN?R)BJnAvKJ!D_VwgJ5;;Fmpl`
zw0(o4TTump|HMKLUno6Jqu}X((lQ!<1_Hmut?`~SP;;6F!V}-pLTZbF&Tpx&GI4q9
z%>gj#IQ3-Z<BzlQuS5EAw3p$>>|C}e^+KkN_M%u-WrJE(Qv+tLdk5T3Fn%3kn`k(s
zo<O(oRLVuct0!m)t@Q(s@37w4jaUO(UeZWws6$J<>m+TZ&3+JZ3Y`^gtv-de@~fcy
z6m8O49twL-V@b97b7{Um%RH`!dP%^B3X7$jQHvFw!H%k}4}>4ju#Wme`dQpu&}RKv
z8fB_`#|#_K&=45f#5%0Bx?XD|E>h(0l;+txzoQ;r^n)|t@hdiMW;4wFmB!M)pM$Nx
zVjW$Zpq|MN2e|!)^3x`WWpdFEu$sv;-$UhZ*rvD7LKBnAz5|cnQC1&=SSAnt0O?GQ
zIR~Xo2AqX@Chu*6PA0p44-pqp7M_I^CIh~MA|}tBg_?^v?3cfT7RDFPf$t@hfBOOA
znT*EznY`^sC}+~^95gWb)H%H6fO6qkh+=Yk6D(o!`R`%tWwiGzItP<sP0+&RfoAZy
zf<G*@>?}ku*@Q1%FnQ=Kq%-*nwui|t&p{=Vg<nEFlR-Z~+ZEhJ8h!w`4&<M|hfpS`
zo`ZNMv(Lg3COev-fXVu^P|oCM-@#!fo6kWDldG}(Rg}rcAQYwb$`7u!XOTjcHNbYQ
zRtKc8e0!Q8m&sSpLMfAR-$4zNV{rVLT#Dn$<koW#cn#&WA0U=V%MXyk<nA9J_Zs&5
zkME(J@dM}JFiLp7gL=ZnYv?Kia0IWTW(4+#$%-=&&*U}i5tGNyKmn81CMaj}9(;j=
z$#poQOb%@Zw?9xm(+r_Zc0UX8Ox}Sr!Q`Uvp@7NL%~1Xa&BdKkd6f$CZ_uIij+5-y
zpu9T_dpFy8{C({WH!!55&Hj*h6WueeFBIKG_si%9hne)WLg!7K=8QgDB1{pq%(^87
zg=fH)A{36kTWU<9w6@Qd78LDP@E{EP;VV@rQv)D{Nn1aBrHaWuP|0MH6&je##~W}=
zmi56`sZctskjP|vA6U(#tuK@^S%ytvGA;nx6n#JNH6a%VKrE9|KUl(KQa>nCWFI)d
zWWE)en5^mxZe~*;m9QQrBdrjR(wf@WwQ*Xc0@WjMH^}b;xn`5EwaRML=R5Td><80J
zT=}P*`uu*-#PqfRWBDhXdPhI-u%JGJ)2BQ2&3z%3=_C6Y%cnW@#eE>1>1(<6J?PXo
z_kmKT_vG65fKy+LH>VZ*T>a`@F}52v_k&KR&*$_>&hn{!Ai@px#a#VUo%*UikizuM
zoc=DSKC%xKF?}khk9F!(`#}xUOI-aiPJLBBXk+>$POpBO!`hFxw*$MNK8_o|q0aKP
zeIb$QJvqI$BVhUBzL3lG4&|1-QVj3!*qr4hD^xOlJEvE#^;!Kk^gE^gKF0Y|@8~go
z2Cfr#EFa0uk9x<D>638&nckBtuioxq`Zz1T6ln6LW!R5svoFo)YcF*-6?o9H0DGvP
zsen>P095udEuqx`c3-Or<J#5$2<&SrqW*zU+1C_Hr9gXIUlT6-$Uys&0MlGb69S<o
z2#ux&+8csQMZ}sA=xRL+D}EZTh8370x4$XELOX)&m7%60cUl(&vBR;w%|U#L!4YbS
zia<zb`dY!_08QT*2&GKlF6aX^y?YSUGrdi)@2BZwf}oS>lLWn&rcVokh)C4u3;OPw
zz9a}zn7&HTTQq%EAQYjV76;nPBTY*%II)4pXj38$vq8#eQwxo=+2f;3m(6tcZxDNj
zDV~0Q5en|WVV?Ip9A>iV61a^sMbUr#4zWxIUWV1<aR2=DHz;QuaS56j&$|d7<5Avw
z8Dhud&P9HQB}_hX35r;{dkoZ!NBhY(aEmon(ibnnfmqb%{sv7<-n<BI6Ht!$9U_=~
z`4Y@!^3C5Nm&vY|p`6J+7oncXJ1)azCjEbdz&KN=Da~eqjl~$tJsfB9G&M$>;GG5<
z0Gs1XX>`|b(204d*Cl)CMAKz=THN0rIMtNfgZ)uD*VO4lAG@r)t?Hd+b2$QABPBLC
zyv$TitBykYavZn9qfoOP2ejP=4a?E_GWtVAI!-{`71t>`XRLoaTXF2CN|O3RN;(eX
z&?``i`RM2?_5<mr0~WdyD|`YI95yI;0>|;fWvF=qD+s-!M(>gRA#@dvTis=ty9(Rh
z<qG7kGR0fVF1spXaX5wnN*rEggC^9|{hD2DVC-rv=XnK|tTrWDPYdO|wQ`>Q?e(io
zhn4VrYnI8^#NzbI99%~1kJvS)CCVS=xhA|O#gv*nQwuIi<wxw`qi0OTH0z2z@mW(M
zp^pAg`W!Z)xxc;TIa3p6@6Ud=idOfxdlZ;DE!02Q?(w2&iHT+e!|IKu6j~b$xiWSV
z<7&5J9E6Ue5L=9+Y8#-Y7ruy>W0=p@0im046t7%iKd%K(Z!)FQ=3r>rgk>9F0*{w)
z;C3B_l$Vfeu0Ro!!#kknCA3+l*3q>tT^l%g&1^qv>VSyNCSQ0!HrbrbXnzMPWjxDz
zbwE99)`ct3$>caCa}<@dX0>O**3GzC_3nVcEvCcHTTN7Y4QjTUMnb|?(_LaJ`bseP
z0=8&shaG>L&aJDpYJkhx@H<D<X>gZJ?SS+$^o^teP*8>gIv?A^IPEC3l$p|L>QR`x
z0}Y|RXb0-&bU*`R)HCOV&z6}yVbo5OCr#{t_?_6J;sLN^Cl2g19F(1`q~^wv1Hj{T
zvE;JXO;xO9;4Z8)V*o_$GF4h7!*>`yq!zsg{SKWk?HF|K!l`-qD#Y$aOGmH5Y9>!~
zKqZs?uR+Uh9K)ik;9HKe99zVs7v^KK<0_OhnROK!m^^qD+}=RBwgaM=?C8K3Uzq+F
zY-MuNRXEIK>@~Rj2KMYM+O5Ed$lcIBi=;&a*uLFYArbX-F^(yd-*-R}lXh$$lfhS^
zp2_alppD6hYvA!F%70yj2qquL@=U&a71Ehpjpdna!}3giigUx{sH@P%WQ+qm-ePmG
zip{}WI0w&Nh4{Bn^ELK_$;};5z@!Cx&ZO@(ILzc29I3Z(j_$bzv2WwZIR?P$x6%2t
zuPHzF2mg5+jY$KQCFMEL9>2%r>&7yr{2g85?Q2l~cl<TMuz@a@V*6LZK>OvtoA8!H
z+E8e)<G8t->~7U;y+3dr>fdJ*cO5)FK>5UVNMy43Iuw0?)z@8z!;G<@+lRQ3JoE=d
ze25NFJP_g;=luccj4K90!G~!0RZU+z&|d$cslc7~yP-Uar%54@{uyRG{|9t_k1{3%
zN|CMAe;9T$oGJFJ5p2tBL<66hYI<YM_M($GAk-EDEvIoLuqp9pu<G`KkbVY7%sm8(
z&Y;CnJ@I-6CF*O=;Cj%Tnic|qXAMow4}lcMdQ(e6?4@T-5oW!q*0@mD=&`^dyc;$N
z7o^_wuu$+lhq1`0>rj3U4L#Nq>d&bax17T<z!v-dV7ly0JwxptmrbGgW=)7a>WT?p
z7GZ6_if!%)fh9~<g+KvHYjX%+<xf~GtJ2V?hO0OodY>{vA@rJ|Plchdgt6YIvQWH+
zGZk64QkPx!!J|I9j!=8zb!;-de2vYYAHEBhdjnaUEx7AL^xKbanB1N76*&l+FvowL
zuWIaTr)e&s$=H;erYKYL4YU2Vo2JEHRKjQdUgkin{~%Xm*tjmlnP;7B4TV^I=}GS#
zJkKiM<z=>6e-xTOP;-tfYz$hYpHk@b!T_>(klokY98X#0DZR~sO67UI&F2a8^d-LL
zHawvXvd^`eizvK!2F+jWXZD02Pvc*`1I!(?eGqsAViRm(_QXJQ6s7KAP+&99b=D9Q
z2A6H-P&&&5f&H<@q%er;kG#SJDai2rRW$W{e{(9`Y=V~l<^sCK1nI%%8paU=%v))o
z84eFHS5li9Ru9CghM3{NKr`MB34`1al+FF2GQ>O=mW7x-X`Pl>*58ha>D0U8m}{A^
z6<u)*BErn^R%7~Yz_w!?Q~Wgm)E9-BeR+Mnrbkm1$Luv>=5!NpSW!Ui(Eo44r9(x-
zk(yy#w`jP2sJWcbn4z#b!rV!hV1I|3SJO>qXd90GZVba<7UzoH>59amuEo1)k=Vt>
zW(XW%PNdt-_Vf{Ed<$*68Hz@lbE*4a@VMPvuAE7~+hiKXO0?W=#$SpY%x=TtExu7W
zVi-IWjWQQlvkY4w{-RU6G9c(=34<YGG**jp^=R`F`kon@m@L5;N2AT-del1aBxazc
zC~R2!3^*KxPKMP5#$Yx5qRo-??`HLq1#k9ZaSTGD%{H2**odcCvL#yW5|${SjY<R6
z`^2UUEb_%BI?Pn7-6)2SqRl<*kz>qz%=ELP_NMXX2!elr#{~467BdF8=x6^jL(2qn
zDgDt51#vhSKbygAqWJ*r7z{NNkug1X5{_;gdebCx1N{{T?M~KsGk9d0`@;8knpawX
zH@g;|PgmRq@L(Stq4D&)%!lbkGek``H!-95=~^KCG11%u;^NKEGqZ=|&22P5Gk0u?
zc^18_f_-9wS;m*8OfKV}>&D$MW;Q|FR2)7qfyX^KTd(4JxW_!#tIUv}ZAl?8?25?`
z{&SDnoxY5#X&R1dk7?#4TtIdPl)k2>+FwjG*HUILaRw%%{UtM0`vo&p`z<qYed#v#
z%rqykMTj=S!8XhMqizTK%{FIXU+qP+&4+#H8H;`HQZsJS_($$zxOWI+XtlSen?EDk
z5Lm&HVIHRqK@siehChpq+rVb!!ob&lCevJJrpe(@z8W`=q@niC)u^R$_|kH=c`IQl
zHBXsyEi@yX`7XMn;<k8yHy^i-Vj=PAXE3o!NSyYpIhi_?M5pW9+nzNCcA?d7;IST;
zk~9Qz*Q0Ut+{5c}NwG?z%ovdV%{-eH4}sFZsmhkWp{FEN*#loR#}isR#J*$$x)O~W
z0!<s$9Jr)HVOlZUk?>Nn7`Lga)lkGF7ON>n-=U2|pg_h>whzIuS(Obkdgdy3n7i2=
zVZD!iP_G^AQia{dV9xh$7bx9~^Y})0IKc8ncjNPgY5CT5vv+RBPMH#WTHx^yO+M`W
zS^#Db6FZx3-G)`NGyXQrf{KV&%<1?rXegAHp>LFgK}{J>M1>;b;ej34ll-Cf^d05`
zd}JIBmv^!~&|-l@J54_D^y}tEmO6KrG4;$Yb2Ce=*^O0rTOgv`e3^0R8^&CF-Y`2@
zYHo#^tF6M^!nom0LoWLRZ<!mFilg=zlRw&HZdZ~kE7j70@8BNL+X7AR;0&Skt->=G
z%JM4o^xhV`+q=wB%X&iSd$<{(Y<dqf4D^8X{a6q=;s86F4TbarI6m$}?ORbU@Mb^L
zul;nRG9zRD0rkBscsBbAT6$R`OpSX@aHW?eAY7`%nZg4T6d9-e=5WPC1*KX|R_(>}
zEgE>@D_GszvV_)s1x?7-NASnKd#YKb9Vnx;zaRMuJbX|e{IywnR7<-LHv#PgBK_@a
zi1o2V(SRec+Q*V;?Zn?-#&<`QgE@ruh8zA&EHp7Y{qQ}&AcJ1LhlkFE@wcxfVrKQL
zYWqop%T8a+k0%7>ScBIKF1N!wQ^>{v+J@zDFLNIFa(a<3)_WM!1GLnED0O@I$g;-Q
zvfBDZqgi6t*6cWjO&Fs7DV=P@k2fv8_n$;Pdv?Z-Li|sCp9VurOjqB;Q&iGLWc(!)
z=W+8-^mV%^9O`ZH=^nNVM-`7^OxTDs(oLI4#y5LeeCCKVY}4+mhgGNr<1|^N71YyX
zwDbWd&64_a5^CdWu|iMq8ffX=<0W;>9hl+|#|Bt>Tlc6o)815Nver1gwcTPg#fp=P
z`&gJUcObnjy?SQ7u9k5nb#vE~PD4Z=oQz|qUCzb^%SUaIbnG;wpgzy2$537xuj!kx
z+yL!wCSowg!m!kNkTbk9cq8i*%`){u_H*XO>jXhR1ldFRkrXY{|F!~mTtzlR1)4!;
z%3rgW=gcpS!4?_ac>;15ms*;E9BkmfR)MR)N-Xc|LUlw8^-KT%df>A70#=}}cb58B
z?By93v^a--el%;3($q>OAhQLn9}gi%>wt0_vi2&gl6n+*gh4NzH!Ej2J!$B9bDlIo
zCzOw2hEWE74O!nwSn@~6{SEp${B+l5;Il&hRzZIa^=zlqkKmR(e#j=an57V1i*gC_
zSOb>{`p=QW4f<b@jZ@(96Yn#T0?*9D1mlpdMm9F!6=Zf@svmX8c&pxdTtU|NeU=#5
z$~Ry<va$S9WaAX&y@m<u!xPo!SI85c=J6$lfAMoT9{CP~J`346g?421VUC*V7vxEX
z{3HHtmb6PPmYOF$i3!Fze;ZkSTBMfx7xH9-fry{YlKR7IYT`U(ebZtoo00W1D&sGa
zjScMjA7h8|Bxx)r7<;q|SwB@W1BZ}}PS=cVoHFwTzCpu~jZ-)i+2|urBRk7u{Zg4w
z;B#c{t#wwv)QN2D@t`(-4j(`^HgFAckWy0p=T&4qhF~cb|8T7uR=@N$W|+YK(2nlE
zxB>!}G#J@f!Bjz?hHRX|SCNe)dIH(#v~KOr4k-0YcVL2XBUyoLa1yB+**GG<BC9{!
zq_%k2uV!hA)_5kKKsJtmjBNA~2QoX^;fqU4Y!(meDJM(HexsixPyGr-Hav+M^=!2n
z^fjWMtuFmUiRIgv{zrrTg{aq~mLGq`8z!i4Gw4?n_P)7#wEYT+qP~FF=Zg9wUSBEd
zf!8;Q`chu+5iGRtZPe>g7`87~)bHWTr;GX%sK<LS%7NueMSU~s^}wU!SEy(D4#W7Q
zU`ah9M13dfL+Ee(srAE)`uwW(#4R^zAyaTnrW$~4z3j?z9&_oNWXy7?A7Jt8u}sYt
z<1E=T=CNCnY)g$vBSI~`ySd82Fa8$au1<#Z|H*9cu9}IvuR!8Ji|^QZ_>{~TH>D%1
zt|}=nG3bHw223}eThsCB8J0I?ykO#DTE;A<oh-(*9sN}=D|<ohL$xOLm{w1(($X98
zJwH#_)Z5ZKZ?jq=Y^y4(P{WQoY?3~+jE^DXWIB&;{zPALj1Muz@~5#pTRG0nRLszV
z8H^EI8bDi!#kXgN*3b+vNd!K|$hmv_4z<l$c*ledPtOX}u_G0wCuCw^-a{+JQq*|6
zdzqHhT%nc<Z{DYtDtu3sRTZkty~an!8}ZpgD9%nJ7G#$o!Jcob8JjSpex;C&!Msgr
z1bX;&2poi--|M<->rF(RKE9*=fJCMr^@nR~U5$Eu=Rkd~sAuo681$8*{u=7_>ryP=
zB<i#I@*ZJA{oQb~4fbP2eGgurF6!CNHxKJz2i9LI>KCKl(7t+6@4?&eWcoC`NsbTt
zm17P5tMA-t6e0!-`nOQ8w;%N>qP~*X7m0e-e?6SW@-?D94)yx{p}tMj@8RtSh70XG
zYv>=APZagHqyHG{&lUB{P;aQeQq=!~`l;9kcA)(xrjNuMk^|Hv=_8c-_(bB3%OQfk
zhS$fUe)Q*9zMoc}iSLp78+Z)febu)#mV6JgRav62?1<TYz+z<Vw(}6V;yrai4NL29
zRx%}g=?ZRGLa9(e8Lm`yH7_r#Qj53?`_6}0#JB~2gRGAmGb!dT6w03#@+;+Ced_fi
z>T#%@2R2FBgGN?GsST>WLzQ(iRCxspup2Y%cohHB8%NF1ITWwqsX@OGTN<q7l%)P{
z{NUb>tm{~oFrne1eh%h0Ua>xgtS>-TJ_{Kalp4dagbkQ5g#Do%0oX9(>>WfsUi3SU
z;-hB#Up%-Df1yENVSZ!zuaWiGiIqBm9IE^vyJjQIVOBmv(@oyM4908vKQm~;`?1Cz
zi~0L>f!qjm`%#!LM5~0o8m3=xjOqfFO#f{Ui}OM=3HAC#=eIqeiRu49JuAl!cD1B;
z>W?1aF&y>2JuS{#dn};R2ce)RzKmrFrm4f>!QqzJVEun0s+ZSKCHgWgj(|^wTjpA8
z15}5rQ)-lyN$^IiVOIOdNQ+x{T2&0;cUS`R;x?%{+_j8#0>=QaZx=XW8?Vn2xKUvD
zSGfG%l8sN0BH`p6mY}@U*SUOBvB2#DXYJzir?Jf)54~Tuw|Q>g%d?Gb_IPOd2T1vR
zf>b4NT_wyPhXa_fpDQS(9pJgx&U3ZE4uLb?=krS+@EplAm5O2TcuUZX7`9vEp?5e<
z;5vb&gM9u-fs5f~G&{0`ZSr{NW|L|abaKAH&9(6F@i;8Cb$mXD!2VzI`Z9rAzvlIx
zM|chsxXQulZ<m_+1S#$qmqE%9xbPUPkF^B$cL?dyH+;ENxEgB->Yx8lKDkO@PZ%@7
z5)>SHoX?gjaP4t;Y62Us6MVjQfs-0}eXGEACwYDHDW3BMF5x*(YHZ;P6#v9??Z0?#
z6xjA}ULSLV=URaqImR<eE0=&z#cuKj)K8yXj;Ma_;o@o`f2+X$+McRAa)ObuekseC
zfLtPQwZM%6cL?lH)J<HkFh*efHd5&!)3f@eEJFh05`n7)ZWOpfV1MeWfZ5AuKLdb=
z-k=f}EA>kit^_4x7XGiSj0Nfh_GAGt9=gE<7VsOmq$khqEMPb2^Ka8xtzYu@)Dx6^
zQiT`KQZJq(d-I&&%X5jqRerqQ)<<Klekn~)Q0td$efa`u0#^xK+mFv*8_08e5YH9;
zRnF6guyFvNp(BLnut7X0hw<Dxm}hAS&q+ghE*z$Co^uZUNAMY9M)I6-JI}QOJEC~K
zEt=;Jf!oJ0J&wOV0x@Ix0$F$P+#zt>I9{JHo@Z$S&n0m@C&eSP`PUoJ$`TCRp1^b5
z-8@V8@EkXd=URdN6M21E5>eN`-T?m@e1^1{JU0vMIh)s~3S2RV*H@(QEG;4vxE@C?
z;xiNrTq|(nBCy8eNi6k2zMSV$o~zS&mNIxQ7C1kX*VnD&Ie!($c~TvpAo;U9492N^
zlIM&po@=vtPR-@HQRIB1o;mSz#su8L1@>Rh>r-Fkxme(Kfo&W3{4qv`{ZlNx@@kDq
z*!Qe0e3AB-dG>sT=g93mX9-+a#_RKUaGWRk@8lAsT7k=U@%q$qo|^@Ztl;$(0(ZP=
z)Zc|44DB^0NRq9R=X`;y1jfj|+ui8Sh41j?Jga!F61e$YUf=k4o@4g&9C?7})Po%7
zNyU7E6j{S%kZd3GoN<`vYJro#<n_&8@tl0b$mq^xTmm}NQDX-DlEcAsg~06shkeWE
z&lkAE$ZSvcKfxDB5;(Py*VmrnSvt>ijKE0(ry7{mFBKaS7$;xg4Q2>jC~%p;4uMnK
zczb2PIC&ncPja{t6wYdQW>C07VE12neT=|KzrwY9EP=G~SC~HyoxJroKEL!k&z=IO
z37ju*vB1>=M_%OY=SdDeK}x;EWsr&m_PosN;{+}f*dcH$#}GB$;+>aqg|}JV!Lvi)
zW`S*2`TY6Ud3Ffw{s*VWJ@W>aAk}L33-yqoimJDBbdE9eT<FeoqX*A*_>}}Z^ztRW
zjEtV%%q3t>A7chA=*M#$`_9E+(9wtII_>_GUSWsGL5BQnrN!9{3CIb-JeLgMIcy-$
z9U(lY4dS_3;N&ouURmkxLtF{0XGz0&E)lp{;K&F*e}%va!+CwO`oF4TQ=-%_rH$Y-
zl#Jv#W)#n1qj^rnkFnUH4|&=co|^@Z8LR8Hn}}7;1jUY2HV(EW;TGYTpl4LmZE-xO
z30x&`*hD^m@+6*9@8mgYGRJsr63-<_Ndngi+%bjEUzosi!Ze<<5_xvN*U0#yLl&2S
zFM`f6X283>vv`i21E*%-$ob#Lr>6;=w1C&=3*0QQX9}M`OyC%vgQZqJLCRRj8;~G-
zCf;oASj;C!=JDMA9M3V&^DM37xp4!}?E<?Oar!(dhEI^v1a1`AeIsW;iV?VR2d{74
z$#W#WQppZ=t>F4g<q{+*PJ0JaUrg@r8Vlg=AaJq34uReO&X<of@?vaBmN5ajO5kRJ
zJ@@ejV+2kWxMCmtdzK}Tw8GU{mY|7|@A1Wx1<n_^LSP4snQaLgVcXA}Nf5YD;4;Xb
zZ5f{D_>eD_`~}Y?bv);P#dC?kRRT8(?C;>p=i&b`i%XDF1uhgg^%$SOMBun@czv?K
zg&d>5RdES;{uQ|KpS;0#fo<RN`UHWq1g<bLJKtm-=M7W{oQA(;#twY}WSro+THscJ
z>l*p|(n%LDVTO|p35?4Gb_nc#%4LA%uM*hvG_OxM4eRIO9-MTBPtO-P?kulQYU8;?
z;6{Nxf8p~d@SG>*^9fS5!0iIt+IfRX0_O`{C2%vxcjC)wzw!p-1kMn+OkfARoQx-l
zu-|wy$pRM&TrF^`!2ZAU_7Vin;(35n!6!(K0!tTR>V1~L8A%s;!x;h>3tT0zL*RCJ
z`9AD_<R#v0g1~747YbY<aGk)d0=r-4>YFKr@d;9bz-a;(3S1^|EsU9O30fpw;p&lW
z0>=rQDsaBQWdhg2`&dn$dk0@ln7|1FrwLpraD~8i0=M#vQRG#j0RkrooF;Igz!d`5
z3Eavt?zw5#_y)8K?0%is`wLwB2d{Ss?0$pS#~HadZkZXz1h(bEeG71Aq)xtEn7~N_
zX9-*;aGk*I0{h?O>U&U%;}fJbfr|yM7PwhpcjbRk>pFKu!uzbB`9gAqzz%^s1hx?q
zJMlPAi3tLy30%lCOi8hLjjZJprAC3<1$L*fG{q7)B8KvnCkdP;a6Y`8f&p5UkX$El
zv%nqj4^}M9#Mc%laI(M|aFrD+6OyY1b_m=GgBRknbbm8nTcp4V_WLj!$xG|a=WF-n
zIoXfrRQA&eh6!sIII<6~udwng1#pbFY4`-GB9O}<)e77`fY;{_<+()QDuL@b#x10o
zOOT`vfjx)u6@&>KCvdXB83Gp?nT3sI#suVQfgJ+33Y;{OZ(y0gg}3wi{1_Lr`lUKU
z0%P|vt_+M51kM+@THscJZDV<RNiJ6Em-1Z+tUjqiV28lc9lXH=fjb1YjT7=a8J>OE
z;ya?m$x8K7t-!4Ud&2t<Tkg$^i{;Ix37k5G*Ei1+_)(ra1a{Y6YuB$As(8k+)83}n
zGx!UfA#kC<Wdb(~+#zt4_TIl*AJ$*TCE(z#;CqxLaGJm+0@n)czLK|RGxB7tFU^>M
zoG);Nz#Rg6J^^DN!7G~fEWV=rr+9A7;aOV4b89Zo#d$n8=kpx)496HrJ;x<TNg``s
z5a?4~{UV>=e*@160_O|d$nh*(^hLaZG=VDwwr%9|Ckb2zkEU5Bc%>Ed*$Uy!G`v^R
zE+l(y;<LpGoFQ-poJ2D-QeWbWg~>c83+xbB(!RpbM>QGVe-xvdlI^^iDuL?+_AKS|
zhY4IFutQ+~*SPYtq$EB;N)xzH;0l4IGR~kBQwC#~S^_5)3h8A6r|#g(WeFSxCzoQ>
zkPlavT85J_81op08ilX(g{lQ^g}X7^q=a33wk&}w1a1`AeK)Ls3@=5KcMEm|E*7{-
zV28l%@DFUBS7bSFHVOX4l8c4pD(JclliP)4PZ*5Jc}Z{ZM$!Z>6u3g*I)PgScGo_Q
z(fu`y=aEuApCDBW?5}+?qZ^2WG0U;tW$*Cq_N?MLOyC%S{rB_v69o3O^ZF#7O;WKP
z)~Dk>>|V`hOb|Fj;6j0`1g;afLtxMMx%%>?l8?CrsY>8Fftv;H5ZLn*-kzg@=dhDT
zhK9%S(P<TzhR>@7ZWUNMWwe3un!u?77Yba)Grse~CrHf#dw$1P7$$I>z{vu)3hdcz
zw1;s;7?*%IHU&=l-B<wcyk6wF@G{R80@n%LYGfrQy}}#t7dT1aG=Yl+t`OKEaI1lp
z`m;Lt1{4ciagEp43fw4gyTI<(`SLawEA>k;t^_40P7=7{58gntzzH7eM=APFlO}M!
zz_m_RU(%2ooe4_)lKXAEL7TvF0w)Vx23=R;R#(xBH&f!rbC{Lq1c8(K^7>+d>jHSa
zEs$e;F2^TGsRCySTqba}z+pjL1yYs388)LHC)Zv3%1fV_YJoch4huFKz{MzVt-$R9
zr-m5HGv~@MCLmV}>=3wBU@6pKkl7o|bH2cJ23DNA*^t1Tt3zPVaNc0`5P^sC965~V
z41ud%tS+v0R|2bFN{!$RR0-@D&g+vRdF~K6Yy___bh28%<Zvb^^-IYk`2raNR|{;@
z{x5sF4;2dR5ZHZ`W?%mWf-pTntzRk@xI*COQLuhB1_-I6`G&R%?5}<Pr#CD?V4L<?
zpsr6E$J_H9&vO{hcy8nqq=Z<$fHZ;Ue1SUzcEs`d-6!%~!ZA)?6_<eLzDaz6<U4tG
zzl-M%fzu}QdjABTBaO`5C&`$ATqUsk-Mj&tz%c@s30!>-U%oie#qrEtDhvsX>jVzF
z*HwV&8wHL@g79qgCC3atU&$jp*QW8@{20&v%Xscs&T~>a&&@pJMgQY`hSrrl$34Mw
z+G?JqES~e%@LVTwQm#>tb6LVA;A_2k#te9SMc`I}BlG$EN$Ys771+Jdpl806Y)n9I
z7C7t$LjlyM3S6<C*V{JmoF;IYfm!{M!;rvOD&h^)74zIKu>U4rUm|dwz|AgZKZ1hi
z9#?|GVK4Cp<6Z*m)99>qoB8xc;8`l+IYZ#)?Ytg8>Q?I0H^O9rt9Zt^rHn67A#lkK
zUhlq>XX$mGGXzfC#p@e6#>uMP&1Z-#=h^=ao(l!edXv|;3f%rSuTR}$VCF2gz5l1H
zGl*@Y3c~QF(jup)H5@QPDh^c0DW!2Q;BY|h%{kS%Ih@SR;eht&aKPIXB%8F&idGs&
z3CKr>11uDT%gHC?NC+)LKq4fxH{71gEx9q{ePjFmK6w1i%)U2o*M84lzxQTA!CV6#
z16RJb{Ttufod3?|2-tr-w@=@!(SkxQ-YKwSHc`}T>H!ykb<;)luYtWj=V|>;bFPs3
zodCEE90GTNd%%6*XvS&%v!t*ZaXfRF#^a2EC&1^xni)>Z%bASw%6Vl|zoQB7)j?Cx
zD{K07<v<Ha<8!*e5%2(bWO%lkEdhryu=7H?Ze0V&0Ox^Az*XQz$~;(^76jnX2JQhz
zz(e2|cnqATL#JOqcHf~w%gs}x<$BqsNgS?Gh16;Bok^Y;AtIqO7Fow^IjK%Lx@fs;
zD`imEfa|mx@a@eeZ3J9M8>}I1v3jXb9TqDiuqMD`I%c;`O)904cqSvAat^o%Tmi1q
z@*NJsr`0>|ZEo(4kV6L|^7Mp7w)~>~MyS#mt2cd62f!h44>$tm885qBX+m2pWIxW2
zcHJw~-*r72$<tV#GI!m)1bde~L)u_L&AYD0m#f3Cvx!L)q-SG7$KvVHiHIUS6{o7n
z^`lO8TK<H8&j+9mfqTFa@DMl#PJkyibH8A6G-+HOa2~h_Tn4TJYYr$a-?!{se_$zi
zeGPCAI07C5$G{2jWRa)+qRG;v5o%T~<viFmtCQNxV6Ose7Bcns7wpseg9U~3QXy~;
zI07C5$G{2jWX{w29mnL!(g-zgmU15Knzu~tnukld3jTFqf5xW%V5UfW=@7UF903o3
zW8egMqHOBtE&uG^#sk(&Z`#5l*vr70xlH}*VD}BLszU${A#jg2+T5AMv?IcyV-dVD
ziU{sXIxIq37cr!55j;gvM4nDWROv!QK&zjzh-gbhLLCu29Y92xp0e2F3{lf-pn++s
zC*=_AUEm0KMC*I*+RX{5GiK{KE!G1r(2g8d1$6`12X507KJ5JgsAJ#+SU19(Mf0kC
z5^}&rTD>P@6sRk-F6tVn>$Jh@6(7`X;E=Z2ZHXtuOCdwB@|0UvKR*FACtLdIp8KJU
zPWSm>9-Tx)v@Ig04vXyMHM=$EbRbq9pYFT2Z)rjZZF_jt_U;1@flq1Y0S}0S2Ru-Y
z`Dv*{FYU9Uvd^yr+UD0B&jE`S&Eld}otvyK${t<pyKC9n>vjY_ZH4X{^+W#R6oYO2
z;~CqQvi*X6%z&0Z=Zbkc8H;RY)wbqogVnc6psoPdfg8Y0>PYEbQ1|Ir>K@UFSkJ-g
z(Nk7$=C9cy6@bgYHDDh&p!J7bTMyLyQ5SU#YW~V4YUd3*2#*d#T?BQRo;>95X(3&(
zpxPt8uo>EU#BD6mv4{qpvAERe(|hFJXm$6}Zu~L}`J1J8WOMPc&EtP;u9;m$^!Ruy
zT??sP`_$(6ON(1h<8MphwEwmFl)vi9LkmpI(m!Q?!?ycZ(|?O*cJsfqa?@fSR2pVg
zvN*`E;J#TjtUNG_ewD|-O|uAC?Xg)it6VWlWR**1x#^T;P%E0{qv|laG;fgv)XUhM
zcs4h$*qr;#<|c5oz|*^I{_pkyr9XiGv^n>e&B3Y732^Srws+0q4{mU4ddfYsszc9!
zXI6D6Pk?I+*HF%o_d|O7Lj2`ZGWmI4;d9J`@8@>m+{^kN;qxzBka{;&kxmfy-<~t?
z(B~uz1qjE%+%A=tcjqjdyEV+5DzQm!g!bOtE?e@I%$%yrv~=ixvz!^F@j25x0rblu
z?@TNCE#y%+p=XEgTbCVkKf%e;wIk;6dfFd^*XaXc-CM5wCVe%v-!S$Y^h~(EmNM@}
TckK)J-Q{XG<qG|G<i7Ghcjsa+

diff --git a/pkg/blockchain/sol/custody/instructions.go b/pkg/blockchain/sol/custody/instructions.go
index 2f50ba9..328ea9b 100644
--- a/pkg/blockchain/sol/custody/instructions.go
+++ b/pkg/blockchain/sol/custody/instructions.go
@@ -12,10 +12,11 @@ import (
 )
 
 // Builds a "deposit_sol" instruction.
-// Native SOL deposit crediting the 20-byte clearnet `account`.
+// Native SOL deposit crediting the 20-byte clearnet `account`, with an // optional ADR-015 sub-account `reference` ([0u8; 32] for none).
 func NewDepositSolInstruction(
 	// Params:
 	accountParam [20]uint8,
+	referenceParam [32]uint8,
 	amountParam uint64,
 
 	// Accounts:
@@ -39,6 +40,11 @@ func NewDepositSolInstruction(
 		if err != nil {
 			return nil, errors.NewField("accountParam", err)
 		}
+		// Serialize `referenceParam`:
+		err = enc__.Encode(referenceParam)
+		if err != nil {
+			return nil, errors.NewField("referenceParam", err)
+		}
 		// Serialize `amountParam`:
 		err = enc__.Encode(amountParam)
 		if err != nil {
@@ -70,10 +76,11 @@ func NewDepositSolInstruction(
 }
 
 // Builds a "deposit_spl" instruction.
-// SPL token deposit crediting the 20-byte clearnet `account`.
+// SPL token deposit crediting the 20-byte clearnet `account`, with an // optional ADR-015 sub-account `reference` ([0u8; 32] for none).
 func NewDepositSplInstruction(
 	// Params:
 	accountParam [20]uint8,
+	referenceParam [32]uint8,
 	amountParam uint64,
 
 	// Accounts:
@@ -101,6 +108,11 @@ func NewDepositSplInstruction(
 		if err != nil {
 			return nil, errors.NewField("accountParam", err)
 		}
+		// Serialize `referenceParam`:
+		err = enc__.Encode(referenceParam)
+		if err != nil {
+			return nil, errors.NewField("referenceParam", err)
+		}
 		// Serialize `amountParam`:
 		err = enc__.Encode(amountParam)
 		if err != nil {
diff --git a/pkg/blockchain/sol/custody/types.go b/pkg/blockchain/sol/custody/types.go
index 0827ef1..0ddeadc 100644
--- a/pkg/blockchain/sol/custody/types.go
+++ b/pkg/blockchain/sol/custody/types.go
@@ -111,10 +111,13 @@ func UnmarshalConfig(buf []byte) (*Config, error) {
 // watcher decodes these from the self-CPI inner instructions and turns each
 // into a `chains.DepositEvent`. `mint == Pubkey::default()` denotes native
 // SOL (the analogue of EVM's `asset == address(0)`). `account` is the 20-byte
-// clearnet account the deposit credits.
+// clearnet account the deposit credits. `reference` is the ADR-015 opaque
+// sub-account selector ([0u8; 32] when absent); never interpreted on-chain,
+// the watcher folds it into the account URI as a /tag/<reference> suffix.
 type Deposited struct {
 	Depositor solanago.PublicKey `json:"depositor"`
 	Account   [20]uint8          `json:"account"`
+	Reference [32]uint8          `json:"reference"`
 	Mint      solanago.PublicKey `json:"mint"`
 	Amount    uint64             `json:"amount"`
 }
@@ -130,6 +133,11 @@ func (obj Deposited) MarshalWithEncoder(encoder *binary.Encoder) (err error) {
 	if err != nil {
 		return errors.NewField("Account", err)
 	}
+	// Serialize `Reference`:
+	err = encoder.Encode(obj.Reference)
+	if err != nil {
+		return errors.NewField("Reference", err)
+	}
 	// Serialize `Mint`:
 	err = encoder.Encode(obj.Mint)
 	if err != nil {
@@ -164,6 +172,11 @@ func (obj *Deposited) UnmarshalWithDecoder(decoder *binary.Decoder) (err error)
 	if err != nil {
 		return errors.NewField("Account", err)
 	}
+	// Deserialize `Reference`:
+	err = decoder.Decode(&obj.Reference)
+	if err != nil {
+		return errors.NewField("Reference", err)
+	}
 	// Deserialize `Mint`:
 	err = decoder.Decode(&obj.Mint)
 	if err != nil {
diff --git a/pkg/blockchain/sol/depositor.go b/pkg/blockchain/sol/depositor.go
index dae9794..e2bbbf8 100644
--- a/pkg/blockchain/sol/depositor.go
+++ b/pkg/blockchain/sol/depositor.go
@@ -60,9 +60,10 @@ func NewDepositor(rpcURL string, programID solana.PublicKey, signer sign.Signer,
 func (d *Depositor) DepositorAddress() string { return d.depositorPub.String() }
 
 // SubmitDeposit transfers `amount` of `asset` into the vault, crediting clearnet
-// `account` (20-byte hex). asset is "" / "SOL" for native or a base58 mint.
-func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, account string) (core.TxRef, error) {
-	acct, err := parseClearnetAccount(account)
+// dest.Account (20-byte hex) with the optional ADR-015 dest.Ref sub-account
+// reference. asset is "" / "SOL" for native or a base58 mint.
+func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, dest core.DepositDestination) (core.TxRef, error) {
+	acct, err := parseClearnetAccount(dest.Account)
 	if err != nil {
 		return core.TxRef{}, err
 	}
@@ -79,7 +80,7 @@ func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount deci
 	var ix solana.Instruction
 	if mint.IsZero() {
 		ix, err = custody.NewDepositSolInstruction(
-			acct, lamports,
+			acct, dest.Ref, lamports,
 			d.depositorPub, d.vaultPDA, solana.SystemProgramID, d.eventAuth, d.programID,
 		)
 	} else {
@@ -92,7 +93,7 @@ func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount deci
 			return core.TxRef{}, fmt.Errorf("sol: vault ATA: %w", e)
 		}
 		ix, err = custody.NewDepositSplInstruction(
-			acct, lamports,
+			acct, dest.Ref, lamports,
 			d.depositorPub, mint, depositorATA, d.vaultPDA, vaultATA,
 			solana.TokenProgramID, solana.SPLAssociatedTokenAccountProgramID, d.eventAuth, d.programID,
 		)
diff --git a/pkg/blockchain/sol/vault_integration_test.go b/pkg/blockchain/sol/vault_integration_test.go
index a80da52..fe8281b 100644
--- a/pkg/blockchain/sol/vault_integration_test.go
+++ b/pkg/blockchain/sol/vault_integration_test.go
@@ -119,7 +119,7 @@ func TestIntegrationSOL_DepositAndWithdraw(t *testing.T) {
 		t.Fatalf("NewDepositor: %v", err)
 	}
 	const account = "00000000000000000000000000000000000000a1" // 20-byte clearnet addr
-	depRef, err := dep.SubmitDeposit(ctx, "SOL", decimal.NewFromInt(100_000_000), account)
+	depRef, err := dep.SubmitDeposit(ctx, "SOL", decimal.NewFromInt(100_000_000), core.DepositDestination{Account: account})
 	if err != nil {
 		t.Fatalf("Deposit: %v", err)
 	}
diff --git a/pkg/blockchain/xrpl/depositor.go b/pkg/blockchain/xrpl/depositor.go
index 2ffbb2c..10cf454 100644
--- a/pkg/blockchain/xrpl/depositor.go
+++ b/pkg/blockchain/xrpl/depositor.go
@@ -2,6 +2,7 @@ package xrpl
 
 import (
 	"context"
+	"encoding/hex"
 	"fmt"
 	"strings"
 
@@ -15,9 +16,10 @@ import (
 	"github.com/layer-3/clearnet-sdk/pkg/sign"
 )
 
-// Depositor sends a tagged Payment from the depositor's account (the key the
-// sign.Signer holds) to the vault, crediting a clearnet account via the
-// DestinationTag. It implements core.VaultDepositor. Native XRP and issued
+// Depositor sends a Payment from the depositor's account (the key the
+// sign.Signer holds) to the vault, crediting a clearnet account via a
+// `ynet-account` memo (a 20-byte account followed by a 32-byte ADR-015
+// reference). It implements core.VaultDepositor. Native XRP and issued
 // currencies ("CUR.rIssuer") are both supported.
 type Depositor struct {
 	client       *rpc.Client
@@ -44,11 +46,12 @@ func NewDepositor(rpcURL, vaultAddress string, signer sign.Signer) (*Depositor,
 // DepositorAddress returns the depositor's classic r-address.
 func (d *Depositor) DepositorAddress() string { return d.id.ClassicAddress }
 
-// SubmitDeposit sends `amount` of `asset` to the vault, crediting `account` via its
-// DestinationTag. asset is "" / "XRP" for native or "CUR.rIssuer" for an issued
-// currency; account must be of the form xrpl-<tag> (the tag the watcher credits).
-func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, account string) (core.TxRef, error) {
-	tag, err := parseDepositTag(account)
+// SubmitDeposit sends `amount` of `asset` to the vault, crediting dest.Account
+// via a `ynet-account` memo carrying the 20-byte account and the 32-byte
+// ADR-015 dest.Ref. asset is "" / "XRP" for native or "CUR.rIssuer" for an
+// issued currency; dest.Account is the 20-byte clearnet account (hex).
+func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, dest core.DepositDestination) (core.TxRef, error) {
+	memo, err := accountMemo(dest)
 	if err != nil {
 		return core.TxRef{}, err
 	}
@@ -58,12 +61,14 @@ func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount deci
 	}
 
 	payment := transaction.Payment{
-		BaseTx:      transaction.BaseTx{Account: types.Address(d.id.ClassicAddress)},
+		BaseTx: transaction.BaseTx{
+			Account: types.Address(d.id.ClassicAddress),
+			Memos:   []types.MemoWrapper{memo},
+		},
 		Destination: types.Address(d.vaultAddress),
 		Amount:      xrplAmount,
 	}
 	flatTx := payment.Flatten()
-	flatTx["DestinationTag"] = tag
 	if err := d.client.Autofill(&flatTx); err != nil {
 		return core.TxRef{}, fmt.Errorf("xrpl: autofill: %w", err)
 	}
@@ -88,6 +93,29 @@ func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount deci
 	}
 }
 
+// accountMemoType is the MemoType (as plain text, hex-encoded on the wire)
+// that marks the ynet-account memo carrying the deposit destination.
+const accountMemoType = "ynet-account"
+
+// accountMemo builds the ynet-account memo: MemoData is the 20-byte clearnet
+// account followed by the 32-byte ADR-015 reference (zero for no sub-account),
+// hex-encoded; MemoType is "ynet-account", hex-encoded.
+func accountMemo(dest core.DepositDestination) (types.MemoWrapper, error) {
+	raw := strings.TrimPrefix(strings.TrimSpace(dest.Account), "0x")
+	account, err := hex.DecodeString(raw)
+	if err != nil {
+		return types.MemoWrapper{}, fmt.Errorf("xrpl: account not hex: %w", err)
+	}
+	if len(account) != 20 {
+		return types.MemoWrapper{}, fmt.Errorf("xrpl: account must be 20 bytes, got %d", len(account))
+	}
+	data := append(account, dest.Ref[:]...)
+	return types.MemoWrapper{Memo: types.Memo{
+		MemoType: hex.EncodeToString([]byte(accountMemoType)),
+		MemoData: hex.EncodeToString(data),
+	}}, nil
+}
+
 // VerifyDeposit reports the on-chain status of the deposit tx in ref (matched by
 // hash, ref.Raw). XRPL finality is binary — a validated transaction cannot be
 // reorged — so minConf is not a depth here: a validated tx is DepositConfirmed,
diff --git a/pkg/blockchain/xrpl/depositor_test.go b/pkg/blockchain/xrpl/depositor_test.go
new file mode 100644
index 0000000..b8f5717
--- /dev/null
+++ b/pkg/blockchain/xrpl/depositor_test.go
@@ -0,0 +1,52 @@
+package xrpl
+
+import (
+	"bytes"
+	"encoding/hex"
+	"testing"
+
+	"github.com/layer-3/clearnet-sdk/pkg/core"
+)
+
+// TestAccountMemo verifies the ynet-account memo encodes the 20-byte account
+// followed by the 32-byte ADR-015 reference, matching what a deposit watcher
+// decodes (MemoType "ynet-account", MemoData = account || reference, both hex).
+func TestAccountMemo(t *testing.T) {
+	var ref [32]byte
+	ref[0], ref[31] = 0xAB, 0xCD
+	dest := core.DepositDestination{Account: "0x00000000000000000000000000000000000000a2", Ref: ref}
+
+	mw, err := accountMemo(dest)
+	if err != nil {
+		t.Fatalf("accountMemo: %v", err)
+	}
+
+	if got, want := mw.Memo.MemoType, hex.EncodeToString([]byte("ynet-account")); got != want {
+		t.Errorf("MemoType: got %s, want %s", got, want)
+	}
+
+	data, err := hex.DecodeString(mw.Memo.MemoData)
+	if err != nil {
+		t.Fatalf("MemoData not hex: %v", err)
+	}
+	if len(data) != 52 {
+		t.Fatalf("MemoData length: got %d, want 52 (20 account + 32 reference)", len(data))
+	}
+	wantAccount := [20]byte{18: 0x00, 19: 0xa2}
+	if !bytes.Equal(data[:20], wantAccount[:]) {
+		t.Errorf("account bytes: got %x", data[:20])
+	}
+	if !bytes.Equal(data[20:], ref[:]) {
+		t.Errorf("reference bytes: got %x, want %x", data[20:], ref[:])
+	}
+}
+
+// TestAccountMemo_RejectsBadAccount rejects an account that is not 20 bytes.
+func TestAccountMemo_RejectsBadAccount(t *testing.T) {
+	if _, err := accountMemo(core.DepositDestination{Account: "0xdead"}); err == nil {
+		t.Error("short account accepted")
+	}
+	if _, err := accountMemo(core.DepositDestination{Account: "not-hex"}); err == nil {
+		t.Error("non-hex account accepted")
+	}
+}
diff --git a/pkg/blockchain/xrpl/vault_integration_test.go b/pkg/blockchain/xrpl/vault_integration_test.go
index 5765bce..9b20d29 100644
--- a/pkg/blockchain/xrpl/vault_integration_test.go
+++ b/pkg/blockchain/xrpl/vault_integration_test.go
@@ -9,7 +9,6 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
-	"fmt"
 	"net/http"
 	"os"
 	"strings"
@@ -46,7 +45,6 @@ const (
 	genesisSeed     = "snoPBrXtMeMyMHUVTgbuqAfg1SUTb" // rHb9CJAWyB4rj91VRWn96DkukG4bwdtyTh, ~100B XRP
 	xrplSignerCount = 3
 	xrplQuorum      = 2
-	depositTag      = 42
 )
 
 func TestIntegrationXRPL_DepositAndWithdraw(t *testing.T) {
@@ -89,7 +87,7 @@ func TestIntegrationXRPL_DepositAndWithdraw(t *testing.T) {
 	if err != nil {
 		t.Fatalf("NewDepositor: %v", err)
 	}
-	depRef, err := dep.SubmitDeposit(ctx, "XRP", decimal.NewFromInt(100_000_000), fmt.Sprintf("xrpl-%d", depositTag)) // 100 XRP
+	depRef, err := dep.SubmitDeposit(ctx, "XRP", decimal.NewFromInt(100_000_000), core.DepositDestination{Account: "00000000000000000000000000000000000000a2"}) // 100 XRP
 	if err != nil {
 		t.Fatalf("Deposit: %v", err)
 	}
diff --git a/pkg/blockchain/xrpl/wire.go b/pkg/blockchain/xrpl/wire.go
index f3cf52d..585bd91 100644
--- a/pkg/blockchain/xrpl/wire.go
+++ b/pkg/blockchain/xrpl/wire.go
@@ -39,29 +39,6 @@ var canonicalAllowedFields = map[string]struct{}{
 	"SigningPubKey": {}, "Flags": {},
 }
 
-// parseDepositTag extracts the XRPL DestinationTag from a crediting account.
-//
-// The custody deposit watcher derives the credited account FROM the tag —
-// `core.UserURI("xrpl-" + tag)` — so the tag is the primary identifier, not a
-// hash of anything. The account therefore must be of the form `xrpl-<tag>`
-// (optionally as the last segment of a yellow:// URI); this reverses that
-// mapping to recover the uint32 tag the depositor must set.
-func parseDepositTag(account string) (uint32, error) {
-	seg := account
-	if i := strings.LastIndex(seg, "/"); i >= 0 {
-		seg = seg[i+1:]
-	}
-	rest, ok := strings.CutPrefix(strings.ToLower(seg), "xrpl-")
-	if !ok {
-		return 0, fmt.Errorf("xrpl: account %q must be of the form xrpl-<tag> (or yellow://.../user/xrpl-<tag>)", account)
-	}
-	n, err := strconv.ParseUint(rest, 10, 32)
-	if err != nil {
-		return 0, fmt.Errorf("xrpl: bad deposit tag in account %q: %w", account, err)
-	}
-	return uint32(n), nil
-}
-
 // Identity is a signer's XRPL classic address + signing pubkey hex.
 type Identity struct {
 	ClassicAddress   string
diff --git a/pkg/core/blockchain.go b/pkg/core/blockchain.go
index 2dd4847..927eb6a 100644
--- a/pkg/core/blockchain.go
+++ b/pkg/core/blockchain.go
@@ -72,13 +72,24 @@ func (s DepositStatus) String() string {
 	}
 }
 
+// DepositDestination identifies who a deposit credits. Account is the L1 /
+// clearnet account; Ref is the opaque ADR-015 sub-account reference, carried
+// alongside the account as side-data (a zero Ref means no sub-account). The
+// reference is never interpreted on-chain — it is emitted so deposits are
+// filterable per (Account, Ref); an observer folds it into the account URI.
+// Chains without a reference channel (BTC) reject a non-zero Ref.
+type DepositDestination struct {
+	Account string
+	Ref     [32]byte
+}
+
 // VaultDepositor moves funds into the L1 vault. The implementation owns the
 // depositor's signing identity (a sign.Signer supplied at construction) and
 // executes the deposit on its chain: a contract call (EVM), a funding tx to a
-// derived address (BTC), or a tagged Payment (XRPL). It expects only the asset,
-// amount, and crediting clearnet account.
+// derived address (BTC), or a memo-tagged Payment (XRPL). It expects only the
+// asset, amount, and crediting destination.
 type VaultDepositor interface {
-	SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, account string) (TxRef, error)
+	SubmitDeposit(ctx context.Context, asset string, amount decimal.Decimal, dest DepositDestination) (TxRef, error)
 	// VerifyDeposit reports whether the deposit identified by ref (a TxRef
 	// returned by SubmitDeposit) is present and final on chain — a pure read for
 	// replay/audit. minConf is the confirmation depth required for

From 45d37ddf6380f1a45fad03b868e1fdd492e1dd56 Mon Sep 17 00:00:00 2001
From: Anton Filonenko <phil@yellow.org>
Date: Fri, 19 Jun 2026 11:51:16 +0300
Subject: [PATCH 2/5] fix(btc): reject incomplete sweep in rotation validate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RotationFinalizer.Validate checked that every input present in the
packed sweep was a valid, confirmed vault UTXO, but never checked that
the sweep spent ALL currently-owned UTXOs. A sweep that silently omitted
some inputs would still pass, and once the rotation pivot lands the old
vault is abandoned — any unswept UTXO is stranded there with no path to
move it under the new signer set.

Add a completeness check: re-list the owned UTXO set at the configured
confirmation depth and require exact set-equality with the tx inputs,
erroring on a count mismatch or any omitted owned UTXO. Reuses the
current-vault finalizer already built for input summation.

Adds TestRotationValidateRejectsPartialSweep: a full sweep validates, a
sweep with one input dropped is rejected naming the omitted UTXO.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 pkg/blockchain/btc/rotation_finalizer.go      |  31 ++++
 pkg/blockchain/btc/rotation_finalizer_test.go | 166 ++++++++++++++++++
 2 files changed, 197 insertions(+)

diff --git a/pkg/blockchain/btc/rotation_finalizer.go b/pkg/blockchain/btc/rotation_finalizer.go
index 005f6a0..f65f649 100644
--- a/pkg/blockchain/btc/rotation_finalizer.go
+++ b/pkg/blockchain/btc/rotation_finalizer.go
@@ -186,6 +186,37 @@ func (f *RotationFinalizer) Validate(ctx context.Context, opID [32]byte, packed
 	if cap := EstimateFeeSats(len(tx.TxIn), 2, f.cfg.FeeCapSatPerVByte); f.cfg.FeeCapSatPerVByte > 0 && fee > cap {
 		return fmt.Errorf("btc rotation validate: fee %d exceeds ceiling %d", fee, cap)
 	}
+
+	// Completeness: a rotation sweep must spend every currently-owned UTXO. The
+	// checks above only prove each PRESENT input is a valid vault UTXO — they do
+	// not catch a sweep that silently omits some. An incomplete sweep would
+	// strand those funds at the old vault, which is abandoned the moment the
+	// pivot lands. Re-list the owned set and require exact set-equality with the
+	// tx's inputs.
+	unspent, err := cur.rpc.ListUnspent(ctx, int(f.cfg.ConfirmationDepth), cur.watchAddresses())
+	if err != nil {
+		return fmt.Errorf("btc rotation validate: list vault utxos: %w", err)
+	}
+	owned, err := cur.toUTXOs(unspent)
+	if err != nil {
+		return err
+	}
+	want := make(map[string]struct{}, len(owned))
+	for _, u := range owned {
+		want[fmt.Sprintf("%s:%d", u.TxID.String(), u.Vout)] = struct{}{}
+	}
+	got := make(map[string]struct{}, len(tx.TxIn))
+	for _, in := range tx.TxIn {
+		got[fmt.Sprintf("%s:%d", in.PreviousOutPoint.Hash.String(), in.PreviousOutPoint.Index)] = struct{}{}
+	}
+	if len(want) != len(got) {
+		return fmt.Errorf("btc rotation validate: spends %d inputs, expected all %d owned utxos", len(got), len(want))
+	}
+	for k := range want {
+		if _, ok := got[k]; !ok {
+			return fmt.Errorf("btc rotation validate: omits owned utxo %s", k)
+		}
+	}
 	return nil
 }
 
diff --git a/pkg/blockchain/btc/rotation_finalizer_test.go b/pkg/blockchain/btc/rotation_finalizer_test.go
index 505f587..294d509 100644
--- a/pkg/blockchain/btc/rotation_finalizer_test.go
+++ b/pkg/blockchain/btc/rotation_finalizer_test.go
@@ -2,6 +2,9 @@ package btc
 
 import (
 	"bytes"
+	"context"
+	"encoding/hex"
+	"strings"
 	"testing"
 
 	"github.com/btcsuite/btcd/chaincfg"
@@ -116,3 +119,166 @@ func TestBuildSweepTx_OpReturnMarker(t *testing.T) {
 		t.Errorf("inputs = %d, want %d", len(tx.TxIn), len(utxos))
 	}
 }
+
+// stubRotationRPC is a minimal RPC seam for exercising Validate without a node.
+// ListUnspent reports the owned UTXO set; GetTxOut answers each input as a
+// confirmed output of vaultScript so sumValidatedInputs accepts it. The other
+// methods are unused by Validate.
+type stubRotationRPC struct {
+	unspent     []Unspent
+	vaultScript string // hex pkScript every owned UTXO pays to
+	confs       int64
+}
+
+func (s *stubRotationRPC) ListUnspent(_ context.Context, _ int, _ []string) ([]Unspent, error) {
+	return s.unspent, nil
+}
+
+func (s *stubRotationRPC) GetTxOut(_ context.Context, txid string, vout uint32, _ bool) (*TxOut, error) {
+	for _, u := range s.unspent {
+		if u.TxID == txid && u.Vout == vout {
+			return &TxOut{AmountSats: u.AmountSats, ScriptPubKey: s.vaultScript, Confirmations: s.confs}, nil
+		}
+	}
+	return nil, nil
+}
+
+func (s *stubRotationRPC) SendRawTransaction(context.Context, string) (string, error) {
+	return "", nil
+}
+func (s *stubRotationRPC) EstimateSmartFeeSatPerVByte(context.Context, int, int64) (int64, error) {
+	return 5, nil
+}
+func (s *stubRotationRPC) GetBlockCount(context.Context) (int64, error)        { return 0, nil }
+func (s *stubRotationRPC) GetBlockHash(context.Context, int64) (string, error) { return "", nil }
+func (s *stubRotationRPC) GetBlockTxids(context.Context, string) ([]string, error) {
+	return nil, nil
+}
+func (s *stubRotationRPC) GetRawTransaction(context.Context, string) (*RawTx, error) {
+	return nil, nil
+}
+
+// stubVaultStore returns a fixed current vault and accepts any pivot.
+type stubVaultStore struct {
+	pubkeys   [][]byte
+	threshold int
+}
+
+func (s *stubVaultStore) Current(context.Context) ([][]byte, int, error) {
+	return s.pubkeys, s.threshold, nil
+}
+func (s *stubVaultStore) Pivot(context.Context, [][]byte, int) error { return nil }
+
+// TestRotationValidateRejectsPartialSweep proves the completeness guard: a sweep
+// that omits an owned UTXO is rejected (it would strand that UTXO at the old
+// vault), while the full sweep over the same owned set validates.
+func TestRotationValidateRejectsPartialSweep(t *testing.T) {
+	net := &chaincfg.RegressionNetParams
+	ctx := context.Background()
+
+	// Current vault: a 2-of-2 P2WSH whose first key is this node's signer.
+	keys := make([]*sign.KeySigner, 2)
+	pubs := make([][]byte, 2)
+	for i := range keys {
+		k, err := crypto.GenerateKey()
+		if err != nil {
+			t.Fatalf("gen key: %v", err)
+		}
+		keys[i] = sign.NewKeySignerFromECDSA(k)
+		pubs[i] = keys[i].PublicKey()
+	}
+	signer := keys[0]
+
+	redeem, err := RedeemScript(2, pubs)
+	if err != nil {
+		t.Fatalf("RedeemScript: %v", err)
+	}
+	vaultAddr, err := VaultAddress(redeem, net)
+	if err != nil {
+		t.Fatalf("VaultAddress: %v", err)
+	}
+	vaultScript, err := PkScript(vaultAddr)
+	if err != nil {
+		t.Fatalf("PkScript: %v", err)
+	}
+
+	// New vault: a distinct 2-of-2 set the sweep pays into.
+	newPubs := make([]string, 2)
+	for i := range newPubs {
+		k, err := crypto.GenerateKey()
+		if err != nil {
+			t.Fatalf("gen new key: %v", err)
+		}
+		newPubs[i] = hex.EncodeToString(sign.NewKeySignerFromECDSA(k).PublicKey())
+	}
+
+	// Three owned UTXOs.
+	owned := make([]UTXO, 3)
+	for i := range owned {
+		var h chainhash.Hash
+		h[0] = byte(0x10 + i)
+		owned[i] = UTXO{TxID: h, Vout: uint32(i), Amount: 1_000_000}
+	}
+	unspent := make([]Unspent, len(owned))
+	for i, u := range owned {
+		unspent[i] = Unspent{TxID: u.TxID.String(), Vout: u.Vout, AmountSats: u.Amount, Confirmations: 100}
+	}
+
+	vaultScriptHex := strings.ToLower(hex.EncodeToString(vaultScript))
+	for i := range unspent {
+		unspent[i].ScriptPubKey = vaultScriptHex // so toUTXOs resolves them as owned
+	}
+
+	cfg := Config{ConfirmationDepth: 1, FeeConfTarget: 6, FallbackFeeRate: 5, FeeCapSatPerVByte: 100}
+	rpc := &stubRotationRPC{
+		unspent:     unspent,
+		vaultScript: vaultScriptHex,
+		confs:       100,
+	}
+	store := &stubVaultStore{pubkeys: pubs, threshold: 2}
+
+	rf, err := NewRotationFinalizer(net, rpc, signer, store, cfg)
+	if err != nil {
+		t.Fatalf("NewRotationFinalizer: %v", err)
+	}
+
+	var opID [32]byte
+	opID[0], opID[31] = 0xAB, 0xCD
+
+	newVaultAddr, _, _, err := rf.newVaultAddress(newPubs, 2)
+	if err != nil {
+		t.Fatalf("newVaultAddress: %v", err)
+	}
+
+	// A full sweep over all owned UTXOs validates.
+	full, err := buildSweepTx(owned, newVaultAddr, opID, 5)
+	if err != nil {
+		t.Fatalf("buildSweepTx (full): %v", err)
+	}
+	fullBytes, err := serializeTx(full)
+	if err != nil {
+		t.Fatalf("serialize full: %v", err)
+	}
+	if err := rf.Validate(ctx, opID, fullBytes, newPubs, 2); err != nil {
+		t.Fatalf("full sweep rejected: %v", err)
+	}
+
+	// Drop one input: the sweep now omits an owned UTXO and must be rejected.
+	dropped := owned[len(owned)-1]
+	partial, err := buildSweepTx(owned[:len(owned)-1], newVaultAddr, opID, 5)
+	if err != nil {
+		t.Fatalf("buildSweepTx (partial): %v", err)
+	}
+	partialBytes, err := serializeTx(partial)
+	if err != nil {
+		t.Fatalf("serialize partial: %v", err)
+	}
+	err = rf.Validate(ctx, opID, partialBytes, newPubs, 2)
+	if err == nil {
+		t.Fatal("partial sweep accepted, want rejection")
+	}
+	missing := dropped.TxID.String()
+	if !strings.Contains(err.Error(), "owned utxo") && !strings.Contains(err.Error(), missing) {
+		t.Errorf("error %q does not mention the omitted owned utxo %s", err, missing)
+	}
+}

From bc2c38c20e6eb4ace73ddb951de782982420adf3 Mon Sep 17 00:00:00 2001
From: Anton Filonenko <phil@yellow.org>
Date: Fri, 19 Jun 2026 11:51:48 +0300
Subject: [PATCH 3/5] fix(evm): estimate gas for signer rotation submit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RotationFinalizer.Submit relied on the contract binding's implicit gas
auto-estimation for the updateSigners call. updateSigners takes
dynamic-array arguments (address[], uint256, bytes[]), and the binding's
built-in estimate trips a known go-ethereum gotcha on dynamic args that
returns a too-low gas limit (or an estimation error outright), so the
rotation transaction can revert out-of-gas — a liveness failure on the
signer-rotation path.

Estimate gas explicitly, mirroring the withdrawal path: pack the
updateSigners calldata, run a single eth_estimateGas against it, and set
opts.GasLimit to the result padded by the configured multiplier. Called
after applyFees and before the binding call. A comment documents the
dynamic-array gotcha so the explicit estimate is not removed later.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 pkg/blockchain/evm/rotation_finalizer.go | 35 ++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/pkg/blockchain/evm/rotation_finalizer.go b/pkg/blockchain/evm/rotation_finalizer.go
index 5e3b858..64e077b 100644
--- a/pkg/blockchain/evm/rotation_finalizer.go
+++ b/pkg/blockchain/evm/rotation_finalizer.go
@@ -8,6 +8,7 @@ import (
 	"math/big"
 	"sort"
 
+	ethereum "github.com/ethereum/go-ethereum"
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/ethclient"
@@ -165,6 +166,9 @@ func (f *RotationFinalizer) Submit(ctx context.Context, packed []byte, signature
 	if err := applyFees(ctx, f.client, f.fees, opts); err != nil {
 		return core.TxRef{}, err
 	}
+	if err := f.estimateGas(ctx, opts, addrs, big.NewInt(int64(p.NewThreshold)), sigs); err != nil {
+		return core.TxRef{}, err
+	}
 	tx, err := f.custody.UpdateSigners(opts, addrs, big.NewInt(int64(p.NewThreshold)), sigs)
 	if err != nil {
 		return core.TxRef{}, fmt.Errorf("updateSigners: %w", err)
@@ -199,6 +203,37 @@ func (f *RotationFinalizer) VerifyRotation(ctx context.Context, newSigners []str
 
 // --- helpers ---
 
+// estimateGas sets opts.GasLimit for the updateSigners call. We do NOT rely on
+// the binding's built-in gas auto-estimation: updateSigners takes dynamic-array
+// args (address[], uint256, bytes[]), and the binding's implicit estimate trips
+// a known go-ethereum gotcha on dynamic args that yields a too-low limit (or an
+// outright estimation error), so the rotation tx would revert out-of-gas. We
+// pack the calldata explicitly, run a single eth_estimateGas against it, and pad
+// by the configured multiplier — mirroring the withdrawal path.
+func (f *RotationFinalizer) estimateGas(ctx context.Context, opts *bind.TransactOpts, newSigners []common.Address, newThreshold *big.Int, sigs [][]byte) error {
+	abi, err := CustodyMetaData.GetAbi()
+	if err != nil {
+		return fmt.Errorf("parse ABI: %w", err)
+	}
+	data, err := abi.Pack("updateSigners", newSigners, newThreshold, sigs)
+	if err != nil {
+		return fmt.Errorf("pack updateSigners calldata: %w", err)
+	}
+	est, err := f.client.EstimateGas(ctx, ethereum.CallMsg{
+		From:      f.signerAddr,
+		To:        &f.vaultAddr,
+		Data:      data,
+		GasTipCap: opts.GasTipCap,
+		GasFeeCap: opts.GasFeeCap,
+		GasPrice:  opts.GasPrice,
+	})
+	if err != nil {
+		return fmt.Errorf("estimate gas: %w", err)
+	}
+	opts.GasLimit = uint64(float64(est) * f.fees.gasLimitMultiplier())
+	return nil
+}
+
 func (f *RotationFinalizer) digestFromPacked(packed []byte) ([32]byte, error) {
 	var p evmRotPacked
 	if err := json.Unmarshal(packed, &p); err != nil {

From e22d20b1418d598e88e9911ea670fe588220328d Mon Sep 17 00:00:00 2001
From: Anton Filonenko <phil@yellow.org>
Date: Fri, 19 Jun 2026 12:31:51 +0300
Subject: [PATCH 4/5] feat(btc): bound withdrawal inputs and add consolidation

SelectUTXOs gains a maxInputs bound (Config.MaxInputsPerWithdrawal); when
covering a withdrawal would exceed it, the vault is too fragmented for a
standard-size tx, signalled by the new ErrTooFragmented.

ConsolidationFinalizer folds a bounded batch of the vault's smallest
UTXOs back into one base-vault output (Pack/Validate/Sign/Submit),
shrinking the count so withdrawals keep fitting. It is partial by design
(same vault, no pivot), so unlike the rotation sweep it carries no
completeness rule; Sign/Submit reuse the current-vault machinery.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 pkg/blockchain/btc/consolidation_finalizer.go | 288 ++++++++++++++++++
 .../btc/consolidation_finalizer_test.go       | 165 ++++++++++
 pkg/blockchain/btc/depositor.go               |   2 +-
 pkg/blockchain/btc/txbuild.go                 |  19 +-
 pkg/blockchain/btc/withdrawal_finalizer.go    |  12 +-
 5 files changed, 483 insertions(+), 3 deletions(-)
 create mode 100644 pkg/blockchain/btc/consolidation_finalizer.go
 create mode 100644 pkg/blockchain/btc/consolidation_finalizer_test.go

diff --git a/pkg/blockchain/btc/consolidation_finalizer.go b/pkg/blockchain/btc/consolidation_finalizer.go
new file mode 100644
index 0000000..b555074
--- /dev/null
+++ b/pkg/blockchain/btc/consolidation_finalizer.go
@@ -0,0 +1,288 @@
+package btc
+
+import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"sort"
+
+	"github.com/btcsuite/btcd/chaincfg"
+	"github.com/btcsuite/btcd/txscript"
+
+	"github.com/layer-3/clearnet-sdk/pkg/core"
+	"github.com/layer-3/clearnet-sdk/pkg/sign"
+)
+
+// defaultConsolidationBatchMax bounds how many of the vault's smallest UTXOs a
+// single consolidation fold spends when Config.ConsolidationBatchMax is unset.
+// Kept well under the ~800-input standard-tx ceiling so every fold is relayable.
+const defaultConsolidationBatchMax = 200
+
+// ConsolidationFinalizer folds a bounded batch of the vault's smallest UTXOs
+// back into a single base-vault output, shrinking the UTXO count so withdrawals
+// keep fitting a standard-size tx (the counterpart to SelectUTXOs' maxInputs
+// bound / ErrTooFragmented).
+//
+// It is mechanically a withdrawal-to-self: same vault, current keys, no pivot.
+// Unlike the rotation sweep it is partial by design (a bounded batch, not the
+// full set), so it carries no completeness rule. Pack/Validate are the
+// fold-specific mechanics; Sign/Submit reuse the current-vault withdrawal
+// machinery, exactly as RotationFinalizer does.
+type ConsolidationFinalizer struct {
+	net      *chaincfg.Params
+	rpc      RPC
+	signer   sign.Signer
+	store    VaultStore
+	cfg      Config
+	accounts []string // per-account deposit URIs whose UTXOs are also foldable
+}
+
+// NewConsolidationFinalizer builds the BTC consolidation finalizer. signer is
+// this node's vault key; store supplies the current vault (consolidation never
+// pivots, so Pivot is unused). accountURIs are the per-account deposit accounts
+// whose tagged-address UTXOs are eligible to fold alongside the base vault.
+func NewConsolidationFinalizer(net *chaincfg.Params, rpc RPC, signer sign.Signer, store VaultStore, cfg Config, accountURIs ...string) (*ConsolidationFinalizer, error) {
+	if signer.Algorithm() != sign.AlgSecp256k1 {
+		return nil, fmt.Errorf("btc: consolidation signer must be secp256k1, got %s", signer.Algorithm())
+	}
+	return &ConsolidationFinalizer{
+		net:      net,
+		rpc:      rpc,
+		signer:   signer,
+		store:    store,
+		cfg:      cfg,
+		accounts: accountURIs,
+	}, nil
+}
+
+// currentVault builds a withdrawal finalizer over the current vault, registering
+// the deposit accounts so the spend-script set covers the base vault plus every
+// tagged deposit address whose UTXOs may be folded. It provides the shared
+// UTXO/sign/merge machinery.
+func (f *ConsolidationFinalizer) currentVault(ctx context.Context) (*WithdrawalFinalizer, error) {
+	pubkeys, threshold, err := f.store.Current(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("btc: read current vault: %w", err)
+	}
+	cur, err := NewWithdrawalFinalizer(f.net, f.rpc, f.signer, pubkeys, threshold, f.cfg)
+	if err != nil {
+		return nil, fmt.Errorf("btc: build current vault: %w", err)
+	}
+	if err := cur.RegisterDepositAccounts(f.accounts...); err != nil {
+		return nil, err
+	}
+	return cur, nil
+}
+
+func (f *ConsolidationFinalizer) batchMax() int {
+	if f.cfg.ConsolidationBatchMax > 0 {
+		return f.cfg.ConsolidationBatchMax
+	}
+	return defaultConsolidationBatchMax
+}
+
+// listOwned returns every currently-spendable owned UTXO (base vault + each
+// registered deposit address) at the configured confirmation depth.
+func (f *ConsolidationFinalizer) listOwned(ctx context.Context, cur *WithdrawalFinalizer) ([]UTXO, error) {
+	unspent, err := f.rpc.ListUnspent(ctx, int(f.cfg.ConfirmationDepth), cur.watchAddresses())
+	if err != nil {
+		return nil, fmt.Errorf("btc consolidate: list vault utxos: %w", err)
+	}
+	return cur.toUTXOs(unspent)
+}
+
+// OwnedUTXOCount reports the number of currently-spendable owned UTXOs. The
+// consolidation trigger uses it to decide whether a fold is warranted.
+func (f *ConsolidationFinalizer) OwnedUTXOCount(ctx context.Context) (int, error) {
+	cur, err := f.currentVault(ctx)
+	if err != nil {
+		return 0, err
+	}
+	owned, err := f.listOwned(ctx, cur)
+	if err != nil {
+		return 0, err
+	}
+	return len(owned), nil
+}
+
+// Due reports whether a periodic fold should run now: the owned UTXO count
+// exceeds target AND the current fee rate is at or below feeCeilingSatVb (a
+// low-fee window). feeCeilingSatVb <= 0 disables the fee gate.
+func (f *ConsolidationFinalizer) Due(ctx context.Context, target int, feeCeilingSatVb int64) (bool, error) {
+	count, err := f.OwnedUTXOCount(ctx)
+	if err != nil {
+		return false, err
+	}
+	if count <= target {
+		return false, nil
+	}
+	feeRate, err := f.rpc.EstimateSmartFeeSatPerVByte(ctx, f.cfg.FeeConfTarget, f.cfg.FallbackFeeRate)
+	if err != nil {
+		return false, fmt.Errorf("btc consolidate: estimate fee: %w", err)
+	}
+	if feeCeilingSatVb > 0 && feeRate > feeCeilingSatVb {
+		return false, nil
+	}
+	return true, nil
+}
+
+// Pack selects the vault's smallest spendable UTXOs (up to the batch max) and
+// folds them into a single base-vault output minus fee, with consolidationID in
+// an OP_RETURN. Smallest-first keeps the large coins intact for largest-first
+// withdrawal selection and shrinks the count fastest. The change computes to
+// zero (recipient == vault), so the result is the two-output form
+// [baseVault(total-fee), OP_RETURN(consolidationID)].
+func (f *ConsolidationFinalizer) Pack(ctx context.Context, consolidationID [32]byte) ([]byte, error) {
+	cur, err := f.currentVault(ctx)
+	if err != nil {
+		return nil, err
+	}
+	utxos, err := f.listOwned(ctx, cur)
+	if err != nil {
+		return nil, err
+	}
+	if len(utxos) < 2 {
+		return nil, errors.New("btc consolidate: fewer than 2 spendable utxos; nothing to fold")
+	}
+	// Smallest-amount-first, BIP-69 tiebreak for a deterministic batch.
+	sort.Slice(utxos, func(i, j int) bool {
+		if utxos[i].Amount != utxos[j].Amount {
+			return utxos[i].Amount < utxos[j].Amount
+		}
+		if c := bytes.Compare(utxos[i].TxID[:], utxos[j].TxID[:]); c != 0 {
+			return c < 0
+		}
+		return utxos[i].Vout < utxos[j].Vout
+	})
+	if max := f.batchMax(); len(utxos) > max {
+		utxos = utxos[:max]
+	}
+
+	feeRate, err := f.rpc.EstimateSmartFeeSatPerVByte(ctx, f.cfg.FeeConfTarget, f.cfg.FallbackFeeRate)
+	if err != nil {
+		return nil, fmt.Errorf("btc consolidate: estimate fee: %w", err)
+	}
+	var total int64
+	for _, u := range utxos {
+		total += u.Amount
+	}
+	// Two outputs: the base vault + the OP_RETURN marker. No change.
+	fee := EstimateFeeSats(len(utxos), 2, feeRate)
+	amount := total - fee
+	if amount < dustThresholdSats {
+		return nil, fmt.Errorf("btc consolidate: post-fee amount %d below dust (total %d, fee %d); batch not worth folding", amount, total, fee)
+	}
+	tx, err := BuildUnsignedTx(utxos, cur.vaultAddr, amount, cur.vaultAddr, consolidationID, fee)
+	if err != nil {
+		return nil, err
+	}
+	return serializeTx(tx)
+}
+
+// Validate is the follower-side trust boundary for a fold. A vault→vault fold
+// cannot move funds out of custody, so validation is deliberately lenient (no
+// completeness rule, no byte-identical build): exactly two outputs, output 0
+// paying the base vault, output 1 an OP_RETURN(consolidationID); every input a
+// confirmed owned UTXO (nothing foreign dragged in); the batch within the size
+// bound; and the implied fee within the griefing ceiling.
+func (f *ConsolidationFinalizer) Validate(ctx context.Context, consolidationID [32]byte, packed []byte) error {
+	cur, err := f.currentVault(ctx)
+	if err != nil {
+		return err
+	}
+	tx, err := deserializeTx(packed)
+	if err != nil {
+		return fmt.Errorf("btc consolidate validate: %w", err)
+	}
+	if err := validateFixedTxFields(tx); err != nil {
+		return fmt.Errorf("btc consolidate validate: %w", err)
+	}
+	if n := len(tx.TxOut); n != 2 {
+		return fmt.Errorf("btc consolidate validate: expected 2 outputs, got %d", n)
+	}
+	if !bytes.Equal(tx.TxOut[0].PkScript, cur.vaultScript) {
+		return errors.New("btc consolidate validate: output 0 is not the base vault")
+	}
+	wantOpReturn, err := txscript.NullDataScript(consolidationID[:])
+	if err != nil {
+		return fmt.Errorf("btc consolidate validate: opreturn script: %w", err)
+	}
+	if tx.TxOut[1].Value != 0 || !bytes.Equal(tx.TxOut[1].PkScript, wantOpReturn) {
+		return errors.New("btc consolidate validate: output 1 is not OP_RETURN <consolidationID>")
+	}
+	if len(tx.TxIn) < 2 {
+		return fmt.Errorf("btc consolidate validate: %d inputs; a fold spends at least 2", len(tx.TxIn))
+	}
+	if max := f.batchMax(); len(tx.TxIn) > max {
+		return fmt.Errorf("btc consolidate validate: %d inputs exceed batch max %d", len(tx.TxIn), max)
+	}
+
+	// Every input must be a confirmed, owned UTXO. Re-list the owned set and
+	// require the inputs to be a subset of it (lenient: no full-set match).
+	owned, err := f.listOwned(ctx, cur)
+	if err != nil {
+		return err
+	}
+	byOutpoint := make(map[string]int64, len(owned))
+	for _, u := range owned {
+		byOutpoint[fmt.Sprintf("%s:%d", u.TxID.String(), u.Vout)] = u.Amount
+	}
+	var totalIn int64
+	for _, in := range tx.TxIn {
+		key := fmt.Sprintf("%s:%d", in.PreviousOutPoint.Hash.String(), in.PreviousOutPoint.Index)
+		amt, ok := byOutpoint[key]
+		if !ok {
+			return fmt.Errorf("btc consolidate validate: input %s is not a confirmed owned utxo", key)
+		}
+		totalIn += amt
+	}
+
+	fee := totalIn - tx.TxOut[0].Value // output 1 is the zero-value OP_RETURN
+	if fee < 0 {
+		return fmt.Errorf("btc consolidate validate: outputs exceed inputs (fee %d)", fee)
+	}
+	if cap := EstimateFeeSats(len(tx.TxIn), 2, f.cfg.FeeCapSatPerVByte); f.cfg.FeeCapSatPerVByte > 0 && fee > cap {
+		return fmt.Errorf("btc consolidate validate: fee %d exceeds ceiling %d", fee, cap)
+	}
+	return nil
+}
+
+// Sign produces this node's per-input signatures over the fold, delegating to
+// the current-vault signing machinery (the fold spends base-vault and deposit
+// inputs under the current redeem scripts, exactly as a withdrawal).
+func (f *ConsolidationFinalizer) Sign(ctx context.Context, packed []byte) ([]byte, error) {
+	cur, err := f.currentVault(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return cur.Sign(ctx, packed)
+}
+
+// Submit assembles the witnesses from the collected shares and broadcasts the
+// fold, returning its hash. Idempotent on an already-known/spent reply (the
+// UTXO-model analogue of a re-submit guard).
+func (f *ConsolidationFinalizer) Submit(ctx context.Context, packed []byte, shares [][]byte) (core.TxRef, error) {
+	cur, err := f.currentVault(ctx)
+	if err != nil {
+		return core.TxRef{}, err
+	}
+	merged, err := cur.merge(ctx, packed, shares)
+	if err != nil {
+		return core.TxRef{}, err
+	}
+	tx, err := deserializeTx(merged)
+	if err != nil {
+		return core.TxRef{}, fmt.Errorf("btc consolidate submit: %w", err)
+	}
+	hash := [32]byte(tx.TxHash())
+	txid := hashToTxid(hash)
+	if _, err := f.rpc.SendRawTransaction(ctx, hex.EncodeToString(merged)); err != nil {
+		if isAlreadyKnown(err) {
+			return core.TxRef{Hash: hash, Raw: txid}, nil
+		}
+		return core.TxRef{}, fmt.Errorf("btc consolidate submit: sendrawtransaction: %w", err)
+	}
+	return core.TxRef{Hash: hash, Raw: txid}, nil
+}
diff --git a/pkg/blockchain/btc/consolidation_finalizer_test.go b/pkg/blockchain/btc/consolidation_finalizer_test.go
new file mode 100644
index 0000000..436b4cb
--- /dev/null
+++ b/pkg/blockchain/btc/consolidation_finalizer_test.go
@@ -0,0 +1,165 @@
+package btc
+
+import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"errors"
+	"strings"
+	"testing"
+
+	"github.com/btcsuite/btcd/chaincfg"
+	"github.com/btcsuite/btcd/chaincfg/chainhash"
+	"github.com/btcsuite/btcd/txscript"
+	"github.com/btcsuite/btcd/wire"
+	"github.com/ethereum/go-ethereum/crypto"
+
+	"github.com/layer-3/clearnet-sdk/pkg/sign"
+)
+
+// TestSelectUTXOsRespectsMaxInputs proves the fragmentation bound: when covering
+// the amount would need more than maxInputs inputs, SelectUTXOs returns
+// ErrTooFragmented instead of an oversized selection; within the bound (or
+// unbounded) it selects normally.
+func TestSelectUTXOsRespectsMaxInputs(t *testing.T) {
+	// Ten 100-sat UTXOs; an 800-sat withdrawal needs many inputs once the fee
+	// (which grows per input) is folded in.
+	utxos := make([]UTXO, 10)
+	for i := range utxos {
+		var h chainhash.Hash
+		h[0] = byte(i + 1)
+		utxos[i] = UTXO{TxID: h, Vout: 0, Amount: 100}
+	}
+
+	// Bounded at 3 inputs: coverage can't be reached, so it must signal fragmentation.
+	if _, _, err := SelectUTXOs(utxos, 800, 1, 2, 3); !errors.Is(err, ErrTooFragmented) {
+		t.Fatalf("bounded selection: got %v, want ErrTooFragmented", err)
+	}
+
+	// Unbounded (maxInputs=0) with a tiny amount + zero-ish fee selects fine.
+	sel, _, err := SelectUTXOs(utxos, 150, 0, 2, 0)
+	if err != nil {
+		t.Fatalf("unbounded selection: unexpected error %v", err)
+	}
+	if len(sel) == 0 {
+		t.Fatal("unbounded selection returned no inputs")
+	}
+}
+
+// consolidationFixture builds a current 2-of-2 P2WSH vault, a ConsolidationFinalizer
+// over a stub RPC seeded with `n` owned UTXOs, and returns the pieces a test needs.
+func consolidationFixture(t *testing.T, n int) (*ConsolidationFinalizer, []UTXO, []byte) {
+	t.Helper()
+	net := &chaincfg.RegressionNetParams
+
+	keys := make([]*sign.KeySigner, 2)
+	pubs := make([][]byte, 2)
+	for i := range keys {
+		k, err := crypto.GenerateKey()
+		if err != nil {
+			t.Fatalf("gen key: %v", err)
+		}
+		keys[i] = sign.NewKeySignerFromECDSA(k)
+		pubs[i] = keys[i].PublicKey()
+	}
+	redeem, err := RedeemScript(2, pubs)
+	if err != nil {
+		t.Fatalf("RedeemScript: %v", err)
+	}
+	vaultAddr, err := VaultAddress(redeem, net)
+	if err != nil {
+		t.Fatalf("VaultAddress: %v", err)
+	}
+	vaultScript, err := PkScript(vaultAddr)
+	if err != nil {
+		t.Fatalf("PkScript: %v", err)
+	}
+	vaultScriptHex := strings.ToLower(hex.EncodeToString(vaultScript))
+
+	owned := make([]UTXO, n)
+	unspent := make([]Unspent, n)
+	for i := range owned {
+		var h chainhash.Hash
+		h[0] = byte(0x20 + i)
+		owned[i] = UTXO{TxID: h, Vout: uint32(i), Amount: 1_000_000}
+		unspent[i] = Unspent{
+			TxID: h.String(), Vout: uint32(i), AmountSats: 1_000_000,
+			Confirmations: 100, ScriptPubKey: vaultScriptHex,
+		}
+	}
+
+	cfg := Config{ConfirmationDepth: 1, FeeConfTarget: 6, FallbackFeeRate: 5, FeeCapSatPerVByte: 100}
+	rpc := &stubRotationRPC{unspent: unspent, vaultScript: vaultScriptHex, confs: 100}
+	store := &stubVaultStore{pubkeys: pubs, threshold: 2}
+
+	cf, err := NewConsolidationFinalizer(net, rpc, keys[0], store, cfg)
+	if err != nil {
+		t.Fatalf("NewConsolidationFinalizer: %v", err)
+	}
+	return cf, owned, vaultScript
+}
+
+// TestConsolidationPackValidate covers the happy path (Pack builds the two-output
+// self-fold, Validate accepts it) and the two follower trust-boundary rejections:
+// an output 0 not paying the base vault, and an input that is not an owned UTXO.
+func TestConsolidationPackValidate(t *testing.T) {
+	ctx := context.Background()
+	cf, _, vaultScript := consolidationFixture(t, 3)
+
+	var cid [32]byte
+	cid[0], cid[31] = 0xC0, 0xDE
+
+	packed, err := cf.Pack(ctx, cid)
+	if err != nil {
+		t.Fatalf("Pack: %v", err)
+	}
+	tx, err := deserializeTx(packed)
+	if err != nil {
+		t.Fatalf("deserialize: %v", err)
+	}
+	if len(tx.TxOut) != 2 {
+		t.Fatalf("outputs = %d, want 2 (base vault + OP_RETURN)", len(tx.TxOut))
+	}
+	if !bytes.Equal(tx.TxOut[0].PkScript, vaultScript) {
+		t.Error("output 0 is not the base vault")
+	}
+	marker, err := txscript.NullDataScript(cid[:])
+	if err != nil {
+		t.Fatalf("marker: %v", err)
+	}
+	if tx.TxOut[1].Value != 0 || !bytes.Equal(tx.TxOut[1].PkScript, marker) {
+		t.Error("output 1 is not OP_RETURN(consolidationID)")
+	}
+
+	// Honest fold validates.
+	if err := cf.Validate(ctx, cid, packed); err != nil {
+		t.Fatalf("honest fold rejected: %v", err)
+	}
+
+	// Tamper: output 0 redirected away from the base vault.
+	bad := tx.Copy()
+	bad.TxOut[0].PkScript = marker // anything that isn't the vault script
+	badBytes, err := serializeTx(bad)
+	if err != nil {
+		t.Fatalf("serialize tampered: %v", err)
+	}
+	if err := cf.Validate(ctx, cid, badBytes); err == nil {
+		t.Error("fold with output 0 not the base vault was accepted")
+	}
+
+	// Tamper: splice in a foreign (non-owned) input.
+	foreign := tx.Copy()
+	var fh chainhash.Hash
+	fh[0] = 0xFF
+	foreign.AddTxIn(wire.NewTxIn(wire.NewOutPoint(&fh, 0), nil, nil)) // NewTxIn defaults to a final sequence
+	foreignBytes, err := serializeTx(foreign)
+	if err != nil {
+		t.Fatalf("serialize foreign: %v", err)
+	}
+	err = cf.Validate(ctx, cid, foreignBytes)
+	if err == nil {
+		t.Error("fold with a foreign input was accepted")
+	} else if !strings.Contains(err.Error(), "owned utxo") {
+		t.Errorf("error %q does not flag the non-owned input", err)
+	}
+}
diff --git a/pkg/blockchain/btc/depositor.go b/pkg/blockchain/btc/depositor.go
index 23aa881..d4e576d 100644
--- a/pkg/blockchain/btc/depositor.go
+++ b/pkg/blockchain/btc/depositor.go
@@ -101,7 +101,7 @@ func (d *Depositor) SubmitDeposit(ctx context.Context, asset string, amount deci
 		return core.TxRef{}, fmt.Errorf("btc: estimate fee: %w", err)
 	}
 	// numFixedOutputs = recipient (deposit address); change is sized in.
-	selected, feeSats, err := SelectUTXOs(utxos, sats, feeRate, 1)
+	selected, feeSats, err := SelectUTXOs(utxos, sats, feeRate, 1, 0)
 	if err != nil {
 		return core.TxRef{}, err
 	}
diff --git a/pkg/blockchain/btc/txbuild.go b/pkg/blockchain/btc/txbuild.go
index ac06510..dd5e4a7 100644
--- a/pkg/blockchain/btc/txbuild.go
+++ b/pkg/blockchain/btc/txbuild.go
@@ -1,12 +1,19 @@
 package btc
 
 import (
+	"errors"
 	"fmt"
 	"sort"
 
 	"github.com/btcsuite/btcd/wire"
 )
 
+// ErrTooFragmented reports that covering a withdrawal would require more inputs
+// than the configured maxInputs bound — i.e. the vault's UTXO set is too
+// fragmented to build a standard-size transaction. Callers detect it (via
+// errors.Is) to trigger a consolidation fold and retry the withdrawal.
+var ErrTooFragmented = errors.New("btc: utxo set too fragmented for a standard-size tx")
+
 // validateFixedTxFields asserts the fixed fields the BIP-143 SIGHASH_ALL digest
 // commits to, matching what the canonical builders produce: version
 // wire.TxVersion, locktime 0, and final (non-RBF) input sequences. The sighash
@@ -54,7 +61,12 @@ func EstimateFeeSats(numInputs, numOutputs int, satPerVByte int64) int64 {
 // and accumulated greedily until they cover amount + fee, where the fee grows
 // with each added input. numFixedOutputs is the count of always-present outputs
 // (recipient + OP_RETURN = 2); a change output is assumed for fee sizing.
-func SelectUTXOs(available []UTXO, amount int64, satPerVByte int64, numFixedOutputs int) (selected []UTXO, feeSats int64, err error) {
+//
+// maxInputs bounds the input count so the resulting tx stays within Bitcoin's
+// standard-size relay limit. When covering the amount would need more than
+// maxInputs inputs, it returns ErrTooFragmented (the caller then consolidates
+// and retries). maxInputs <= 0 means unbounded.
+func SelectUTXOs(available []UTXO, amount int64, satPerVByte int64, numFixedOutputs, maxInputs int) (selected []UTXO, feeSats int64, err error) {
 	if amount <= 0 {
 		return nil, 0, fmt.Errorf("btc: non-positive amount %d", amount)
 	}
@@ -78,6 +90,11 @@ func SelectUTXOs(available []UTXO, amount int64, satPerVByte int64, numFixedOutp
 		if total >= amount+fee {
 			return pool[:n], fee, nil
 		}
+		// Coverage not reached at n inputs; if n has hit the bound, adding more
+		// would exceed a standard-size tx — signal the need to consolidate.
+		if maxInputs > 0 && n >= maxInputs {
+			return nil, 0, ErrTooFragmented
+		}
 	}
 	return nil, 0, fmt.Errorf("btc: insufficient vault balance: have %d, need %d + fee at %d sat/vB",
 		total, amount, satPerVByte)
diff --git a/pkg/blockchain/btc/withdrawal_finalizer.go b/pkg/blockchain/btc/withdrawal_finalizer.go
index a219152..ffec6ac 100644
--- a/pkg/blockchain/btc/withdrawal_finalizer.go
+++ b/pkg/blockchain/btc/withdrawal_finalizer.go
@@ -30,6 +30,16 @@ type Config struct {
 	FeeConfTarget     int    // estimatesmartfee confirmation target (blocks)
 	FallbackFeeRate   int64  // sat/vByte used when the node can't estimate
 	FeeCapSatPerVByte int64  // ceiling Validate accepts on a canonical tx
+
+	// MaxInputsPerWithdrawal bounds how many inputs a withdrawal may select
+	// before SelectUTXOs returns ErrTooFragmented (0 = unbounded). A fragmented
+	// vault that hits this should consolidate (see ConsolidationFinalizer) and
+	// retry.
+	MaxInputsPerWithdrawal int
+	// ConsolidationBatchMax bounds how many of the vault's smallest UTXOs one
+	// consolidation fold spends (0 => a sane default well under the standard-tx
+	// input ceiling).
+	ConsolidationBatchMax int
 }
 
 // WithdrawalFinalizer is the Bitcoin m-of-n P2WSH vault withdrawal path. It
@@ -157,7 +167,7 @@ func (f *WithdrawalFinalizer) Pack(ctx context.Context, op *core.WithdrawalOp, w
 	if err != nil {
 		return nil, fmt.Errorf("btc: estimate fee: %w", err)
 	}
-	selected, feeSats, err := SelectUTXOs(utxos, amount, feeRate, 2)
+	selected, feeSats, err := SelectUTXOs(utxos, amount, feeRate, 2, f.cfg.MaxInputsPerWithdrawal)
 	if err != nil {
 		return nil, err
 	}

From 56e8121c557453d92e738786fc01908409ea2a41 Mon Sep 17 00:00:00 2001
From: Anton Filonenko <phil@yellow.org>
Date: Fri, 19 Jun 2026 12:31:52 +0300
Subject: [PATCH 5/5] feat(xrpl): size multisign fee against the live quorum

Pack autofills the multi-sign fee from the construction-time threshold,
so a quorum-raising rotation underpays once the SignerQuorum grows. Add
an optional ThresholdResolver hook (SetThresholdResolver) the withdrawal
and rotation finalizers consult for the live SignerQuorum; unset keeps
the static threshold.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 pkg/blockchain/xrpl/rotation_finalizer.go     | 33 ++++++++++++-
 .../xrpl/threshold_resolver_test.go           | 46 +++++++++++++++++++
 pkg/blockchain/xrpl/withdrawal_finalizer.go   | 41 ++++++++++++++++-
 3 files changed, 117 insertions(+), 3 deletions(-)
 create mode 100644 pkg/blockchain/xrpl/threshold_resolver_test.go

diff --git a/pkg/blockchain/xrpl/rotation_finalizer.go b/pkg/blockchain/xrpl/rotation_finalizer.go
index a0d8fb3..0d5a9fd 100644
--- a/pkg/blockchain/xrpl/rotation_finalizer.go
+++ b/pkg/blockchain/xrpl/rotation_finalizer.go
@@ -28,6 +28,28 @@ type RotationFinalizer struct {
 	threshold    int // current SignerQuorum — sizes the multi-sign fee
 	signer       sign.Signer
 	id           Identity
+
+	// resolveThreshold, when set, supplies the live SignerQuorum used to size the
+	// multi-sign fee autofill. Lets a quorum-raising rotation pay a fee sized
+	// against the vault's current (outgoing) quorum rather than a boot-time
+	// threshold. nil falls back to threshold.
+	resolveThreshold func(context.Context) (int, error)
+}
+
+// SetThresholdResolver installs a hook that resolves the live SignerQuorum used
+// to size the fee autofill. Optional; unset uses the static construction-time
+// threshold.
+func (f *RotationFinalizer) SetThresholdResolver(fn func(context.Context) (int, error)) {
+	f.resolveThreshold = fn
+}
+
+// LiveQuorum returns the vault's current on-chain SignerQuorum. Callers wire it
+// as the ThresholdResolver (and reuse it for the ceremony collect count) so a
+// quorum-raising rotation sizes the fee and quorum against live state rather
+// than the boot-time threshold.
+func (f *RotationFinalizer) LiveQuorum(_ context.Context) (int, error) {
+	_, q, err := fetchLiveSignerList(f.client, f.vaultAddress)
+	return q, err
 }
 
 var _ core.SignerRotationFinalizer = (*RotationFinalizer)(nil)
@@ -57,7 +79,7 @@ func NewRotationFinalizer(rpcURL, vaultAddress string, threshold int, signer sig
 // newThreshold (each member weight 1), returning its sorted-key JSON. opID is
 // ignored: XRPL binds rotation replay to the account Sequence (autofilled here),
 // so the operation identity is not embedded in the payload.
-func (f *RotationFinalizer) Pack(_ context.Context, _ [32]byte, newSigners []string, newThreshold int) ([]byte, error) {
+func (f *RotationFinalizer) Pack(ctx context.Context, _ [32]byte, newSigners []string, newThreshold int) ([]byte, error) {
 	entries, err := signerEntries(newSigners, newThreshold)
 	if err != nil {
 		return nil, err
@@ -68,7 +90,14 @@ func (f *RotationFinalizer) Pack(_ context.Context, _ [32]byte, newSigners []str
 		"SignerQuorum":    uint32(newThreshold),
 		"SignerEntries":   entries,
 	}
-	if err := f.client.AutofillMultisigned(&flatTx, uint64(f.threshold)); err != nil {
+	quorum := f.threshold
+	if f.resolveThreshold != nil {
+		quorum, err = f.resolveThreshold(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("xrpl: resolve live quorum: %w", err)
+		}
+	}
+	if err := f.client.AutofillMultisigned(&flatTx, uint64(quorum)); err != nil {
 		return nil, fmt.Errorf("xrpl: autofill: %w", err)
 	}
 	delete(flatTx, "LastLedgerSequence")
diff --git a/pkg/blockchain/xrpl/threshold_resolver_test.go b/pkg/blockchain/xrpl/threshold_resolver_test.go
new file mode 100644
index 0000000..7448eb8
--- /dev/null
+++ b/pkg/blockchain/xrpl/threshold_resolver_test.go
@@ -0,0 +1,46 @@
+package xrpl
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/ethereum/go-ethereum/crypto"
+
+	"github.com/layer-3/clearnet-sdk/pkg/sign"
+)
+
+// TestFeeQuorumResolver covers the live-quorum fee hook: with no resolver the
+// fee autofill uses the static construction-time threshold; with one set it uses
+// the resolved live SignerQuorum (so a quorum-raising rotation pays a correctly
+// sized fee without a fleet restart); and a resolver error propagates.
+func TestFeeQuorumResolver(t *testing.T) {
+	k, err := crypto.GenerateKey()
+	if err != nil {
+		t.Fatalf("gen key: %v", err)
+	}
+	signer := sign.NewKeySignerFromECDSA(k)
+
+	f, err := NewWithdrawalFinalizer("http://127.0.0.1:1", "rVaultAddressNotARealAccount11111111", 5, signer, nil)
+	if err != nil {
+		t.Fatalf("NewWithdrawalFinalizer: %v", err)
+	}
+	ctx := context.Background()
+
+	// No resolver → static threshold.
+	if q, err := f.feeQuorum(ctx); err != nil || q != 5 {
+		t.Fatalf("default feeQuorum = (%d, %v), want (5, nil)", q, err)
+	}
+
+	// Resolver set → live quorum.
+	f.SetThresholdResolver(func(context.Context) (int, error) { return 9, nil })
+	if q, err := f.feeQuorum(ctx); err != nil || q != 9 {
+		t.Fatalf("resolved feeQuorum = (%d, %v), want (9, nil)", q, err)
+	}
+
+	// Resolver error propagates.
+	f.SetThresholdResolver(func(context.Context) (int, error) { return 0, errors.New("boom") })
+	if _, err := f.feeQuorum(ctx); err == nil {
+		t.Fatal("resolver error was swallowed")
+	}
+}
diff --git a/pkg/blockchain/xrpl/withdrawal_finalizer.go b/pkg/blockchain/xrpl/withdrawal_finalizer.go
index 79fcfc7..950eced 100644
--- a/pkg/blockchain/xrpl/withdrawal_finalizer.go
+++ b/pkg/blockchain/xrpl/withdrawal_finalizer.go
@@ -36,6 +36,19 @@ type WithdrawalFinalizer struct {
 	signer       sign.Signer
 	id           Identity
 	tickets      TicketProvider
+
+	// resolveThreshold, when set, supplies the live SignerQuorum used to size the
+	// multi-sign fee autofill in Pack. It lets a quorum-raising rotation take
+	// effect without a fleet restart: the fee is sized against the vault's current
+	// quorum rather than the boot-time threshold. nil falls back to threshold.
+	resolveThreshold func(context.Context) (int, error)
+}
+
+// SetThresholdResolver installs a hook that resolves the live SignerQuorum used
+// to size the fee autofill (see resolveThreshold). Optional; callers that leave
+// it unset get the static threshold passed at construction.
+func (f *WithdrawalFinalizer) SetThresholdResolver(fn func(context.Context) (int, error)) {
+	f.resolveThreshold = fn
 }
 
 var _ core.VaultWithdrawalFinalizer = (*WithdrawalFinalizer)(nil)
@@ -61,6 +74,28 @@ func NewWithdrawalFinalizer(rpcURL, vaultAddress string, threshold int, signer s
 	}, nil
 }
 
+// LiveQuorum returns the vault's current on-chain SignerQuorum. Callers wire it
+// as the ThresholdResolver (and reuse it for the ceremony collect count) so a
+// quorum-raising rotation sizes the fee and quorum against live state rather
+// than the boot-time threshold.
+func (f *WithdrawalFinalizer) LiveQuorum(_ context.Context) (int, error) {
+	_, q, err := fetchLiveSignerList(f.client, f.vaultAddress)
+	return q, err
+}
+
+// feeQuorum returns the SignerQuorum used to size the multi-sign fee: the live
+// value from resolveThreshold when set, else the static threshold.
+func (f *WithdrawalFinalizer) feeQuorum(ctx context.Context) (int, error) {
+	if f.resolveThreshold == nil {
+		return f.threshold, nil
+	}
+	q, err := f.resolveThreshold(ctx)
+	if err != nil {
+		return 0, fmt.Errorf("xrpl: resolve live quorum: %w", err)
+	}
+	return q, nil
+}
+
 // Pack binds a Ticket and builds the autofilled multi-sign Payment, returning
 // its sorted-key JSON.
 func (f *WithdrawalFinalizer) Pack(ctx context.Context, op *core.WithdrawalOp, withdrawalID [32]byte) ([]byte, error) {
@@ -84,7 +119,11 @@ func (f *WithdrawalFinalizer) Pack(ctx context.Context, op *core.WithdrawalOp, w
 	}
 	flatTx := payment.Flatten()
 	flatTx["Sequence"] = uint32(0)
-	if err := f.client.AutofillMultisigned(&flatTx, uint64(f.threshold)); err != nil {
+	quorum, err := f.feeQuorum(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if err := f.client.AutofillMultisigned(&flatTx, uint64(quorum)); err != nil {
 		return nil, fmt.Errorf("xrpl: autofill: %w", err)
 	}
 	flatTx["Sequence"] = uint32(0)