From 7e67bb4c662f191c7a8c4c2cbd32d5637fe2de0d Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Sun, 10 May 2026 17:41:37 +0300
Subject: [PATCH 1/8] feat: implement sandboxing to be used for measuring SVGs;
 add tests

---
 package-lock.json                             |   4 +-
 packages/scratch-svg-renderer/package.json    |  13 +-
 .../scratch-svg-renderer/playwright.config.js |  30 ++
 .../src/sandbox/iframe-html.js                |  76 +++
 .../scratch-svg-renderer/src/sandbox/index.js | 172 +++++++
 .../test/playwright/harness.html              |  11 +
 .../test/playwright/sandbox.spec.js           | 446 ++++++++++++++++++
 7 files changed, 747 insertions(+), 5 deletions(-)
 create mode 100644 packages/scratch-svg-renderer/playwright.config.js
 create mode 100644 packages/scratch-svg-renderer/src/sandbox/iframe-html.js
 create mode 100644 packages/scratch-svg-renderer/src/sandbox/index.js
 create mode 100644 packages/scratch-svg-renderer/test/playwright/harness.html
 create mode 100644 packages/scratch-svg-renderer/test/playwright/sandbox.spec.js

diff --git a/package-lock.json b/package-lock.json
index 5d03c7b427c..1e8472c1ec6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -34980,6 +34980,7 @@
       "dev": true,
       "license": "BSD-2-Clause",
       "optional": true,
+      "peer": true,
       "bin": {
         "uglifyjs": "bin/uglifyjs"
       },
@@ -36795,7 +36796,7 @@
         "react-intl": "6.8.9",
         "react-modal": "3.16.3",
         "react-popover": "0.5.10",
-        "react-redux": "8.1.3",
+        "react-redux": "^8.0.0",
         "react-responsive": "9.0.2",
         "react-style-proptype": "3.2.2",
         "react-tabs": "5.2.0",
@@ -38525,6 +38526,7 @@
       "devDependencies": {
         "@babel/core": "7.29.0",
         "@babel/preset-env": "7.29.3",
+        "@playwright/test": "1.59.1",
         "babel-loader": "9.2.1",
         "canvas": "3.2.3",
         "copy-webpack-plugin": "6.4.1",
diff --git a/packages/scratch-svg-renderer/package.json b/packages/scratch-svg-renderer/package.json
index 48a7668850b..e80b3e8b9f5 100644
--- a/packages/scratch-svg-renderer/package.json
+++ b/packages/scratch-svg-renderer/package.json
@@ -14,10 +14,13 @@
   "license": "AGPL-3.0-only",
   "author": "Massachusetts Institute of Technology",
   "exports": {
-    "webpack": "./src/index.js",
-    "browser": "./dist/web/scratch-svg-renderer.js",
-    "node": "./dist/node/scratch-svg-renderer.js",
-    "default": "./src/index.js"
+    ".": {
+      "webpack": "./src/index.js",
+      "browser": "./dist/web/scratch-svg-renderer.js",
+      "node": "./dist/node/scratch-svg-renderer.js",
+      "default": "./src/index.js"
+    },
+    "./sandbox": "./src/sandbox/index.js"
   },
   "main": "./dist/node/scratch-svg-renderer.js",
   "browser": "./dist/web/scratch-svg-renderer.js",
@@ -37,6 +40,7 @@
     "start": "webpack-dev-server",
     "test": "npm run test:lint && npm run test:unit",
     "test:lint": "eslint",
+    "test:playwright": "playwright test",
     "test:unit": "tap ./test/*.js",
     "watch": "webpack --watch"
   },
@@ -61,6 +65,7 @@
   "devDependencies": {
     "@babel/core": "7.29.0",
     "@babel/preset-env": "7.29.3",
+    "@playwright/test": "1.59.1",
     "babel-loader": "9.2.1",
     "canvas": "3.2.3",
     "copy-webpack-plugin": "6.4.1",
diff --git a/packages/scratch-svg-renderer/playwright.config.js b/packages/scratch-svg-renderer/playwright.config.js
new file mode 100644
index 00000000000..525025df08c
--- /dev/null
+++ b/packages/scratch-svg-renderer/playwright.config.js
@@ -0,0 +1,30 @@
+// @ts-check
+const path = require('path');
+const {pathToFileURL} = require('url');
+const {defineConfig, devices} = require('@playwright/test');
+
+module.exports = defineConfig({
+    testDir: './test/playwright',
+
+    fullyParallel: true,
+    forbidOnly: !!process.env.CI,
+    retries: process.env.CI ? 1 : 0,
+
+    outputDir: 'test-results/playwright-artifacts',
+    reporter: [
+        ['list'],
+        ['html', {outputFolder: 'test-results/playwright-html', open: 'never'}]
+    ],
+
+    use: {
+        baseURL: `${pathToFileURL(path.resolve(__dirname, 'test/playwright'))}/`,
+        trace: 'on-first-retry'
+    },
+
+    projects: [
+        {
+            name: 'chromium',
+            use: {...devices['Desktop Chrome']}
+        }
+    ]
+});
diff --git a/packages/scratch-svg-renderer/src/sandbox/iframe-html.js b/packages/scratch-svg-renderer/src/sandbox/iframe-html.js
new file mode 100644
index 00000000000..57fd2d9ad31
--- /dev/null
+++ b/packages/scratch-svg-renderer/src/sandbox/iframe-html.js
@@ -0,0 +1,76 @@
+/**
+ * HTML template injected into sandboxed iframes via `srcdoc`.
+ *
+ * The iframe receives:
+ *   - A strict Content-Security-Policy via <meta> (default-src 'none';
+ *     script-src 'unsafe-inline' 'unsafe-eval').
+ *   - A runner <script> that:
+ *       1. Waits for `message` events from the parent.
+ *       2. If `__sandbox_script` is present, evaluates it to define
+ *          `window.onSandboxMessage`. The script is sent only with the
+ *          first message; subsequent messages reuse the handler.
+ *       3. Invokes `onSandboxMessage` with the payload and posts the
+ *          result back.
+ *       4. Reports errors back to the parent as `{__sandbox_error: message}`.
+ *
+ * Messages use `__sandbox_payload` / `__sandbox_result`
+ * Batching is the caller's responsibility — pass an array as the payload
+ * and handle it in the `onSandboxMessage` function.
+ *
+ * The caller's script must synchronously assign `window.onSandboxMessage` to a
+ * function that accepts a payload and returns a result (or a Promise of a result).
+ */
+const IFRAME_HTML = `<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval';">
+</head>
+<body>
+<script>
+window.addEventListener('message', function (event) {
+    try {
+        var scriptText = event.data.__sandbox_script;
+        var payload = event.data.__sandbox_payload;
+        var ticket = event.data.__sandbox_ticket;
+
+        // Evaluate the caller's script if provided. The script is sent only
+        // with the first message; subsequent messages reuse the
+        // previously-defined onSandboxMessage handler.
+        if (scriptText != null) {
+            (0, eval)(scriptText);
+        }
+
+        if (typeof window.onSandboxMessage !== 'function') {
+            throw new Error('Script did not define window.onSandboxMessage');
+        }
+
+        // targetOrigin '*' is intentional: this iframe has an opaque origin
+        // (sandbox="allow-scripts" without allow-same-origin), so event.origin
+        // is always 'null' and cannot be used as a reliable targetOrigin across
+        // browsers and serving contexts. The parent-side listener guards with
+        // event.source === iframe.contentWindow, providing the necessary filtering.
+        Promise.resolve(window.onSandboxMessage(payload)).then(function (result) {
+            parent.postMessage({__sandbox_result: result, __sandbox_ticket: ticket}, '*');
+        }).catch(function (err) {
+            parent.postMessage({
+                __sandbox_error: err && err.message || String(err),
+                __sandbox_ticket: ticket
+            }, '*');
+        });
+    } catch (err) {
+        parent.postMessage({
+            __sandbox_error: err && err.message || String(err),
+            __sandbox_ticket: event.data && event.data.__sandbox_ticket
+        }, '*');
+    }
+});
+</script>
+</body>
+</html>`;
+
+// Support both CommonJS (Node / bundler) and plain browser <script> inclusion.
+if (typeof module === 'undefined') {
+    window.IFRAME_HTML = IFRAME_HTML;
+} else {
+    module.exports = {IFRAME_HTML};
+}
diff --git a/packages/scratch-svg-renderer/src/sandbox/index.js b/packages/scratch-svg-renderer/src/sandbox/index.js
new file mode 100644
index 00000000000..fe05090258d
--- /dev/null
+++ b/packages/scratch-svg-renderer/src/sandbox/index.js
@@ -0,0 +1,172 @@
+// Support both CommonJS (Node / bundler) and plain browser <script> inclusion.
+// In browser context, iframe-html.js must be loaded first via a <script> tag
+// so that window.IFRAME_HTML is already defined before this script runs.
+// The entire module body is wrapped in an IIFE, so that top-level `const`
+// declarations don't collide with those in iframe-html.js when both scripts
+// share a single browser page scope.
+(function () {
+    const IFRAME_HTML = typeof module !== 'undefined' ?
+        require('./iframe-html').IFRAME_HTML :
+        window.IFRAME_HTML;
+
+    const DEFAULT_TIMEOUT_MS = 30000;
+
+    /**
+     * A sandboxed iframe that runs caller-provided scripts in an opaque-origin
+     * context. The iframe uses `sandbox="allow-scripts"` without
+     * `allow-same-origin`, giving it an opaque origin that cannot access the
+     * parent's DOM, cookies, or storage. A strict Content-Security-Policy
+     * (`default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval'`) blocks
+     * network requests and external resource loads.
+     *
+     * The iframe is lazily created on the first `send()` call and reused for
+     * all subsequent calls until `destroy()` is called. After `destroy()`, the
+     * next `send()` creates a fresh iframe.
+     */
+    class Sandbox {
+    /**
+     * @param {string} script JavaScript source that must synchronously
+     *     define `window.onSandboxMessage = function (payload) { ... }`.
+     *     The function receives a single structured-cloneable value and
+     *     must return a result (or a Promise of a result).
+     * @param {object} [options] Configuration options.
+     * @param {number} [options.timeoutMs] Per-send timeout in
+     *     milliseconds (default 30000). Set to 0 to disable.
+     */
+        constructor (script, {timeoutMs = DEFAULT_TIMEOUT_MS} = {}) {
+            // Defensive copy so a caller mutating the original string after construction
+            // doesn't affect a sandbox that has already been created but not yet sent.
+            this._script = String(script);
+            this._timeoutMs = timeoutMs;
+            this._iframe = null;
+            this._ready = null;
+            this._onMessage = null;
+            this._pendingTickets = new Map();
+            this._scriptSent = false;
+            this._nextTicket = 1;
+        }
+
+        /**
+         * Lazily create the sandboxed iframe and wait for it to load.
+         * @returns {Promise<void>}
+         */
+        _ensureIframe () {
+            if (this._ready) return this._ready;
+
+            const iframe = document.createElement('iframe');
+            iframe.setAttribute('sandbox', 'allow-scripts');
+            iframe.style.display = 'none';
+            this._iframe = iframe;
+
+            this._onMessage = event => {
+                // The sandboxed iframe (no allow-same-origin) always has an opaque origin,
+                // reported as 'null'. Combined with the source check, this is defense-in-depth.
+                if (event.origin !== 'null') return;
+                if (event.source !== iframe.contentWindow) return;
+                const data = event.data;
+                if (!data || typeof data.__sandbox_ticket === 'undefined') return;
+
+                const pending = this._pendingTickets.get(data.__sandbox_ticket);
+                if (!pending) return;
+
+                this._pendingTickets.delete(data.__sandbox_ticket);
+                if (pending.timeoutId !== null) {
+                    clearTimeout(pending.timeoutId);
+                }
+
+                if (typeof data.__sandbox_error === 'undefined') {
+                    pending.resolve(data.__sandbox_result);
+                } else {
+                    pending.reject(new Error(data.__sandbox_error));
+                }
+            };
+
+            window.addEventListener('message', this._onMessage);
+
+            this._ready = new Promise((resolve, reject) => {
+                iframe.addEventListener('load', () => resolve());
+                // The 'error' event on an iframe element is a generic Event, not
+                // an ErrorEvent — it has no .message property. Use a static message.
+                iframe.addEventListener('error', () => {
+                    reject(new Error('Sandbox iframe failed to load'));
+                });
+            });
+
+            iframe.srcdoc = IFRAME_HTML;
+            document.body.appendChild(iframe);
+
+            return this._ready;
+        }
+
+        /**
+         * Send a payload to the iframe and return the result.
+         *
+         * The payload can be any structured-cloneable value. If you need to
+         * process multiple items in a single round-trip, pass an array as the
+         * payload and handle it in your `onSandboxMessage` function.
+         * @param {object} payload The value to pass to onSandboxMessage.
+         * @returns {Promise<object>} The value returned by onSandboxMessage.
+         */
+        async send (payload) {
+            await this._ensureIframe();
+
+            const ticket = this._nextTicket++;
+            const message = {
+                __sandbox_payload: payload,
+                __sandbox_ticket: ticket
+            };
+
+            if (!this._scriptSent) {
+                message.__sandbox_script = this._script;
+                this._scriptSent = true;
+            }
+
+            return new Promise((resolve, reject) => {
+                let timeoutId = null;
+                if (this._timeoutMs > 0) {
+                    timeoutId = setTimeout(() => {
+                        this._pendingTickets.delete(ticket);
+                        reject(new Error(
+                            `Sandbox: timed out after ${this._timeoutMs}ms`
+                        ));
+                    }, this._timeoutMs);
+                }
+
+                this._pendingTickets.set(ticket, {resolve, reject, timeoutId});
+                this._iframe.contentWindow.postMessage(message, '*');
+            });
+        }
+
+        /**
+         * Tear down the iframe and reject any in-flight calls.
+         * After `destroy()`, the next `send()` lazily creates a fresh iframe.
+         */
+        destroy () {
+            for (const pending of this._pendingTickets.values()) {
+                if (pending.timeoutId !== null) {
+                    clearTimeout(pending.timeoutId);
+                }
+                pending.reject(new Error('Sandbox destroyed'));
+            }
+            this._pendingTickets.clear();
+
+            if (this._onMessage) {
+                window.removeEventListener('message', this._onMessage);
+                this._onMessage = null;
+            }
+
+            if (this._iframe && this._iframe.parentNode) {
+                this._iframe.parentNode.removeChild(this._iframe);
+            }
+            this._iframe = null;
+            this._ready = null;
+            this._scriptSent = false;
+        }
+    }
+
+    if (typeof module === 'undefined') {
+        window.Sandbox = Sandbox;
+    } else {
+        module.exports = {Sandbox};
+    }
+}()); // end IIFE
diff --git a/packages/scratch-svg-renderer/test/playwright/harness.html b/packages/scratch-svg-renderer/test/playwright/harness.html
new file mode 100644
index 00000000000..51ebbfb59b2
--- /dev/null
+++ b/packages/scratch-svg-renderer/test/playwright/harness.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Sandbox Test Harness</title>
+</head>
+<body>
+<script src="../../src/sandbox/iframe-html.js"></script>
+<script src="../../src/sandbox/index.js"></script>
+</body>
+</html>
diff --git a/packages/scratch-svg-renderer/test/playwright/sandbox.spec.js b/packages/scratch-svg-renderer/test/playwright/sandbox.spec.js
new file mode 100644
index 00000000000..a21f6dbe9fc
--- /dev/null
+++ b/packages/scratch-svg-renderer/test/playwright/sandbox.spec.js
@@ -0,0 +1,446 @@
+// @ts-check
+const {test, expect} = require('@playwright/test');
+
+/**
+ * Playwright tests for the Sandbox iframe-host primitive.
+ *
+ * These tests exercise real browser behaviour that jsdom cannot replicate:
+ * opaque-origin enforcement, CSP violations, and iframe lifecycle.
+ */
+
+test.beforeEach(async ({page}) => {
+    await page.goto('harness.html');
+    // Wait for the harness to expose Sandbox on window.
+    await page.waitForFunction(() => typeof window.Sandbox === 'function');
+});
+
+test('basic script execution returns a result', async ({page}) => {
+    const result = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function (p) { return p.a + p.b; }'
+        );
+        try {
+            return await sandbox.send({a: 2, b: 3});
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(result).toBe(5);
+});
+
+test('iframe is removed from DOM after destroy', async ({page}) => {
+    await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { return "done"; }'
+        );
+        await sandbox.send(null);
+        sandbox.destroy();
+    });
+
+    const iframeCount = await page.evaluate(() =>
+        document.querySelectorAll('iframe').length
+    );
+    expect(iframeCount).toBe(0);
+});
+
+test('iframe has opaque origin (window.origin is "null")', async ({page}) => {
+    const origin = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { return window.origin; }'
+        );
+        try {
+            return await sandbox.send(null);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(origin).toBe('null');
+});
+
+test('iframe cannot access parent.location', async ({page}) => {
+    const result = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function () {
+                try {
+                    return parent.location.href;
+                } catch (e) {
+                    return {threw: true, message: e.message};
+                }
+            }
+        `);
+        try {
+            return await sandbox.send(null);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(result).toHaveProperty('threw', true);
+});
+
+test('fetch is blocked by CSP (no connect-src)', async ({page}) => {
+    const result = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = async function () {
+                try {
+                    await fetch('https://example.com');
+                    return {blocked: false};
+                } catch (e) {
+                    return {blocked: true, message: e.message};
+                }
+            }
+        `);
+        try {
+            return await sandbox.send(null);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(result).toHaveProperty('blocked', true);
+});
+
+test('script errors are propagated as rejections', async ({page}) => {
+    const error = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { throw new Error("test error"); }'
+        );
+        try {
+            return await sandbox.send(null).catch(e => ({message: e.message}));
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(error).toHaveProperty('message', 'test error');
+});
+
+test('missing onSandboxMessage definition rejects', async ({page}) => {
+    const error = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            '/* no onSandboxMessage defined */'
+        );
+        try {
+            return await sandbox.send(null).catch(e => ({message: e.message}));
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(error.message).toContain('did not define window.onSandboxMessage');
+});
+
+test('timeout rejects when script never responds', async ({page}) => {
+    const error = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { return new Promise(() => {}); }',
+            {timeoutMs: 500}
+        );
+        try {
+            return await sandbox.send(null).catch(e => ({message: e.message}));
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(error.message).toContain('timed out');
+});
+
+test('async onSandboxMessage is supported', async ({page}) => {
+    const result = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function (p) {
+                return new Promise(function (resolve) {
+                    setTimeout(function () { resolve(p.x * 2); }, 50);
+                });
+            }
+        `);
+        try {
+            return await sandbox.send({x: 21});
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(result).toBe(42);
+});
+
+test('iframe is created with sandbox="allow-scripts" attribute', async ({page}) => {
+    const sandboxAttr = await page.evaluate(async () => {
+        const originalAppendChild = document.body.appendChild.bind(document.body);
+        let capturedSandbox = null;
+        document.body.appendChild = function (node) {
+            if (node.tagName === 'IFRAME') {
+                capturedSandbox = node.getAttribute('sandbox');
+            }
+            return originalAppendChild(node);
+        };
+
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { return true; }'
+        );
+        try {
+            await sandbox.send(null);
+            return capturedSandbox;
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(sandboxAttr).toBe('allow-scripts');
+});
+
+test('iframe srcdoc contains CSP meta tag', async ({page}) => {
+    const srcdoc = await page.evaluate(async () => {
+        const originalAppendChild = document.body.appendChild.bind(document.body);
+        let capturedSrcdoc = null;
+        document.body.appendChild = function (node) {
+            if (node.tagName === 'IFRAME') {
+                capturedSrcdoc = node.srcdoc;
+            }
+            return originalAppendChild(node);
+        };
+
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { return true; }'
+        );
+        try {
+            await sandbox.send(null);
+            return capturedSrcdoc;
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(srcdoc).toContain('Content-Security-Policy');
+    expect(srcdoc).toContain("default-src 'none'");
+    expect(srcdoc).toContain("script-src 'unsafe-inline' 'unsafe-eval'");
+});
+
+// --- Persistent iframe reuse tests ---
+
+test('iframe is reused across send calls', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            var counter = 0;
+            window.onSandboxMessage = function () {
+                counter++;
+                return counter;
+            };
+        `);
+        try {
+            const r1 = await sandbox.send(null);
+            const r2 = await sandbox.send(null);
+            const r3 = await sandbox.send(null);
+            return [r1, r2, r3];
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    // Counter increments across calls within the same iframe context.
+    expect(results).toEqual([1, 2, 3]);
+});
+
+test('script is evaluated only once', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            if (!window.__evalCount) window.__evalCount = 0;
+            window.__evalCount++;
+            window.onSandboxMessage = function () {
+                return window.__evalCount;
+            };
+        `);
+        try {
+            const r1 = await sandbox.send(null);
+            const r2 = await sandbox.send(null);
+            return [r1, r2];
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    // Script only evaluated once, so __evalCount stays at 1.
+    expect(results).toEqual([1, 1]);
+});
+
+test('destroy removes iframe from DOM', async ({page}) => {
+    const iframeCount = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { return true; }'
+        );
+        await sandbox.send(null);
+        sandbox.destroy();
+        return document.querySelectorAll('iframe').length;
+    });
+    expect(iframeCount).toBe(0);
+});
+
+test('destroy rejects in-flight calls', async ({page}) => {
+    const error = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(
+            'window.onSandboxMessage = function () { return new Promise(() => {}); }'
+        );
+        const pending = sandbox.send(null).catch(e => ({message: e.message}));
+        // Give the iframe time to start loading.
+        await new Promise(resolve => setTimeout(resolve, 100));
+        sandbox.destroy();
+        return pending;
+    });
+    expect(error.message).toContain('Sandbox destroyed');
+});
+
+test('is recreated after destroy', async ({page}) => {
+    const result = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            var count = 0;
+            window.onSandboxMessage = function () { return ++count; };
+        `);
+        await sandbox.send(null); // returns 1 on first iframe
+        sandbox.destroy();
+        // After destroy, the next send creates a fresh iframe with count at 0.
+        return sandbox.send(null); // fresh iframe: returns 1
+    });
+    expect(result).toBe(1);
+});
+
+test('multiple concurrent sends resolve independently', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function (p) {
+                return new Promise(function (resolve) {
+                    setTimeout(function () { resolve(p.id); }, p.delay);
+                });
+            }
+        `);
+        try {
+            return await Promise.all([
+                sandbox.send({id: 'a', delay: 80}),
+                sandbox.send({id: 'b', delay: 10}),
+                sandbox.send({id: 'c', delay: 40})
+            ]);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(results).toEqual(['a', 'b', 'c']);
+});
+
+// --- Array payloads (batch-style processing) ---
+
+test('array payload: processes all items in one round-trip', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function (items) {
+                return items.map(function (x) { return x * 2; });
+            }
+        `);
+        try {
+            return await sandbox.send([1, 2, 3, 4, 5]);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(results).toEqual([2, 4, 6, 8, 10]);
+});
+
+test('array payload: preserves order with async handlers', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function (items) {
+                return Promise.all(items.map(function (p) {
+                    return new Promise(function (resolve) {
+                        setTimeout(function () { resolve(p.id); }, p.delay);
+                    });
+                }));
+            }
+        `);
+        try {
+            return await sandbox.send([
+                {id: 'slow', delay: 80},
+                {id: 'fast', delay: 10},
+                {id: 'medium', delay: 40}
+            ]);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(results).toEqual(['slow', 'fast', 'medium']);
+});
+
+test('array payload: rejects if handler throws', async ({page}) => {
+    const error = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function (items) {
+                return Promise.all(items.map(function (p) {
+                    if (p === 'bad') throw new Error('payload failed');
+                    return p;
+                }));
+            }
+        `);
+        try {
+            return await sandbox.send(['ok', 'bad', 'ok']).catch(e => ({message: e.message}));
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(error.message).toContain('payload failed');
+});
+
+test('array payload: empty array returns empty results', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function (items) {
+                return items.map(function (x) { return x; });
+            }
+        `);
+        try {
+            return await sandbox.send([]);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(results).toEqual([]);
+});
+
+// --- Performance comparison test ---
+test('reused sandbox is faster than creating a new one per call', async ({page}) => {
+    const {freshMs, reusedMs, batchMs} = await page.evaluate(async () => {
+        const ITERATIONS = 500;
+        const BATCH_SIZE = 20;
+        const script = 'window.onSandboxMessage = function (p) { return p * 2; }';
+        const batchScript = `window.onSandboxMessage = function (items) {
+            return items.map(function (x) { return x * 2; });
+        }`;
+
+        // Fresh sandbox per call: create + send + destroy each time.
+        const freshStart = performance.now();
+        for (let i = 0; i < ITERATIONS; i++) {
+            const sb = new window.Sandbox(script);
+            await sb.send(i);
+            sb.destroy();
+        }
+        const freshEnd = performance.now();
+
+        // Reused: one sandbox, N sequential single-item sends.
+        const reusedStart = performance.now();
+        const sandbox = new window.Sandbox(script);
+        for (let i = 0; i < ITERATIONS; i++) {
+            await sandbox.send(i);
+        }
+        sandbox.destroy();
+        const reusedEnd = performance.now();
+
+        // Batch: one sandbox, sends BATCH_SIZE items per round-trip.
+        const batchStart = performance.now();
+        const sandbox2 = new window.Sandbox(batchScript);
+        for (let i = 0; i < ITERATIONS; i += BATCH_SIZE) {
+            const chunk = Array.from({length: BATCH_SIZE}, (_, j) => i + j);
+            await sandbox2.send(chunk);
+        }
+        sandbox2.destroy();
+        const batchEnd = performance.now();
+
+        return {
+            freshMs: freshEnd - freshStart,
+            reusedMs: reusedEnd - reusedStart,
+            batchMs: batchEnd - batchStart
+        };
+    });
+
+    // Reused sandbox should be substantially faster than creating a fresh iframe per call.
+    expect(reusedMs * 1.5).toBeLessThan(freshMs);
+    // Batch sends ITERATIONS/BATCH_SIZE round-trips instead of ITERATIONS,
+    // so it must be faster than sequential sends.
+    expect(batchMs * 1.5).toBeLessThan(reusedMs);
+});

From 116301e0fbe3d247d3acc97cc9a5a8f87f3ba5ea Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Mon, 11 May 2026 16:41:24 +0300
Subject: [PATCH 2/8] feat: add canonicalize-svg method

---
 package-lock.json                             |  87 ++++-
 .../scratch-svg-renderer/eslint.config.mjs    |  13 +
 packages/scratch-svg-renderer/package.json    |   1 +
 .../src/canonicalize-svg.js                   | 228 ++++++++++++
 packages/scratch-svg-renderer/src/index.js    |   2 +
 .../scratch-svg-renderer/src/sandbox/index.js |   6 +-
 .../scratch-svg-renderer/src/sanitize-svg.js  |  91 +----
 .../src/util/svg-url-helpers.js               | 122 +++++++
 .../test/canonicalize-svg.js                  | 330 ++++++++++++++++++
 .../snapshots/cat-costume.canonicalized.png   | Bin 0 -> 35354 bytes
 .../test/snapshots/cat-costume.sanitized.png  | Bin 35360 -> 35354 bytes
 .../scratch-svg-renderer/webpack.config.js    |   2 +-
 12 files changed, 779 insertions(+), 103 deletions(-)
 create mode 100644 packages/scratch-svg-renderer/src/canonicalize-svg.js
 create mode 100644 packages/scratch-svg-renderer/src/util/svg-url-helpers.js
 create mode 100644 packages/scratch-svg-renderer/test/canonicalize-svg.js
 create mode 100644 packages/scratch-svg-renderer/test/snapshots/cat-costume.canonicalized.png

diff --git a/package-lock.json b/package-lock.json
index 1e8472c1ec6..6a1332d6062 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12242,7 +12242,6 @@
     },
     "node_modules/boolbase": {
       "version": "1.0.0",
-      "dev": true,
       "license": "ISC"
     },
     "node_modules/bottleneck": {
@@ -14149,7 +14148,6 @@
     },
     "node_modules/css-select": {
       "version": "5.2.2",
-      "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
         "boolbase": "^1.0.0",
@@ -14184,7 +14182,6 @@
     },
     "node_modules/css-what": {
       "version": "6.2.2",
-      "dev": true,
       "license": "BSD-2-Clause",
       "engines": {
         "node": ">= 6"
@@ -14208,6 +14205,39 @@
         "node": ">=4"
       }
     },
+    "node_modules/csso": {
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/csso/-/csso-5.0.5.tgz",
+      "integrity": "sha512-0LrrStPOdJj+SPCCrGhzryycLjwcgUSHBtxNA8aIDxf0GLsRh1cKYhB00Gd1lDOS4yGH69+SNn13+TWbVHETFQ==",
+      "license": "MIT",
+      "dependencies": {
+        "css-tree": "~2.2.0"
+      },
+      "engines": {
+        "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0",
+        "npm": ">=7.0.0"
+      }
+    },
+    "node_modules/csso/node_modules/css-tree": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-2.2.1.tgz",
+      "integrity": "sha512-OA0mILzGc1kCOCSJerOeqDxDQ4HOh+G8NbOJFOTgOCzpw7fCBubk0fEyxp8AgOL/jvLgYA/uV0cMbe43ElF1JA==",
+      "license": "MIT",
+      "dependencies": {
+        "mdn-data": "2.0.28",
+        "source-map-js": "^1.0.1"
+      },
+      "engines": {
+        "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0",
+        "npm": ">=7.0.0"
+      }
+    },
+    "node_modules/csso/node_modules/mdn-data": {
+      "version": "2.0.28",
+      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.0.28.tgz",
+      "integrity": "sha512-aylIc7Z9y4yzHYAJNuESG3hfhC+0Ibp/MAMiaOZgNv4pmEdFyfZhhhny4MNiAfWdBQ1RQ2mfDWmM1x8SvGyp8g==",
+      "license": "CC0-1.0"
+    },
     "node_modules/cssom": {
       "version": "0.3.8",
       "dev": true,
@@ -14678,7 +14708,6 @@
     },
     "node_modules/dom-serializer": {
       "version": "2.0.0",
-      "dev": true,
       "license": "MIT",
       "dependencies": {
         "domelementtype": "^2.3.0",
@@ -14694,7 +14723,6 @@
     },
     "node_modules/domelementtype": {
       "version": "2.3.0",
-      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -14713,7 +14741,6 @@
     },
     "node_modules/domhandler": {
       "version": "5.0.3",
-      "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
         "domelementtype": "^2.3.0"
@@ -14734,7 +14761,6 @@
     },
     "node_modules/domutils": {
       "version": "3.2.2",
-      "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
         "dom-serializer": "^2.0.0",
@@ -14885,7 +14911,6 @@
     },
     "node_modules/entities": {
       "version": "4.5.0",
-      "dev": true,
       "license": "BSD-2-Clause",
       "engines": {
         "node": ">=0.12"
@@ -27411,7 +27436,6 @@
     },
     "node_modules/nth-check": {
       "version": "2.1.1",
-      "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
         "boolbase": "^1.0.0"
@@ -31037,9 +31061,13 @@
       "license": "MIT"
     },
     "node_modules/sax": {
-      "version": "1.4.3",
-      "dev": true,
-      "license": "BlueOak-1.0.0"
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/sax/-/sax-1.6.0.tgz",
+      "integrity": "sha512-6R3J5M4AcbtLUdZmRv2SygeVaM7IhrLXu9BmnOGmmACak8fiUtOsYNWUS4uK7upbmHIBbLBeFeI//477BKLBzA==",
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": ">=11.0.0"
+      }
     },
     "node_modules/saxes": {
       "version": "3.1.11",
@@ -33250,6 +33278,40 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/svgo": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/svgo/-/svgo-4.0.1.tgz",
+      "integrity": "sha512-XDpWUOPC6FEibaLzjfe0ucaV0YrOjYotGJO1WpF0Zd+n6ZGEQUsSugaoLq9QkEZtAfQIxT42UChcssDVPP3+/w==",
+      "license": "MIT",
+      "dependencies": {
+        "commander": "^11.1.0",
+        "css-select": "^5.1.0",
+        "css-tree": "^3.0.1",
+        "css-what": "^6.1.0",
+        "csso": "^5.0.5",
+        "picocolors": "^1.1.1",
+        "sax": "^1.5.0"
+      },
+      "bin": {
+        "svgo": "bin/svgo.js"
+      },
+      "engines": {
+        "node": ">=16"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/svgo"
+      }
+    },
+    "node_modules/svgo/node_modules/commander": {
+      "version": "11.1.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",
+      "integrity": "sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16"
+      }
+    },
     "node_modules/symbol-tree": {
       "version": "3.2.4",
       "license": "MIT"
@@ -38520,6 +38582,7 @@
         "css-tree": "3.2.1",
         "fastestsmallesttextencoderdecoder": "1.0.22",
         "isomorphic-dompurify": "2.36.0",
+        "svgo": "^4.0.1",
         "transformation-matrix": "1.15.3",
         "tslog": "4.10.2"
       },
diff --git a/packages/scratch-svg-renderer/eslint.config.mjs b/packages/scratch-svg-renderer/eslint.config.mjs
index c816685ea7d..638a7de215a 100644
--- a/packages/scratch-svg-renderer/eslint.config.mjs
+++ b/packages/scratch-svg-renderer/eslint.config.mjs
@@ -16,11 +16,24 @@ export default eslintConfigScratch.defineConfig(
             '*.{,c,m}js', // for example, webpack.config.js
             'test/**/*.{,c,m}js'
         ],
+        ignores: ['test/playwright/**/*.{,c,m}js'],
         extends: [eslintConfigScratch.legacy.node],
         languageOptions: {
             globals: globals.node
         }
     },
+    {
+        // Playwright test files run in Node but contain page.evaluate() callbacks
+        // that reference browser globals (window, document) executed in Chromium.
+        files: ['test/playwright/**/*.{,c,m}js'],
+        extends: [eslintConfigScratch.legacy.node],
+        languageOptions: {
+            globals: {
+                ...globals.node,
+                ...globals.browser
+            }
+        }
+    },
     globalIgnores([
         'dist/**/*',
         'node_modules/**/*',
diff --git a/packages/scratch-svg-renderer/package.json b/packages/scratch-svg-renderer/package.json
index e80b3e8b9f5..501cf9dd7f8 100644
--- a/packages/scratch-svg-renderer/package.json
+++ b/packages/scratch-svg-renderer/package.json
@@ -59,6 +59,7 @@
     "css-tree": "3.2.1",
     "fastestsmallesttextencoderdecoder": "1.0.22",
     "isomorphic-dompurify": "2.36.0",
+    "svgo": "^4.0.1",
     "transformation-matrix": "1.15.3",
     "tslog": "4.10.2"
   },
diff --git a/packages/scratch-svg-renderer/src/canonicalize-svg.js b/packages/scratch-svg-renderer/src/canonicalize-svg.js
new file mode 100644
index 00000000000..333e8fdf8f9
--- /dev/null
+++ b/packages/scratch-svg-renderer/src/canonicalize-svg.js
@@ -0,0 +1,228 @@
+/**
+ * Canonicalize SVG text using SVGO 4 with a security-focused, deny-by-default
+ * plugin set.  Strips dangerous elements, attributes, and external references
+ * while preserving visual fidelity.
+ */
+
+const {ident} = require('css-tree/utils');
+const {
+    cssHasExternalUrls, filterCssText, isInternalRef, rawTextHasExternalUrls
+} = require('./util/svg-url-helpers');
+
+// Cache the SVGO module after first dynamic import.
+let _svgoPromise = null;
+const getSvgo = () => {
+    if (!_svgoPromise) {
+        _svgoPromise = import('svgo/browser');
+    }
+    return _svgoPromise;
+};
+
+/**
+ * Strip declarations with external url() references from a CSS declaration
+ * list string (used for style attributes).  Returns the cleaned string, or
+ * an empty string if everything was removed.
+ * @param {string} cssText raw CSS declaration list.
+ * @returns {string} cleaned CSS text.
+ */
+const stripExternalUrlDeclarations = cssText => {
+    try {
+        return filterCssText(cssText, 'declarationList');
+    } catch {
+        // Unparseable CSS — strip entirely rather than risk external loads.
+        return rawTextHasExternalUrls(ident.decode(cssText)) ? '' : cssText;
+    }
+};
+
+// ── Element / attribute classification ─────────────────────────────────────
+
+/** Elements removed entirely (children discarded). */
+const REMOVE_ELEMENTS = new Set([
+    'script',
+    'foreignObject',
+    'foreignobject', // case-normalized variant
+    // SVG animation elements
+    'animate',
+    'animateMotion',
+    'animateTransform',
+    'animateColor',
+    'set'
+]);
+
+/** Elements whose wrapper is removed but children are preserved. */
+const UNWRAP_ELEMENTS = new Set(['a']);
+
+/** Attributes that carry a direct URI reference. */
+const URI_ATTRS = new Set(['href', 'xlink:href']);
+
+/**
+ * Normalize an attribute name for security checks.
+ *
+ * Applies NFKC to collapse full-width and other compatibility equivalents
+ * (e.g. ｏｎclick → onclick), then strips U+200C (ZWNJ) and U+200D (ZWJ),
+ * which are valid XML name characters and can be embedded invisibly to break
+ * naive prefix checks (e.g. on\u200Cclick).  All legitimate SVG attribute
+ * names are pure ASCII so these transformations produce no false positives.
+ * @param {string} name raw attribute name from the parsed SVG AST.
+ * @returns {string} normalized attribute name.
+ */
+const normalizeAttrName = name =>
+    name.normalize('NFKC').replace(/[\u200C\u200D]/g, '');
+
+const isEventHandler = name => /^on/i.test(normalizeAttrName(name));
+
+// ── SVGO custom plugins ───────────────────────────────────────────────────
+
+/**
+ * Remove dangerous elements (script, foreignObject, animation) and unwrap
+ * anchor elements (preserve children, drop the <a> wrapper).
+ */
+const removeDangerousElements = {
+    name: 'removeDangerousElements',
+    fn: () => ({
+        element: {
+            enter: (node, parentNode) => {
+                if (REMOVE_ELEMENTS.has(node.name)) {
+                    parentNode.children = parentNode.children.filter(
+                        child => child !== node
+                    );
+                    return;
+                }
+                if (UNWRAP_ELEMENTS.has(node.name)) {
+                    parentNode.children = parentNode.children.flatMap(
+                        child => (child === node ? node.children : [child])
+                    );
+                }
+            }
+        }
+    })
+};
+
+/**
+ * Remove event-handler attributes (on*) and external href / xlink:href
+ * references.  Strip individual external-url declarations from style
+ * attributes; remove presentation attributes that reference external URLs.
+ */
+const removeDangerousAttributes = {
+    name: 'removeDangerousAttributes',
+    fn: () => ({
+        element: {
+            enter: node => {
+                for (const attr of Object.keys(node.attributes)) {
+                    const normalizedAttr = normalizeAttrName(attr);
+                    if (isEventHandler(attr)) {
+                        delete node.attributes[attr];
+                        continue;
+                    }
+
+                    // Direct URI attributes (href, xlink:href)
+                    if (URI_ATTRS.has(normalizedAttr)) {
+                        const val = node.attributes[attr];
+                        if (val && !isInternalRef(val.replace(/\s/g, ''))) {
+                            delete node.attributes[attr];
+                        }
+                        continue;
+                    }
+
+                    // style attribute — strip only the offending declarations
+                    if (normalizedAttr === 'style') {
+                        const cleaned = stripExternalUrlDeclarations(
+                            node.attributes.style
+                        );
+                        if (cleaned) {
+                            node.attributes.style = cleaned;
+                        } else {
+                            delete node.attributes.style;
+                        }
+                        continue;
+                    }
+
+                    // Presentation attributes that might carry url()
+                    const val = node.attributes[attr];
+                    if (val && /url\s*\(/i.test(val) &&
+                        cssHasExternalUrls(val, 'value')) {
+                        delete node.attributes[attr];
+                    }
+                }
+            }
+        }
+    })
+};
+
+// ── Plugin pipeline ────────────────────────────────────────────────────────
+
+/**
+ * Deny-by-default plugin list.  Order matters:
+ * 1. Inline styles from <style> before removing <style> elements.
+ * 2. Remove <style>, <script>, and other dangerous elements.
+ * 3. Strip dangerous attributes and external references.
+ * 4. Cleanup metadata, comments, doctypes.
+ * 5. Sort attributes for deterministic (fixed-point) output.
+ */
+const CANONICALIZE_PLUGINS = [
+    // Inline CSS from <style> into element style attributes so visual
+    // appearance is preserved when we remove <style> elements next.
+    {
+        name: 'inlineStyles',
+        params: {
+            onlyMatchedOnce: false,
+            removeMatchedSelectors: true
+        }
+    },
+    'removeStyleElement',
+    'removeScripts',
+    removeDangerousElements,
+    removeDangerousAttributes,
+    'removeDoctype',
+    'removeXMLProcInst',
+    'removeComments',
+    'removeMetadata',
+    'removeEditorsNSData',
+    'sortAttrs'
+];
+
+// ── Public API ─────────────────────────────────────────────────────────────
+
+/**
+ * Canonicalize an SVG string for safe consumption.
+ *
+ * Uses SVGO 4 with a deny-by-default plugin set that strips:
+ * - `<script>`, `<style>`, `<foreignObject>`, `<a>`, animation elements
+ * - Event-handler attributes (on*)
+ * - External `href` / `xlink:href` references
+ * - External CSS `url()` references
+ *
+ * The output is a fixed point: canonicalize(canonicalize(x)) === canonicalize(x).
+ *
+ * Async because SVGO 4's browser-safe bundle is ESM-only; dynamic import()
+ * resolves cleanly under both Node and webpack.
+ * @param {string} svgText raw SVG string.
+ * @returns {Promise<string>} canonicalized SVG string.
+ */
+const canonicalizeSvgText = async svgText => {
+    const {optimize} = await getSvgo();
+
+    try {
+        const result = optimize(svgText, {
+            multipass: true,
+            plugins: CANONICALIZE_PLUGINS
+        });
+        return result.data;
+    } catch (e) {
+        // SVGO's SAX parser is stricter than browser DOMParser and rejects
+        // some real-world SVGs (Illustrator custom entities, intentionally
+        // malformed attack inputs, etc.).  Return the input unchanged so
+        // downstream layers (sanitizeSvgText / the iframe sandbox) still
+        // get a chance to process it.
+
+        // TODO: Would we want to deny this SVG entirely, instead of letting it passthrough?
+
+        // eslint-disable-next-line no-console
+        console.warn(
+            `canonicalizeSvgText: SVGO could not parse input (${e.reason || e.message}); returning unmodified`
+        );
+        return svgText;
+    }
+};
+
+module.exports = canonicalizeSvgText;
diff --git a/packages/scratch-svg-renderer/src/index.js b/packages/scratch-svg-renderer/src/index.js
index 5a6c636e23a..d0d73371d86 100644
--- a/packages/scratch-svg-renderer/src/index.js
+++ b/packages/scratch-svg-renderer/src/index.js
@@ -1,5 +1,6 @@
 const SVGRenderer = require('./svg-renderer');
 const BitmapAdapter = require('./bitmap-adapter');
+const canonicalizeSvgText = require('./canonicalize-svg');
 const inlineSvgFonts = require('./font-inliner');
 const loadSvgString = require('./load-svg-string');
 const sanitizeSvg = require('./sanitize-svg');
@@ -12,6 +13,7 @@ const convertFonts = require('./font-converter');
 //  */
 module.exports = {
     BitmapAdapter: BitmapAdapter,
+    canonicalizeSvgText: canonicalizeSvgText,
     convertFonts: convertFonts,
     inlineSvgFonts: inlineSvgFonts,
     loadSvgString: loadSvgString,
diff --git a/packages/scratch-svg-renderer/src/sandbox/index.js b/packages/scratch-svg-renderer/src/sandbox/index.js
index fe05090258d..8dd5a52c5ea 100644
--- a/packages/scratch-svg-renderer/src/sandbox/index.js
+++ b/packages/scratch-svg-renderer/src/sandbox/index.js
@@ -5,9 +5,9 @@
 // declarations don't collide with those in iframe-html.js when both scripts
 // share a single browser page scope.
 (function () {
-    const IFRAME_HTML = typeof module !== 'undefined' ?
-        require('./iframe-html').IFRAME_HTML :
-        window.IFRAME_HTML;
+    const IFRAME_HTML = typeof module === 'undefined' ?
+        window.IFRAME_HTML :
+        require('./iframe-html').IFRAME_HTML;
 
     const DEFAULT_TIMEOUT_MS = 30000;
 
diff --git a/packages/scratch-svg-renderer/src/sanitize-svg.js b/packages/scratch-svg-renderer/src/sanitize-svg.js
index a8cdb96d8b1..2aec93b72b4 100644
--- a/packages/scratch-svg-renderer/src/sanitize-svg.js
+++ b/packages/scratch-svg-renderer/src/sanitize-svg.js
@@ -3,75 +3,11 @@
  * as possible
  */
 const fixupSvgString = require('./fixup-svg-string');
-const {generate, parse, walk} = require('css-tree');
-const {ident} = require('css-tree/utils');
 const DOMPurify = require('isomorphic-dompurify');
+const {cssHasExternalUrls, filterCssText, isInternalRef} = require('./util/svg-url-helpers');
 
 const sanitizeSvg = {};
 
-const isInternalRef = ref => ref.startsWith('#') || ref.toLowerCase().startsWith('data:');
-
-/**
- * Check if raw CSS text contains an external url() reference via regex.
- * Used for Raw nodes (e.g. custom property values) that css-tree doesn't fully parse.
- * @param {string} text - raw CSS text to check
- * @returns {boolean} true if an external url() reference was found
- */
-const rawTextHasExternalUrls = text => {
-    const normalized = text.toLowerCase().replace(/\s/g, '');
-    const urlPattern = /url\((.+?)\)/g;
-    let match;
-    while ((match = urlPattern.exec(normalized)) !== null) {
-        const ref = match[1].replace(/['"]/g, '');
-        if (!isInternalRef(ref)) return true;
-    }
-    return false;
-};
-
-/**
- * Walk a css-tree AST and return true if any Url node references an external resource.
- * Also checks Raw nodes, which css-tree produces for custom property values and other
- * unparsed content that could still contain url() references.
- * @param {import('css-tree').CssNode} ast - The CSS tree or subtree to walk
- * @returns {boolean} True if an external url() reference was found
- */
-const astHasExternalUrls = ast => {
-    let found = false;
-    walk(ast, node => {
-        if (node.type === 'Url') {
-            const urlValue = node.value.trim().replace(/['"]/g, '');
-            if (!isInternalRef(urlValue)) {
-                found = true;
-            }
-        }
-        if (node.type === 'Raw' && rawTextHasExternalUrls(node.value)) {
-            found = true;
-        }
-    });
-    return found;
-};
-
-/**
- * Canonicalize a CSS string and check it for external url() references.
- * Canonicalization: decode CSS escapes, then parse through css-tree so that all syntax
- * variations (quoting, whitespace, comments, escapes) are normalized into AST nodes.
- * @param {string} cssText - raw CSS text
- * @param {string} parseContext - css-tree parse context: 'value' for a single CSS value
- *   (presentation attributes like fill, stroke), or 'declarationList' for style attributes.
- * @returns {boolean} true if an external url() reference was found
- */
-const cssHasExternalUrls = (cssText, parseContext) => {
-    const decoded = ident.decode(cssText);
-    try {
-        return astHasExternalUrls(parse(decoded, {context: parseContext}));
-    } catch {
-        // If css-tree can't parse it, conservatively check the decoded text.
-        // This handles edge cases where creative syntax breaks the parser but
-        // a browser might still interpret a url() call.
-        return rawTextHasExternalUrls(decoded);
-    }
-};
-
 // Attributes that directly reference a URI (not via CSS url())
 const URI_ATTRIBUTES = new Set(['href', 'xlink:href']);
 
@@ -107,28 +43,9 @@ DOMPurify.addHook(
     (node, data) => {
         if (data.tagName === 'style') {
             try {
-                // Canonicalize: decode CSS escapes then parse, so css-tree sees
-                // normalized tokens (e.g. \75\72\6c becomes url).
-                const decodedCss = ident.decode(node.textContent);
-                const ast = parse(decodedCss);
-                let isModified = decodedCss !== node.textContent;
-
-                walk(ast, (astNode, item, list) => {
-                    // @import rules
-                    if (astNode.type === 'Atrule' && astNode.name.toLowerCase() === 'import') {
-                        list.remove(item);
-                        isModified = true;
-                    }
-
-                    // Declarations using url(...) for external resources
-                    if (astNode.type === 'Declaration' && astNode.value && astHasExternalUrls(astNode.value)) {
-                        list.remove(item);
-                        isModified = true;
-                    }
-                });
-
-                if (isModified) {
-                    node.textContent = generate(ast);
+                const cleaned = filterCssText(node.textContent, null, {removeImports: true});
+                if (cleaned !== node.textContent) {
+                    node.textContent = cleaned;
                 }
             } catch {
                 // If CSS parsing fails, remove the style content entirely
diff --git a/packages/scratch-svg-renderer/src/util/svg-url-helpers.js b/packages/scratch-svg-renderer/src/util/svg-url-helpers.js
new file mode 100644
index 00000000000..3e5b70b7c65
--- /dev/null
+++ b/packages/scratch-svg-renderer/src/util/svg-url-helpers.js
@@ -0,0 +1,122 @@
+/**
+ * Shared helpers for detecting and filtering external URL references in SVG
+ * attributes and CSS.
+ */
+
+const {generate, parse, walk} = require('css-tree');
+const {ident} = require('css-tree/utils');
+
+/**
+ * Return true if a URL string is an internal document reference (fragment) or
+ * a data URI.  Everything else is considered external.
+ * @param {string} ref URL string to test.
+ * @returns {boolean} true if the ref is a fragment identifier or data URI.
+ */
+const isInternalRef = ref =>
+    ref.startsWith('#') || ref.toLowerCase().startsWith('data:');
+
+/**
+ * Check if raw CSS text contains an external url() reference via regex.
+ * Used for Raw nodes (e.g. custom property values) that css-tree doesn't
+ * fully parse.
+ * @param {string} text raw CSS text to check.
+ * @returns {boolean} true if an external url() reference was found.
+ */
+const rawTextHasExternalUrls = text => {
+    const normalized = text.toLowerCase().replace(/\s/g, '');
+    const urlPattern = /url\((.+?)\)/g;
+    let match;
+    while ((match = urlPattern.exec(normalized)) !== null) {
+        const ref = match[1].replace(/['"]/g, '');
+        if (!isInternalRef(ref)) return true;
+    }
+    return false;
+};
+
+/**
+ * Walk a css-tree AST and return true if any Url node references an external
+ * resource.  Also checks Raw nodes, which css-tree produces for custom
+ * property values and other unparsed content that could still contain url()
+ * references.
+ * @param {import('css-tree').CssNode} ast css-tree AST node.
+ * @returns {boolean} true if an external url() reference was found.
+ */
+const astHasExternalUrls = ast => {
+    let found = false;
+    walk(ast, node => {
+        if (node.type === 'Url') {
+            const urlValue = node.value.trim().replace(/['"]/g, '');
+            if (!isInternalRef(urlValue)) {
+                found = true;
+            }
+        }
+        if (node.type === 'Raw' && rawTextHasExternalUrls(node.value)) {
+            found = true;
+        }
+    });
+    return found;
+};
+
+/**
+ * Canonicalize a CSS string and check it for external url() references.
+ * Decodes CSS escapes then parses through css-tree so that all syntax
+ * variations (quoting, whitespace, comments, escapes) are normalized into AST
+ * nodes.
+ * @param {string} cssText raw CSS text.
+ * @param {string} parseContext css-tree parse context: 'value' for a single
+ *   CSS value (presentation attributes like fill, stroke), or
+ *   'declarationList' for style attributes.
+ * @returns {boolean} true if an external url() reference was found.
+ */
+const cssHasExternalUrls = (cssText, parseContext) => {
+    const decoded = ident.decode(cssText);
+    try {
+        return astHasExternalUrls(parse(decoded, {context: parseContext}));
+    } catch {
+        // If css-tree can't parse it, conservatively check the decoded text.
+        // This handles edge cases where creative syntax breaks the parser but
+        // a browser might still interpret a url() call.
+        return rawTextHasExternalUrls(decoded);
+    }
+};
+
+/**
+ * Parse a CSS string, remove external-URL declarations and optionally
+ * `@import` rules, and return the cleaned string.  Decodes CSS escapes before
+ * parsing so that obfuscated references (e.g. `\75\72\6c(…)`) are caught.
+ *
+ * Throws if css-tree cannot parse the input — callers are responsible for
+ * handling parse errors according to their own security policy.
+ * @param {string} cssText raw CSS text.
+ * @param {string|null} parseContext css-tree parse context ('declarationList',
+ *   'value', etc.).  Pass null for a full stylesheet parse.
+ * @param {object} [options] filtering options.
+ * @param {boolean} [options.removeImports] also remove CSS `@import` rules.
+ * @returns {string} cleaned CSS text.
+ */
+const filterCssText = (cssText, parseContext, {removeImports = false} = {}) => {
+    const decoded = ident.decode(cssText);
+    const ast = parse(decoded, parseContext ? {context: parseContext} : {});
+    let modified = decoded !== cssText;
+    walk(ast, (node, item, list) => {
+        if (removeImports && node.type === 'Atrule' &&
+            node.name.toLowerCase() === 'import') {
+            list.remove(item);
+            modified = true;
+        }
+        if (node.type === 'Declaration' && node.value &&
+            astHasExternalUrls(node.value)) {
+            list.remove(item);
+            modified = true;
+        }
+    });
+    return modified ? generate(ast) : cssText;
+};
+
+module.exports = {
+    astHasExternalUrls,
+    cssHasExternalUrls,
+    filterCssText,
+    isInternalRef,
+    rawTextHasExternalUrls
+};
diff --git a/packages/scratch-svg-renderer/test/canonicalize-svg.js b/packages/scratch-svg-renderer/test/canonicalize-svg.js
new file mode 100644
index 00000000000..3a7b8fb1180
--- /dev/null
+++ b/packages/scratch-svg-renderer/test/canonicalize-svg.js
@@ -0,0 +1,330 @@
+/**
+ * Three assertion groups:
+ *
+ *   1. Security: attack-shaped inputs come back without their dangerous parts.
+ *   2. Visual fidelity: legitimate inputs render to identical pixels before and
+ *      after canonicalization (same canvas + pixel-diff machinery as
+ *      visual-fidelity.js).
+ *   3. Fixed point: canonicalize(canonicalize(x)) === canonicalize(x).
+ */
+
+const test = require('tap').test;
+const fs = require('fs');
+const path = require('path');
+const {createCanvas, loadImage} = require('canvas');
+
+const canonicalizeSvgText = require('../src/canonicalize-svg');
+
+const FIXTURE_DIR = path.resolve(__dirname, './fixtures');
+const SNAPSHOT_DIR = path.resolve(__dirname, './snapshots');
+const RENDER_WIDTH = 200;
+const RENDER_HEIGHT = 200;
+const PIXEL_DIFF_TOLERANCE = 0;
+
+// ── Rendering helpers (shared shape with visual-fidelity.js) ───────────────
+
+const renderToCanvas = async svgString => {
+    const image = await loadImage(Buffer.from(svgString, 'utf8'));
+    const canvas = createCanvas(RENDER_WIDTH, RENDER_HEIGHT);
+    const ctx = canvas.getContext('2d');
+    ctx.clearRect(0, 0, RENDER_WIDTH, RENDER_HEIGHT);
+    const scale = Math.min(RENDER_WIDTH / image.width, RENDER_HEIGHT / image.height);
+    const drawWidth = image.width * scale;
+    const drawHeight = image.height * scale;
+    const dx = (RENDER_WIDTH - drawWidth) / 2;
+    const dy = (RENDER_HEIGHT - drawHeight) / 2;
+    ctx.drawImage(image, dx, dy, drawWidth, drawHeight);
+    return canvas;
+};
+
+const countPixelDiffs = (canvasA, canvasB) => {
+    const a = canvasA.getContext('2d').getImageData(0, 0, RENDER_WIDTH, RENDER_HEIGHT).data;
+    const b = canvasB.getContext('2d').getImageData(0, 0, RENDER_WIDTH, RENDER_HEIGHT).data;
+    if (a.length !== b.length) {
+        throw new Error(`ImageData length mismatch: ${a.length} vs ${b.length}`);
+    }
+    let diff = 0;
+    for (let i = 0; i < a.length; i += 4) {
+        if (a[i] !== b[i] || a[i + 1] !== b[i + 1] || a[i + 2] !== b[i + 2] || a[i + 3] !== b[i + 3]) {
+            diff++;
+        }
+    }
+    return diff;
+};
+
+// ── 1. Security: dangerous content is stripped ─────────────────────────────
+
+test('canonicalize: removes <script> elements', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<circle cx="50" cy="50" r="40" fill="red"/>' +
+        '<script type="text/javascript">alert("xss")</script></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /<script/i, 'no <script> in output');
+    t.match(result, /<circle/, 'safe content preserved');
+});
+
+test('canonicalize: removes <foreignObject> and its children', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<foreignObject width="100" height="100">' +
+        '<body xmlns="http://www.w3.org/1999/xhtml">' +
+        '<img src="x" onerror="alert(1)"/>' +
+        '</body></foreignObject>' +
+        '<rect fill="blue"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /foreignObject/i, 'no foreignObject');
+    t.notMatch(result, /onerror/i, 'no onerror');
+    t.notMatch(result, /<img/i, 'no img');
+    t.match(result, /<rect/, 'safe content preserved');
+});
+
+test('canonicalize: unwraps <a> elements, preserving children', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<a href="javascript:alert(1)"><rect fill="red"/></a></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /<a[\s>]/i, 'no <a> wrapper');
+    t.notMatch(result, /javascript:/i, 'no javascript: href');
+    t.match(result, /<rect/, 'child element preserved');
+});
+
+test('canonicalize: removes animation elements', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<rect fill="red">' +
+        '<animate attributeName="fill" to="blue" dur="1s"/>' +
+        '<animateTransform attributeName="transform" type="rotate" dur="2s"/>' +
+        '<set attributeName="fill" to="green"/>' +
+        '</rect></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /<animate/i, 'no animate');
+    t.notMatch(result, /<animateTransform/i, 'no animateTransform');
+    t.notMatch(result, /<set[\s>]/i, 'no set');
+    t.match(result, /<rect/, 'rect preserved');
+});
+
+test('canonicalize: removes event-handler attributes', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">' +
+        '<rect fill="red" onclick="alert(2)" onmouseover="alert(3)"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /onload/i, 'no onload');
+    t.notMatch(result, /onclick/i, 'no onclick');
+    t.notMatch(result, /onmouseover/i, 'no onmouseover');
+});
+
+test('canonicalize: removes event-handler attributes with full-width Unicode equivalents', async t => {
+    // Full-width Latin ｏｎload (U+FF4F U+FF4E) NFKC-normalizes to ASCII onload.
+    const fullWidthOn = '\uFF4F\uFF4E'; // ｏｎ
+    const input = `<svg xmlns="http://www.w3.org/2000/svg" ${fullWidthOn}load="alert(1)">` +
+        '<rect fill="red"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /alert/, 'payload stripped');
+    t.notOk(result.includes(`${fullWidthOn}load`), 'full-width attribute removed');
+    t.notMatch(result, /onload/i, 'no ASCII onload in output');
+});
+
+test('canonicalize: removes event-handler attributes with invisible format characters', async t => {
+    // U+200C (ZWNJ) is a valid XML NameChar and can be embedded to break
+    // naive /^on/ prefix checks.  normalizeAttrName strips it so on\u200Cclick
+    // is recognised as an event handler.
+    const input = '<svg xmlns="http://www.w3.org/2000/svg" on\u200Cclick="alert(1)">' +
+        '<rect fill="red"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /alert/, 'alert payload removed');
+    // The attribute with ZWNJ inside must not survive.
+    t.notOk(result.includes('on\u200Cclick'), 'on+ZWNJ+click attribute removed');
+});
+
+test('canonicalize: preserves all data-* attributes', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<rect fill="red" data-foo="bar" data-custom="value" data-paper-data="{invalid json}"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.match(result, /data-foo="bar"/, 'data-foo preserved');
+    t.match(result, /data-custom="value"/, 'data-custom preserved');
+    t.match(result, /data-paper-data/, 'data-paper-data preserved even with invalid JSON');
+    t.match(result, /fill="red"/, 'safe attributes preserved');
+});
+
+test('canonicalize: removes external href / xlink:href', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">' +
+        '<image href="https://evil.com/track.png"/>' +
+        '<image xlink:href="https://evil.com/xlink.png"/>' +
+        '<image href="data:image/png;base64,iVBORw0KGgo="/>' +
+        '<use href="#internal-ref"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /evil\.com/, 'no external URLs');
+    t.match(result, /data:image/, 'data: URI preserved');
+    t.match(result, /#internal-ref/, 'internal fragment ref preserved');
+});
+
+test('canonicalize: removes external CSS url() in presentation attributes', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<rect fill="url(https://evil.com/track)" stroke="url(#internal)"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /evil\.com/, 'external url() removed');
+    t.match(result, /url\(#internal\)/, 'internal url() preserved');
+});
+
+test('canonicalize: strips external url() from style attribute declarations', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<rect style="fill: url(https://evil.com/x); stroke: url(#ok); opacity: 0.5"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /evil\.com/, 'external url() removed from style');
+    t.match(result, /url\(#ok\)/, 'internal url() in style preserved');
+    t.match(result, /opacity/, 'safe declarations preserved');
+});
+
+test('canonicalize: removes <style> elements after inlining', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<style>.a { fill: red; }</style><rect class="a"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /<style/i, 'no <style> element');
+    // Inlined styles should appear as style attribute
+    t.match(result, /fill/, 'fill style preserved (inlined)');
+});
+
+test('canonicalize: removes comments, doctype, and XML processing instructions', async t => {
+    const input = '<?xml version="1.0" encoding="UTF-8"?>' +
+        '<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">' +
+        '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<!-- secret comment --><rect fill="red"/></svg>';
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /<!DOCTYPE/i, 'no doctype');
+    t.notMatch(result, /<\?xml/i, 'no XML processing instruction');
+    t.notMatch(result, /<!--/, 'no comments');
+});
+
+// Test against existing fixture files from the sanitize-svg corpus
+test('canonicalize: handles blocked-elements.svg fixture', async t => {
+    const input = fs.readFileSync(path.resolve(FIXTURE_DIR, 'blocked-elements.svg'), 'utf8');
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /foreignObject/i, 'no foreignObject');
+    t.notMatch(result, /<script/i, 'no script');
+    t.notMatch(result, /<animate[\s>]/i, 'no animate');
+    t.notMatch(result, /<set[\s>]/i, 'no set');
+    // Safe content survives
+    t.match(result, /<rect/, 'safe rect preserved');
+    t.match(result, /url\(#myMask\)/, 'internal mask reference preserved');
+});
+
+test('canonicalize: handles script.svg fixture', async t => {
+    const input = fs.readFileSync(path.resolve(FIXTURE_DIR, 'script.svg'), 'utf8');
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /<script/i, 'no script');
+    t.match(result, /<circle/, 'circle preserved');
+});
+
+test('canonicalize: handles external-hrefs.svg fixture', async t => {
+    const input = fs.readFileSync(path.resolve(FIXTURE_DIR, 'external-hrefs.svg'), 'utf8');
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /example\.com/, 'no external URLs');
+    // data: and # refs should be preserved
+    t.match(result, /data:image\/png/, 'data: URI preserved');
+    t.match(result, /#internal/, 'internal ref preserved');
+});
+
+test('canonicalize: handles css-links.svg fixture', async t => {
+    const input = fs.readFileSync(path.resolve(FIXTURE_DIR, 'css-links.svg'), 'utf8');
+    const result = await canonicalizeSvgText(input);
+    t.notMatch(result, /example\.com/, 'no external URLs');
+    t.notMatch(result, /<style/i, 'no style elements');
+    // Internal refs should survive
+    t.match(result, /url\(#myMask\)/, 'internal mask reference preserved');
+});
+
+test('canonicalize: handles metadata-onload.svg fixture gracefully', async t => {
+    // This fixture has intentionally malformed XML (split attribute name
+    // across a metadata element) that SVGO's strict SAX parser rejects.
+    // Verify the function degrades gracefully rather than throwing.
+    const input = fs.readFileSync(path.resolve(FIXTURE_DIR, 'metadata-onload.svg'), 'utf8');
+    const result = await canonicalizeSvgText(input);
+    t.type(result, 'string', 'returns a string (falls back to input)');
+});
+
+// ── 2. Visual fidelity: legitimate inputs render identically ───────────────
+
+test('visual fidelity: canonicalizeSvgText is visually transparent on cat costume', async t => {
+    const rawSvg = fs.readFileSync(path.resolve(FIXTURE_DIR, 'cat-costume.svg'), 'utf8');
+    const canonicalSvg = await canonicalizeSvgText(rawSvg);
+
+    const rawCanvas = await renderToCanvas(rawSvg);
+    const canonicalCanvas = await renderToCanvas(canonicalSvg);
+
+    const diff = countPixelDiffs(rawCanvas, canonicalCanvas);
+    t.ok(
+        diff <= PIXEL_DIFF_TOLERANCE,
+        `raw vs canonicalized cat costume: ${diff} differing pixels (tolerance ${PIXEL_DIFF_TOLERANCE})`
+    );
+});
+
+test('visual fidelity: canonicalized cat costume matches committed snapshot', async t => {
+    const rawSvg = fs.readFileSync(path.resolve(FIXTURE_DIR, 'cat-costume.svg'), 'utf8');
+    const canonicalSvg = await canonicalizeSvgText(rawSvg);
+    const canonicalCanvas = await renderToCanvas(canonicalSvg);
+
+    const snapshotPath = path.resolve(SNAPSHOT_DIR, 'cat-costume.canonicalized.png');
+    const updateRequested = process.env.TAP_SNAPSHOT === '1';
+    const snapshotExists = fs.existsSync(snapshotPath);
+    const relativeSnapshotPath = path.relative(__dirname, snapshotPath);
+
+    if (updateRequested) {
+        fs.mkdirSync(SNAPSHOT_DIR, {recursive: true});
+        fs.writeFileSync(snapshotPath, canonicalCanvas.toBuffer('image/png'));
+        t.pass(`snapshot ${snapshotExists ? 'updated' : 'created'} at ${relativeSnapshotPath}`);
+        return;
+    }
+
+    if (!snapshotExists) {
+        t.fail(
+            `missing snapshot at ${relativeSnapshotPath}. ` +
+            `Run with TAP_SNAPSHOT=1 to create it (and commit the result).`
+        );
+        return;
+    }
+
+    const baseline = await loadImage(snapshotPath);
+    const baselineCanvas = createCanvas(RENDER_WIDTH, RENDER_HEIGHT);
+    baselineCanvas.getContext('2d').drawImage(baseline, 0, 0);
+
+    const diff = countPixelDiffs(canonicalCanvas, baselineCanvas);
+    t.ok(
+        diff <= PIXEL_DIFF_TOLERANCE,
+        `canonicalized cat costume vs snapshot: ${diff} differing pixels (tolerance ${PIXEL_DIFF_TOLERANCE})`
+    );
+});
+
+// ── 3. Fixed point: canonicalize(canonicalize(x)) === canonicalize(x) ──────
+
+test('fixed point: clean SVG is stable', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<circle cx="50" cy="50" r="40" fill="red"/></svg>';
+    const first = await canonicalizeSvgText(input);
+    const second = await canonicalizeSvgText(first);
+    t.equal(first, second, 'clean SVG is a fixed point');
+});
+
+test('fixed point: attack-shaped SVG is stable after first pass', async t => {
+    const input = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<script>alert(1)</script>' +
+        '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">' +
+        '<img src="x" onerror="alert(2)"/></body></foreignObject>' +
+        '<a href="javascript:void(0)">' +
+        '<rect fill="red" data-foo="bar" onclick="alert(3)" data-paper-data="{invalid}"/></a>' +
+        '<animate attributeName="x" to="10"/>' +
+        '<rect fill="url(https://evil.com/x)" stroke="url(#ok)"/></svg>';
+    const first = await canonicalizeSvgText(input);
+    const second = await canonicalizeSvgText(first);
+    t.equal(first, second, 'attack-shaped SVG is a fixed point after first canonicalization');
+});
+
+test('fixed point: all parseable fixture files are stable', async t => {
+    // Some fixtures contain intentionally malformed XML (Illustrator custom
+    // entities, split attribute names) that SVGO's strict parser rejects.
+    // For those, canonicalize returns the input unchanged — which is itself
+    // a fixed point (identity function).  We still test them all.
+    const fixtureFiles = fs.readdirSync(FIXTURE_DIR)
+        .filter(f => f.endsWith('.svg') && !f.endsWith('.sanitized.svg'));
+    for (const file of fixtureFiles) {
+        const input = fs.readFileSync(path.resolve(FIXTURE_DIR, file), 'utf8');
+        const first = await canonicalizeSvgText(input);
+        const second = await canonicalizeSvgText(first);
+        t.equal(first, second, `${file} is a fixed point`);
+    }
+});
diff --git a/packages/scratch-svg-renderer/test/snapshots/cat-costume.canonicalized.png b/packages/scratch-svg-renderer/test/snapshots/cat-costume.canonicalized.png
new file mode 100644
index 0000000000000000000000000000000000000000..a993ec4f6dbe715aa4d705584dfcc44946656caa
GIT binary patch
literal 35354
zcmV*-Kr+9HP)<h;3K|Lk000e1NJLTq0077U0077c1^@s6tyr#}00006VoOIv0RI60
z0RN!9r;`8xAOJ~3K~#90?7i7@9NCfP`|}fPM&zCeB#_uaa3_nks;VS)x4PBaou2te
z@6&y_HjCNJof*xvdemyEO0}>S?jQ&dd+wRBopT=oplUCY1r|w2pII7cNkrs{M10}L
z-9L91{)|5@6xXJ}T(KSbiRY+aAh?<4UlYy0X7I1<fBxWkFY!f!{k#`&g0P_NK_;-B
z04boK_o7}PxRmBfD6<IGS>H7))q<`gSiK4DEM_K4@t^l1Uo@N|g0y_9UK5j9nE4Jp
zdjxl5{!Ee_rMVIm&LQ%ai1}r~F_&g*rY4}X1M#CoMvh~ClRWQrzF;^F1aYV=7Rj7B
zj9f(Q&=PYfb+emhOIviU1Gqf`{zU)wYaT^Y0Xd^A-mV7bovE_9)~=X^wP`JrMACzS
z<?r`p!Dw9pT>fl*AK~RENM*4I&MKDm2AIDSVO~TAB68DG&i~HB>_djD_uzK-c`x<3
zplB+1)+<W$mV&>WE@v12>Ri^mGN)y+uDP?XtdBR9pJ-DuSQX0iMS2?pAb#FUe-ZHV
z6C|}<Y*n`vOP0mOz~gKqFo_Z~doWb$0K23Lx{=0b?xV6jI(LWUPe}8;m;P+A>=R^l
z+m>@+-mVtS+pUtha;2@?@2qBWbzV!eXb_;}8_TxvwbAv=_%&!nu>EI(a2g1L5scWL
ziz<0Wx2wjyGOr!2ng2hx`I~;E&VhAP9R84G^3T*(Z*%x3u;mJ}y5)LrBJvZ#ygO4i
z=l<qGT7P?4%e6&KyP|PzC>Jo50%_61o+M0<6Vsw(cjz;G-k0zq;1m!<3}RACNNkI&
zQ8HXx$SlvIoEeIhfabwarh5}r8O34^C)6peY(Tt6|3RNqx0PrI)cmF`>Y@_ft%drn
znX<WfbzV=uyQ0-=OPRE*hSE{ID)bDEqM=zd-r-PM<3zQH!h6s68eSY&&wBws7=Gwu
ztg^Cb8^fi=x@rC0<<xp}S<6yGORI#6Qv6{g^(d9qIF)&WWn=6VuP`9)kDvD?oFIg1
zvu%m|%vSuuvgF;BhB@~SSF-BgUdWtR7B%gv5#Iqz<p&%N#oXN&dSjUkV(IoL=D;X(
zkLcj=`CiJ4ftTNc^u3f&4^pj$lSH&OsA>V0>ROtiP%9Y6V3mqK;hkNX-R`Nz!2r8E
zks=gIR(bVKB<UXA^#L!hZz3=iQYlQkmUY!q@@_3KZ_HNB+G~rt@y=?dt}SSpE*V1a
z%LjUnk(r87?Wzejd!}tGHH#Skl$q71#>;O(aBTwL(^}>X@<zLA=6<@C$zt6|zQ;B!
z)Ql|DjH-u5IX2$mNE-c#v=uUkQYB?%pbM1&lTOCV7v2;=QJ!6JZ2K3M&0o8gym4mQ
zto+l}wEW8pnR9tw(<&M9Y*6aU2ajT*J3<ae%4{4cwLfHEi~fTi9d16Ct9ilj@>>uJ
z8EHDia)()FvLq8ViiJ3Xz=fKF)B+>*Fr(xf0*@k?pdMPagCSGBiK+}@Wtm9T)8g6t
zi0snWeYhDt?<;!@2=%p+mt?cblWR)xZllQS^Hsg@`l7DBb0$+)=d{!UL&5##6L_|f
z>9V0&)SjhO-56;aR7ierWW1af^~7)rEJz0`wgJBl^3!(JEWW;!F;_EqHrPi`Oj|*z
zV3?^GR;P^2){JGec;kfnD3;YIl?4RPXfj;-#0M|BZz6#02Bl@OoWHXz`DNh9tLIu~
z{@-6qi@&^>+81WDG{W4HD*5J<=%d?zcOdfKx^3S-w05-N_XPD##s@E>MLkiR0t-UM
z-rj^tc_Lyb8nSUDY8W9U55&oT$#e2orC?;HoY4r4V_`~xZ->=_n%(S}=H5`b-LVuc
zl@*P*d^?Vl-J?j?NoAH5V8OBlLmNsKRh{3uMt}Jh7G)4+IP7N-rf@gok56<(WwGok
zd)`s<y6f=MMrdALZ0Ob-OIhjN)l6M#YgO{|hs1ZmwV@tDBSbvg*p`^UXsKspRcNQM
znV!IPzqB|F1TjEri%L)?Mw5&ZoIxa3s=vNFuvEVFT5f7ezES69jC}k+@xg}G{FmFj
zHBMyC80&I|^#{kXf0dNxZk$j!Sizb@P5VSih+PiIOaW{ggMj(UGhQ_4lyYf8nho$)
zM;zWB0~+QXN4zDJ{G(&*w~L-Rf3~Gt|L$rUyt$OArKXXRZys6C?}DwM<QuAiF(sd@
z;EElmW;%=Q78Scsm(dTr?w1;;fgk_|WfDuNu@NStSky2QE7QVPx6n#JSx_w?)q<fG
zWK#AFp-ZSSg<7a;`+aHk##H)|NMigN^|f_kb{Nq62H!*hHcYvc9G|r4;o`ZL_HBi4
zG;U&yl^Su-co^kl`ypZq%C&q;^pTB|uMs2@JJZ4h%Nk<LkjmLH=*+gn@hr~yuKD>?
z$y`~TGPSps)8OruOkJ4O%6Gtd%+0f<@>eO(hnRY(z1~n-QKV-`W#ei77^exRg&;Vh
zGL#t`WHgHLh7qLM_a9gE;LNn98p4^DR-bMu|JS#y=Jf~amE@4wQ7o?+_>H#B`-J*B
zLw5Kw>ugGMCB&;^XyKV@B}@Y?kQSDyE3HDy;Ah}~*od)3l(H?v5{0O*@7}aFU<_i!
zWRQVMMVVBI$^aaPVx^#GF0^&+pRT0->x-FMXnZ-x@g(pam@R8HUsb`ql$qYx%w+1%
z^7m6i5D}ds*3cL|9LG``Mnd`+UW02x-G-8{rBxQ{fpG+5g^nGR3u<PoOY>l;+}=b&
zV@pvxXYVIjHUe;b6`F){imE$GHynrQf}^L4E-l}YR>3hdmNIq3gbF+a%Tg#y8El1d
zZM3B@fcdKZ&<4r0kt`F5GbGiZ4LZ}JGmS2LhPk?t*A_GN)^euKwv2M^ry~bE%7;k1
zs)OCWYKtYa;1r(jY^MjOh9HTuQrpnav<yZO=`e!q3EXN+LBTOBH4H`1s0%a3T;EcB
zxS<;Va*H=6iE3v?y%NKQ!rnj`Wg{!vV%B7)W+@3n$Josh-b~pPX39F4Dw{$zFmBN^
zcIcu42Pt@l&@&uugOnx4z}Gie#^fZ4Ghr0LFct<A)G!tq#i){(N8^?ons)8GBUO(B
z-+`HmQLVBGeAl#XrP_k=Pq$$0`*CUrBB@R@rTR%me;7+LjKmxf<gsp>W8b7wKq>`8
zJ<OyM7>YgxZKPcZsqOWp-Jh_Nq-;1gR>?Ojo?}|Jq7*vDsfMJDqM=pNYN}+^bje7)
zXr%1tj&R@_0uMsh;5mq`K*=|+&m3*yk_^TP3?rdGfng*vjG^GdLQPW(a!32C3BV_X
zXCtk$VY+NQ+mfa+G>z5)c`88jCz=mAH3W$hohV23l8kPDBFP}ar26s5@l6O^SZ-*_
z1tY5stv-FI{NLQMYIpXOKZs}+eWR8ey0lm~g}JJ>r;0`@fw4mmd>dTHh;Qf4vSWd5
z87!6G%*T%L<1EfTin_U0E-*|pL#qE6jkDF)t<TfIcMPqHp;^?n1;sd{Vzd<VGUm;Q
zJjDDbhf_lkl%49#4B~`-KQi%PB09}PeLZ~ocyR6fRrHLsN}1G)Mr>u&Y(@FQSgL_*
zWVxx;Qr)P<hNf9Ggf8Nq&^LN~(~IO`vd4`|JuN&NnxUZ)q8!_}N>R#Cvs6kgx~(19
z{*#oypB{q5X^NwUab||Su|)kyvL9kWj-gb3^UT*Yg$qW#6={>|qbIv(q~Ji{emQIZ
zGQzQ-QZUp)V~Rf7vrRG1IF}~rL&CzC;h$!G$mt;nc7|b?Xg%mnNc#~cIf2~wv2Rkc
zkdmJVoPPLOUpy$u9rb2tSewdt*p>2DN3QG}87tdKQ+L(naJUcKBmRW^kyD_>I)YaY
zu%zx<GAqK`OvOySy^^W9s(Fc@>pwmc4F(YbXLlgg?nu>vvMu6dZsCw<zxTY?_+#Sq
z5X29Cj9nH*Tf?Qfs%gEunpyL;{E2@Oj_hfMNd7Vg@odCaI8jPbL_&cu)8Z&0Q(o0%
zP9Y=iC;SOmlG8(waLPqYC}PcJnrm}a)Bf4nOfA;)9NeD?@_0~^m*Lhz!(7!!JwSEG
zQs_)nJ<~FmX{jj7>1eOqdr9kOo(QMM2RZC#l*_|JnW4@^$B9Us3Tbw7q0rL=ts&KU
zo+ZitD0{b59=)5b7%BUjz{TswQg>|%>-(y{H<ZFSF(Wgvy|i)eCi{91ZYG>kqMRNJ
z!nDHD7M9aC@RPZkng7Xh#$3&aZ9TmN<Fq2lU>L#SNZ9TxcKgENNEpUojG!b>MwSDZ
zt7>T$QR7tXVMK9~$Xt|3Ss{m7r9F~n0tcruPjY%J2zN8Q)e%OIK&7e9%Snf^;M(Sy
z=Mi3X=v=zOC=&LE!tOxW?Fk1Xp&wbqX|8<sY(vS@R0BgjgpzNh5*WEKliA$~%2Aec
zeM?ohI${rE-RT(1!cIP?+ulBn3B^-H5Hb#LkExs;i!!M;=wXB!Mo{tq=Xo#h`9d3r
zQ`qPz{^hpA2OEl8J8(F*uq+2eFveiC#^{uyXPB)Dt4+<N*@SjAlfPWc)Jj9!<$^8m
z-#5#*cGQ39PiSZ2{J#{ejB$GpHcwUk$Y~;o1`>ow36a*4j$*Ng6S1=5sSmb%D~!oQ
zO}(*jcVF@GmdEcO1l;bH7&tXlP@-5Y;5s%&8=@p-IGQlZCTyl-;!clocF5syENjzR
z$_3<dTZ=K&GEGS-vHN2>T}0s&KBCv!g6#>X#FCsQf&ds>bY>}QBEn=GOE8SYO0%yQ
zPW`FCkUQiLI*R}Fk;{h<LwdSKZDy5Uy!txJD=Rc=RSJII4`@7z==KI|Z||_aewU5)
z+x%wzbAEScpVg-3Tr1;3D^XL$6xX)xz?HdAAF6*G#A+%7MWve2<<v-1P8&gRlu8jZ
z21erqcM#z`PF=|3B0Gxw#2Fk%$qYvw6fA>l<r!()%HMn5(X%Ll!=Z3{*W$xXkNcAb
z%d6+PdgUtbzVjw$&#X|blphf!ieh^G0bAQU+-OZvEZ0d?iQR|yxjon;m9A8R5%of%
z)~2->Bb6wTq7oy$3HzPM7%G)N&@F79hVc`p&UJOe>Z}sE)+o_lsOfOJj5}L3luxMi
zCr<P2%1&RgexO)C6t+6TZeQq4a>BSaxYi$&Z_g74L*e?C;=K)zPj*Af(`)?GKmI+x
z_=|U0UYMg&F5@~j>PRmyA~=ps7!;VEYOpZhX6?)pje4EK-k1k_WA5x~y5o$qQ(6`p
zMl6Lw#OqFEY7j|a$ab+zhoqW7=cR7?aOy0GD3f65>&y&>kvwtX)K{TRzC{_vdGu$e
zCp_#5dqa!P#AcFMXaq|%o=T|{GFoLrGt^W9L#1G-77V_7r0e>T2{VX<8#@;Fx*=|<
z#nRFWmoHx6{Mj?umi34j$FMAgWx05sOSMvFy4hfHewJFLOcZB)VEf!(zYE=MSsL`1
zD@B}b89}mgcg)!|BOS%^V4zf-qCY+=QGRKy$f+Ypl3FQ>UYx1kC^pG3lE<n||2Ak1
zlN9bB{xSM<dk1>4gXaf0j)!GgWLe5+G{R&tzO8AMHRoFymu53wna^lf^KR-tHbI7w
zaC_fjKd!O3a)C=1&Qq&auq`WBTzwC0+ae4C&a5m^3<H)I=lJix`roYIR{W1!uu|#r
z7i%$ZE@v{BV2jYcyQlts6kCB)pqmUYAHc^i?LeMWN07X5%IYVX?hhh~hq36)$Tzgr
z`EDGQywW*}{(Q9M@!o@gJH0X^zlK|_P_LE=10UPAh?A6Ff5dP&VmukMnf6Hc4jHBc
zhDpSkX3AVuQx7#y(skr%aa@r&PK2$FqH98~&djsCG*7V@e$8@x8<bMGuA*M6QmvHn
zT$jOcgoxskPlUT2Ef<D;T4BV6S)+{6mHt?r?@#EbnffrPM2B=+4_{WN{nQcUxNs`T
zRIfY9;{F(&W+)!B^!6CXd4u%>#ee+B<)eoo15>BbKEp3xdz00b6&m#lLBU5v$h0Pk
z5<1-;4>lii_wH?Oe*Pi9eXzkFHU^w&O!(__F<0hbwxWNu#ATcs4hEW`Yg4V&nQk`l
zy>ID5`W+C-$<mr`@>f59hf29b9LH?lnefkd3}@?_Hy0CW1ev{YDE|J?Y7fTz#Ij7B
z)r-I8;LikkF(9!9XA-AoGMJDIW6`PRiG?QP7#{Y7&$n$p+6vf;r&(S($JMJ>dH3zN
zID2M=a=G~EX4BfBwWinW^I&V6>FFkp7jWa&6kA(c-0bZV-alZH47uFS3$Thl-`n}{
zhd}F`<fGV-+7@9DQZ9wq_LG08h#&&RVn`4a$g+&B?Hx=Ovwk~8b|>=6Tt+R-)Y)n6
z_9xQ3xg*yGk@V5r0JeDvXCI!rC>DOL0xbECEO?GtoT-@VYfD<qR-UXbWT!9uZr$d+
z2L;x9Wg6{s{9pg@xBTVL-ezf`O}Sjcv2D~BoC*<nv}d1c);Y7X#QfYW1wUXE89rSf
zu)Z_KQU=e-o3#Z`{xE+mXp`4=+}>6E>T{dSo8_IiUgga45@8tNI!`Yx5D_fPqFSw>
zl*O&PTO1r7;M*CFGE9|?1TOaap(<_nB|_u|j=y^(k$<TYh^NVd2w)?s1ghoOX1WsK
zR|<%u9)EjvoO$k!gpW5ZZXXs28;hJfcb==4FLLhe>NiGzj-Rlu>*BgD<#LhsY>Q^2
zj_3I}u1jwWd;2c$Z|$N@AIAa_P0`Ck!_NX=&Bd4>m@qwd>`TRvGb>9B217ph_;YT>
zU2Yycz?iPQv6u-)`_m=kJ}AgSoSJh(UD%?sc$@C}OEr4rG!ew6x*Q_Xw&1mrXRe)Z
zna25<%r5$m@1P%No;zdVvxkbEtj@b{yuzEWU!&QmKX&v7@|&qzE%WNti&QIRnvFUi
ze$eFO4}QZ=XM%0zpSRl7)KB;?p#&TS&ZAm+LmbD%ag5eKe3zq?!uMR-GcA7l&YL*4
z;r)M$h$jPHUC5X!8?#U|X18xDyM1{zPNkP*asa$kldDb-K`M(y$5^Wchs&<RnO4cn
zT%5`5b1kik-s3+t(+oy&o?v^}Q^ds*OUtXATU()0E<JYi=a@tV->2aFc%FynxhSRB
z-0g9=W%yug7fTHY94I(>82BV*`AUIf3BIcsE6sR3W;h&^{*bu$qjM{i%A;FXE}o;;
zAMl5dZ?WIqWp8Mh3KN!_nn5JxQN+bPWDo53fcv~eb4N}MK|JF$aMaHNkDpDK&D7Z$
zBUk6OoNMVv11lc~Q3|_#VRxX2GllQ_%(kYOZB5~O-uIv2TMz~XmKWzS#*m~bAG}}S
zv+KX3JBXMr<q5@l`0ayko))$RMPC?6#&9^G)9aHYC)Y1A2z(aj+wAP^voJr)cKm=F
zdnr+z$x72Gk*suM$6hf;HnC_@Ukf<6IU;x1UwE7bg4nPYWQuu9<du@IFI}3=s@E1W
zwc6A)i%)j4B+Iu~y@>*46Bc|b<r1Z0@v*JPH^FrsT-U*vInp#EOEd0l?D6nm%tu=t
zLT}8Kc82fd57r+lQ8_+7pZ{SP#u2^F0ekxgMDfYF0gmHPsW{BGrdV59BJMwAy*q|<
zEPrt}6%pgs0&L%<m1*WDk#51%7VHjAY!S~8r+^@90Y&DGQfrxEwHlb&cUE=br>mK&
z7oWUEPp0!NR-9S*o=+I~xUPdz>O^!^#V}xPb&*LlVdKFTH$I8@-R2!8amG|BVycv#
zXtv$A4XtuUzc=D={~=r3J4_}gKV7a|E^+a~SqA+Mzx~ZF5+C5&DS10nt?MB{Z!Bw*
zNHz(>KEpo~<i|nXR4n9D+1J;~zO<Jcx^%vksg)@s;Ztl^w2@q;s};86;CW8olKq74
zTGw@{yDlq>^Su7*Wzu-ezx`X6PagKTyO+``<<)%t2^Dx19K&2C;~*OHaCeK12U`q>
zBeE<zBK_lCm)4pr%a}}J`hy{9mf|`NzV8tP1&U!VM|rrt!$1G)`|J-D<3uR?nwg4`
zg_<edGqTo?+0<A!PUh;KJzjQ#C`U^Zn|Eu0dFRSp)_ip_lewCq=sn(qrLV%6+=^%e
zO4JkGL{EZRt;(CPy+WEKe0Jj&``epb-%2R^8JFAo(N^n+B5)0hb<I|9$Vay~k?;ZC
zUY{gQacmpQdc0IvmSv2_6CQ5w@!8Eg3`Zksl?pShDV7)86be2IbF(bWwF!cNNzdY8
zS0P5rd{tY$Y090EoH-cE{nX0B<R$5@^%4{0vP&r`D_hSik#m)TS-I5K#cOj~nkDnp
zc?FR?lBC3t>5MGX7<2LgmqNj3er|>{XI5BRUg7q5ms^Khl>L<XnqjJRGQLRQ8Ww7r
zdj~N(?y<kW&(`)1yL*Q;>Q#cm;}N7k7;)>)I-lOS&4(X<Mz=qpR;{qMvWQZ`(n6as
zDA1_as8y@%9E9u+Q$jbBnX-{VWP%Sjm^GR?lTjuwf_~xW(!aa}sq{lAECXwnqFD<~
z;gxx9U0u*r3Qzx?TLJ|K97_|&G2=-@_CxgY-vT9qZQD#W>b!RC3S?t$eG+3o81a)8
zjW+s3e360+b2ZIkJ>R+=Mni7jxkqby8qakI3Xd1!+u7aczy0c8_|3olfjjp$=nsZC
zj>Dz%XK)-F+p?Hzw+IS8Gt*6?!zP_cL~k6i($tJ&?N}C-D3yj0t4eh_q;q!&ywD>^
zUS5JIyJV4FDEVBhg}O0cH||oys8-p?4{0K8Tlw~^U~7^jW;BkNL@{xad}9XvX(1w5
zB2+3RE?qcFr_<rXPj0f&*<`1u=#7QYdwNUw=z0{Cd}x(4%k`9W(BaOl&ncBF%+5?v
zuT_t78sE&uW9!-N_qqP*O@8->kJ;NlWIUb#pp<as?l~6bW@$ERc%DnMQRlGIU@+Nd
z8270Lnn_|*=o#0uDP@}JB(s_@mBQ`|O^}ziTa=5b+LpXh3%GWrZEBa>nW}~6cqq+N
z<G9Ot(bHr}!eBU|KNvC^O-Qqomk||%fYs%BR+bki6ha1(;{Ktq(GkWcbn6IE4K&y0
z6P8Q++`aiBzkmNjws-c3qVLbF8)Jx~nEk^J2L~PE_>T*V<AlBaL-r01iQ*X7b*WaX
z6w5Ut?K4g+3NF+`W9lJUCBXGu=1?+EvGT%?czYQwhz-qx7Q1B`Rs+v0o}bCWOEX%k
z1@nV5(Y6Jp0#tmBYip7u;_$G;L8pUlH=bDJmt~qXO&N_RbbEc$G{tot3cgRN6ymrJ
z^;(tIRFit6&Q7<?_8{ZIVailde$aLi{^-M$eZ!^MjLvw-#~YfB`**o<^A=N$8uRTL
z%H`7coG0HB+O~~~lShg}C4y~Pk0dy@ZBr~3DHMtvYL`i>u#`~pbH8f3Wc=-(nH@xG
z7FXZ;K^ONU;3XtTvp}iTHknz{mTHAA<#RLIx!Bf}{U7e{9nTG~g-{C>2a>R}yUXU*
z4&`EzVi-Kp`O-9{KNxcV!4@B0|D66{NUd6CzCFW*v#T^4H7v`bSPWU5Ym@b7IgBD6
zbS9jiIXT~_=;zaX4@R2b-pkk=9q_x~zlUYn6#n9!?<9zb5CjG0XIsq8w%FKwNYWpm
z)Y1Fx{QZLOGaQZaJQv&bNVQFr3fh40BC{23wQCX#A~mH(x~UVMUYhVD;pHPpSPX4P
zt%M$DLf6!1D#lx=8PzHoIf>eeM{~mqFjFzalMxR$H@LSx%fj3Y%|`8s&etCf`TW)$
zKD_=pzkB~<4m(|H)e7g=R&d=s$8ua_F*`d=ceh1ncZY|)E|cWsBulOZ^$?aCn#=7J
zz1`vd-Oq8nfQ9)s#W18?D&l>mnCdvhT`iY*<??wZQOxHz@6hS>@mz<?7teC`%rZ06
zO?=;DI2z{);-i%xzdYM8RWdSNGXDC$p0Y(XvGHDXY41x%5HC<AjCHXV=!?ruT{_#!
z$DjGm4<BUtMTD+qxsfv3>+)dzCZ$S)SFc`t;`8k89q>Q@`M3PbzrM$<yZ7n!`Z$im
z#)F4>hF%nFtBd%a$Mn<`TlFb+w?cLYHc@)A^+f_q6*Yf#Ho<p#{O3<Mxc+I#TzeMB
zcDQt5jVZ7GjmJ(m8~ozuZ?n8O$EP=LGZ>DjRVysa&2s7d8Jf*Hp6jBuCQcI4G{#mb
zu4Pb?OI~V$k$PY}&sI%a(L`|nOpud>(niV{RtqkxXQp)V?6j6j!C;?o=~vM+tWBkK
zCIf!|aFaXtHrU-iU^pD*TZqT3${P%Ze10>xAUk^pj7DQ1Z-#K|?tK>KW|?cZa2$tP
zwL(~`GD<zVT9KS!OyG;Y$oW>rFq&}vfo6SlpHHrTfMr>Do`Z-`Du!RPBw<)!b$NkW
zwM?U4C5mIJl`^$Tg<7>t;V4|3rYXICpV4TDXB)zTjqSMDb|&R~YOt#mHG|A*V-^UP
zw-}E5N8K1-xM{jC6G0R#yGcUDQY?5jbIVN~oSD*6d<Hw&l5e=s((DZ<{QA}*8(Z6K
zJlJMw;ehF8{jmv>Bq`l)KhIu&K}8!UDV=VQPPb2zq=aEE*C-SMqRe8H<l_lW8n%^_
zWOYjO%ZmxW+t}m1n;)>(jj(NtOl!`st$yQH%d!;Za*@^LMYPs9j*aW&BFtk%QN-Tf
zKHbg%Wf$t@0N3}iy@XO>Lcz-%W2BsBvXB{h1ItRNR6e82_KVoE^m!6Q!J0!gEr3)o
zt|E;`46QNT9P_mV(y~iP)v~0iFpYv^N^@0h&DXRPPDqyVMHC#Etr`}pDRqC$!Dx@0
zH*e5v)bM?mAjl(>-zP({EQ>-=ASe`=Od^sb&6~5?HU;0u_wyPNOIdiHhvRspS`nq@
z(aesM#IcVxUD8~ehcp|qu@|wsCw%xph(3zCtu8N8uU04=HKjOy`JO&`7VH23AOJ~3
zK~(pRvi~g0h~tD#x6kIo9eRTaOG|BLmY4Bo9Xwytv`4JS#Cj!4eZQH`Bx&~AXgG0q
z4|_9*w%ki~afc|~XOwhd^Vp(1O9<e=d5_B2rn~;NVy@>%kTr)QWsJRmsLOzhZQZBH
z27~2IxZC54Ur-evW4CQ+yN>ZozG1dvXqEH&?vsYC@@>{^#c;W;`Sjp`>mU9Ol*N3z
zMQf`0SQ@P`3^=pAz{bWFQ5-XgVr<KzTq?4%G|%$lJYi7CL!?KENNw`Mt!JQcd4#~t
z8%O9P?b-XAdwlrW``q6;WM_AuH(tBKo3CAEu08WuRg`g@aM<awxxLH!#zV$qXsx`-
z(i`Up<|-5dhxtj2cYet9<vn%p!A|Yw-L2O?y?K9S{7KyJ_Q&^a><>~;KEPEU(7C+z
zjQeTjCEDfrB3idFei8WXSAXd_5+oJ0=U}H5Fw2N(g0!(@iL(0u&h298lhS9b`;b-<
z<^x~aW#1I0iiUb%coy3$$Q^!HL9?j2HlGojKEL0($ETlGxq0;xwQ7ZWt@>#1{cSjo
z{={)Y5ER%uIK*>ZE}dWF!r4{YGt(4&k4Y4hWf@xMv#Txjgnf#Ra9mTbb$;V#=8x|k
z*QXzMcnm$5uWIxXC>gTfjoCb$@cAbRX)+;A6V9wG)2LS|mrH~}0oTnfo;o5-lBP^1
z5!<`_+_-g@Pd~rKB#Nn28?=`%FuQV%LamD9yEsPUHwRL0?b2>P3~KfJepsr_1YyN&
zZtpGj2g6FQKdAJ2gW`cbx{-{|Z!#Jl!bZ%=ZM`gL`2=nS$D6^JX_QPO67UTKd5&F8
zniigMu&g?m6^vR1xrCT&2(N&gL(CK+1zep0Rb^Y38%1+zxuI7twRPo<B`wqCXFH_R
zl3c2hWbo;hVSnu4xE}VAQ(Y>C-+8?4Sk!A(=4M+g%+GT5(m8(i_UpX;<~1&zKf_d`
zhU>bF#$&d&ce%HIpS!njQdaxCdnRF__GAxGL+-moY2H<F5DEQ>FpPw8B1EZ>YC#{B
z%2*Z@T|+g1>9QtpGB)=n+`NCl&D;05x3R@|907vox_HL~ISLt$M)|rw_~=vq%YXad
zeDvuJf`ZTGi)VTF%~x4kn0pkhLj+M4wp$=5)tH)|mDQCcxq5L$omrf50?(>sY0~cW
z2Wx}jWC~@*M$~{bjG%Wy6^N~XN_84#y@IHJhp1m5oCi5WwEus9^|zm+1-Y5wu0@#a
z5UhJZ07heI042c2;G(F2Y9Y$Q$Q8%Zi?x8T9vX3M^DLC;UqZo!xvFMuI^k?{%;()5
zZhZDJw&PK+Rq=g~Vi0`EQT@{KzR!GnhFZ14^i(5v$b$l5SRnkuaY>Rlof{5%_;y0s
zdc5w7dEYDOO@z)!=ucph2$Ll5su(3lGYHA8hOPeCT-&vCt(RlvRwi%_^OXq)gFV#Y
zfX?;~w<m{~H0I#2%lgLFkpkGqwrz|t^!fufw|2OB`yO}JH^9J!i>ti;$|Yu6&97Kk
zLD?>@?c(|+DOX`OjU|oeXt$;cuIqVTA*dCC!ou`}?aITwUixsa<Hv#Z3HxiC@KmL`
z7PLKzL5MOHj5UMFmQZpYI1iLC?1K450sixJ(lZWjj;OD#W0F3?`-qe<)-;$!jG0HI
z4dx9*eh!2fLT#k%+PYY9P(MVJ__#QZ;m=hye|<hCTtDES?|nuuvY2W%a9x+x<pt_)
z<vY*gdoI&c4U9Heb}r4ZzYv?AL^0btdmJ9@QnV*D1N~S{<wh~w-B*0NrTG22#oaxj
zGZw}%WLmy+i=`wVP3JjzS?*$8vsgF$?S+`wz$d#7cRF3}-Ts6RKf8-Dg5x?A!vNd1
zNwbV-5-}K#aU6@OMx6`iR{8lmZ*bx4Dvet8d)F_@#&$!dXBT;=P*KY(%kFDeR@4U{
zeRk$Q{g3yG`<=m}f&ZKo_3s(1-G`e`SV_|MsJhc&R?zAy%3J_B1GpHy4e~L<@5#*8
zHy!;v31WbhgPT2|2do1&;YuCL*#L6}Odn(!m_tn67#dMb`Cusa{X-=mJ+O$=T;5*v
z&5=w!Klw>n7Lk0LRSOJP+L}q4aAR-GZhwc5KK>Y`6h<4er8&yQZ_h;AwoUOHLc>~X
zGOg+L2dr;wvA5r)TB|eL^6{rKs3ee0AdB*!I?DfT@+^C2EPSwG@qcb9ez$IMXHV#j
z^R3j^zU?n9EdOC0JpiUknzd=cc5L3d5HQuKQ|ir7*)Q|yLz|8Lgo93>(P%=Fq<Jtw
zYec|tY+6$dE?+#$wJYbjbYYG5%=BXgF+?duxr9Ym!eW_5t)g1>&~<FLzI`yP*^cc!
zc(^}!u)Qydn-~tJ)?s(Tmo15q`xYK0+b1m)aC8A>g&18&q>WaK2&)J!FdlG#a2?G1
zMEZTkw;z7f`d*|wNKTlc)uB8}NW3j9`2!+##I!K-2Fm=0?pW2XZy}wraQ{$oX*T2P
zoMx@1S*U5Al|IzBVY&>L7CbuE6z^@?eD=x5JlH;DJee?wA}*X;{nkwMw;|J-$s}U`
zpu>&Z_t-rcvikZJRxV8wp7EeGfyp+ExAUKqU5NG|9fHy9^@aa+L-D^px7ZuxKF5<J
z7>|1p?+t`Wq9|2s{M0(f!s10PmanjE&G7C-(dkF*9dzjS28_lNvMj^0EP{ehty-Z`
zuhMMPXw)iHtCgp&!gT$BW^0ja%9B#5C~Hd}xBj31^6S6ZJLpwJR1%j<2|d2p^g+l|
z1_2eO(58h;8&M0uGNR@%G!Y{h*$3_dH^AHlStp+CFwQ!B%hv5hA_#zin-M)C;2?i%
zzChh;V(fx}zjkb+>Y<T>lmAh#Z&{2IVP_z$HidT8&<G7B-{9GtP=;Nwy?|nQigs;|
z*JoBSb&H+x1_%8iA6>semS&8{6P6d}sa4B_VIJ|Zzon#AYfYMFbh<s(H@5in#%=cY
z4^g(q!tz;`E?gj(_Q8ve2(oiTke!?)Nf)vS(Zdlt<33yc3FAnUWKR|wHsq16Q7nuT
z#eQ5PDP6{IzeO;05j&U$5hjzEPOnd|*QY-ilB5}qoe$cn*QykY0iNrAY1{ZTuq;~&
zVVN1*q8z#;Nm~5fhc|=G?fvYaGuVlv#GzEXgRb?kGaD@~1{a}>NE0OuFpZoPOoNn;
z6k!LzEij*8^ao_J&VVl5|IQ8;FB(C<0lp^6Vr-LuF|!pd|NfPf*@|J~P_fw&{`HRH
zw|5jX6~l!Y&D$#(=UbX)=_Dj50;0g5hN+)YEL~&OUBzBfIL*6!@X2kie|D35>ks(+
z=3OpbSmX6;msnk1pi!@47rxn~rD?`+G~&*^4gSAh{U1KO{ux=8v9dJJ+Uhcki^~MQ
z4ORw)StuWGv&N8(AnrlDkJG<RW$JfSOZU-wLZ;KFN-!ShVZ5M5Fnxu>)MYHMoL@V6
z+oEcvOfe{sq#4GTN4<z$$H`^zCn$!qY>z^z$@I(u7tgM!gTv0u$DiN(Wv4edXB2l4
z8G%(oQ3A?{DS)_OQbhV7hhXkt^g|2}5P1k@AJPNRT?Xz5ZhmjY%}YR#^jI7UAe91g
zbxw1xrMbOlxUsDO#cn^J{FG)2WAeFtt5cfUs-YI-4cVS*W}qG9<fvYS##^|xSEvVV
zteRl?HC#VnI2^IQvBl=Y9g;L9iXt{2?l3dmq*5;Bmc+IYAk&64O&JVF92|DIdHWt8
zeEb=mUXSI)Ij&u~z`}f+O7%!J{M7{;4JL(j1n~i-`6lNtX|@L*pWM7pyw@em@{-*z
zB^tlux<v%v_o!9MOt)q!*5+`+=|}$uM~VQ;0{_QRs2_)e{h%b3N`-Q%Sn@r0t>8NK
zILT^hraMOqv;iLk3=@zp#_S;G0mwRH?h&PTnGE;7!FTyyyaWV^6|V1M@GznrD<5gL
z($uudd6xU<XN9|a!bcAjclQ<l?Nf{2-c`K1pm}XE<BcWFT-BhSIQb^vHDT&!(0B`K
zS0QMFRUimpaX#<nF*`HGjhlD*@cIqzKiK3y{?}h&DaBN?PP0*`S+5a>1(XO;oY3nJ
z*grUA^WhG|;TYStSY2M=7e9ZSYgaDNnreLan#9hDt8AL{Hh=kx5EV4(jsFMT!GtJI
zNYfOp_4j7uMFgc3)pCh*Ys;KlTmIhM&W{CSAk7Tp7!qws7z9?iG<LfEv72Ve2*YhK
z+ZY*v?t&a(q=(WYQZ>R(Mx@q=Nj!wzr%E=y1O&+htsF$#pu|>~z=K+VG>QhT4N(g1
zicoO!h)k3!`jdQkWt!!Ynn|K*SIy(MAypo@WhkA2`fE^oB`1fI7Zy1RDiw!9!KYEL
z(x_E&90%96xpilqZm-YbVUK7M)9(-PJP#2bRTmD2BZk8<1>a+FVUAa?Uf|WM7df-C
zfa^Hl?&QjmK@}I2OR45??tDO$DR%a{*p9=-=0gq+x{N1z#OX`;id9h}IJQN-R^iIU
zvs^lVhH|<1Oj;d14GM(<?RJ|B=LgiwzO3Khbgtjr2sgJonL*zm<2r^eS=M1<9m0(v
zC#VX32?(MEtu2&o9qHxr82*tpP%0ln)2<o{ZpP}A=G6toCtHf&uPgrTp2bdI@t~9O
z_m@*jk6U%<l%RY8>aRli{E_AOI=hbNfh;f1Q8|*8?CkBcyLZ6O?g5={kI`sMlq48!
za07=%txBm>q*1FdJ=LT=JI%~=lc{DM*KwX`FYnkkm2!!T=gv^@eO8wj_^<!-*L-yS
z2D^I)WLb7(Ma<W%iI6LF9mk>BsB`VgMXp{xPvv{cZ+|Q(B}_N#{KZe-<jVO)I=k!g
z-XA`8d;LLqckfVTTGq2nf5I?HAdX@4c<l6vsn}iuf&lXE7pw%71tlw&s5in~z*zPT
zqc|U-mg;=kYpRdy+`bEWPhR{cRIfnw%a-G7zkM{r@7Rf*n{6>1jo3fvu(`Fv&fY$U
zogSm{<dH<YR19g>YqV#lnQqn}OVjmjuq+G9vY4J~P%afI_#SZ_Q!W*`zp=%`ojnda
zJqE)eQIwEn`CxaYatFIst*|gZ%e5=#xo~!c`Pmk}|8#3PNgP|SFboL8fc8{HM(r|D
z6j`<Z^?u+vwy(8LhlkzKvy{od1O!nA$x_5hjS-_wt~JW^Hw*ea8=6JKEAyI0(Xi9Y
zGt0HWP<b5dq3oOt!F+B#s#n1I?kxEiacohJpX{s43&ctC=t-X6m^Pm4;QKzl=YFe9
z<w;;Eh3|W;EX@;!f5WR+FLC?sI@dqD#d{xo!tJ~F**`dBG|uv^m6iYg(qfx`_?y4r
zr$2d(<;8h?-^V)184M=`%kc=xQxwWA%PW*T&-2Q0oJ>;)8;sj~usM1bpZgLJ#L-wz
zf-y1q7(j{BTwip&-TESID}VV;K2D(5fW5w8DF`2DPKXsiumGhs2$#WcJqmR`4!&qn
zia(;Wdn_QVRV&o0m3(Bw%oJ12+_KEKXV~4_r+?I!*Kushr6QNkukrJD-r(}Zv(&2<
z9OuQnC6uyJUJ*YiOSxRMDwU$&8;)x9hE?#p&+2nu%x~jM@HH_J7BTs(OriuP$<gGb
zZ@G7mHB^;CP8Na3o4w(dkG57<!L2<JIbI|jizF-M5@%PJ==S>b`a=ez5##X$$F`~0
zDoi!&%(kYE!qLy5u;xS|_`YkV8)ZG$sw%y$OS?+SlqL@SXY+|K0YPqN_~$2NdMt)S
z8?s>}Y7mL|j^VrR`C|)XeIb)_?5KV{NOKfEb!$*Qn_Cd4bmBVtJcFJRCn<59AOfD}
z;X3x0WaK{-j$`9EMarcjbF(edG-VRSOePWINrYu7D&-Qs=b@CmFj1>-#nJj4+oDn|
zm`bUjb`NYHg-=#^W>2w~fFNY-eKxkMXND*>&Wt48u{eh#vC96pPl-LQix|dmFvtgN
zPL&Ly`z`nUac;qD=3A?90qm0(b{!`PJKa9}haHqCTGI`x<r2Q{ooF`ti#VPs=-4(v
zP{>7wwsT@*9eyk*5gf<Db1ktfQJ@qiduA8$A`rx(vREYc1DvdY(H5dI#Lkdd6DbXr
zHt3S2#6$_vMn_q<c8rCA-Xu2(TIYmFGe|OFlIHrN-Z-B(ST4Y|`3$F;OT4YGex;TR
zUL6W8@Tb5j^K><R-;G{>$Y(e2u)eXy?%n}lm}=Ci)hblWC5mBy?|Vn}>fVtP|3{6}
z(?02st<zJCNPn(~lZ4S|LLA3rnPzwYkl}D5Ns^Lf+JHRME-26c>#8gk!9Ig)mN2S~
zQiVJ-Y9eqV9AXraQEF9d<MhT%KHCyc8|Ccugi4SPHjYymPV$1G?nF2k3OhYTe*&o%
zF3jeg7pnzL(f@`PrIrtcHWcP^OY#iJ0kFNh&wu^zzvjIUuhSn4AN9E{6+>oPQ?zHM
zXwOVDJ2TDf%oMGu2F-e%ASk?aPy3U=Xf$DcV>54<J&9OfU+2NYJvzOyiQ_CLGcjU4
zv*r%ZpCFlQV-p@pl9zxAA~9kTganZkOsWk{K??neWViQ}i83+$iKbjY%u(of62mxw
zaV!iX=#BHXmjxF>_h_Kbx7}lw4~3cBf>{2E`yR&RiMnpD&&QwL<kK6sY1Z>{+bD|Y
z4~77Y$72pUT{a)?P_I>J)N4#N>W{h}dPiYl&vo*d>_=^P^1itima@LHTl>p~<4Vi>
z4|1*B-FxeD=l-^OxZCwRz0ou_i)bP$Yh_}cAX$RtCG_JIybL-T91Zr7rAY-61(tzY
z3Lj^DM{@D`6U0svjNQjb7i9(*2@&Iil+eaTVPnL`P|h%wVT9T^6ecMq)k-Rb{K_n4
z@Q%W}m1;i1pzP~MiNkiqFjv#xK6y%c`PRyx&i{SFFeZ1<qbR1^?NRW3{^l>=;p~}Z
z(llc*7_zgs&;DVDPN&Dc^#}9^L$o#&eD5gpUZq~I(x~P27ma$AdaX*WTBcko5r&0)
z<h1Le)N^b%aMCz_uzYfZ&u-ji>*2QQ_WJcnoV*5<QLJHjh+}oZ>SE{;*h7?_V0jU-
z8zV<mGRC)Xl}lu0ILVNHYy4e_#^+Cv&N!h`J;ay|G&ag~FsgvygK;s&1zeCrjM<Me
zX{Qs;1s<O77@Ea=zPRt?HPt20Pzen65T=TT>5^f(oD)XLcNhlcf>X_tg6dg>JM$z?
zlBSHK2*<WrU0&eLSFd2%7K5V(*AKR~*?PG9|Fid=O>$jVmgw5&n!M?48I*$uNRR|*
zB}$^G?tVQz@#f8k7w>;g#7s=LrlY4@qLWC_03d9ks(|t~{mq-#pR?bGlLdklKvV$*
zihyQCWUzoJWG3_8o%?LF*22zS3%kuW1_KYlNKY$@Vz{1%cDsv0A%|iik3u1@|C`St
zpUWbfb>L(&qpV`UG|bVoT|DSk5k~+0k?s{Uk9-NWH=&dgsgw`?ykGQ}OGQkMH;^BR
zdLMN+%(6_B%SDXU${4HVv6(ZGBnf+dB%tq$3V`Dvt^x4D<U_CzqEMee>=+hez#atv
z8z9?;O#zhJMlrXIL1PPOJ+e{!*AEcvhUjAt#qt1&T7!iQSQubsfR%v7TIx)321G>$
zzay0>m9uK>-QyDP9G9r&bvMft+5pEg^b90pYSCoJI)G;g8M<p_=Jd};3}!%$Zn}Mf
zxFCT{CWCURfU$ZN6XOlM_Uc)LVWbxt{Q&*`0IhZxy}paVV2FV?#9%nY?p_;9%WLrc
z0AUzGDh0zZV43E~ULm8`G;%s{9LFB<HjL2@mI2GQU_7R4mP&~@jvu@iKM3Lb0sJ6D
z5QfOunqz<Iwe$F=fA|2WPtG0rX9fVdTo%V?r%=jSI5C;S?0BC0eK&1&dOfAE2%=pu
zJ0L0oGyy^$Kn{cq00S%t#19>zh`=O3Xu-fOu=obqvX9_r8z7Lt?hu3B(INb?zh|O$
zCI@B{;13LeS<^tSoMr3GxS~ek8LMg%y7n+K&m}-W`*WG^zO@x=PPdb>k<aH)t$erA
zvOh2JhCZ6@E?Vs_+MOQSoi5s)K04hV+T9+yy*}I#4K__vL~;DR8{5rza55QflV%z)
zgaARWxEto<9kcecT@ojV;{;J0BZ^}9VF+*NBTXe%*Ehk;c<=2upcFrsy2rLG*kubD
zL$WD5m>w&}rJUUt;57)`P?9$Rs(?`jp#q=+pbQ`fAOm7^H0^z862=OQA%IBNxQ}1Z
z`#A*2K_Ssu@~!%*7J&Q1h^DWv(`+Fl%9AA)ji>NL{~k!_W0tU=%k=z#(Tr(6*mX*h
z6iJdmJ%Y6Hz>FrJgJtOr;QbpljuXU5f;f&5#R;M)Mi4&q4IhLE!U$m$A&T_xCrN^2
z#1R4XN<x~Zk9=)FA8m5kENsght?^sPWVCv_HzJ6Ad*cpvcAFUb0hE#;da?rJ(_-lR
zSX*7=?d>fuP2&|3bX}zKD;4t+Y+*qO3rrTw#D)?UpbW4fU<eb;8891q=~YP(Vkip0
zJb<Jgg0TI#*L{%!gaM>UYPKzlZ+j7s&F_kGCCBBr=M*N(N6A5dJ`h5{Gz?gysd=2}
zn_E4?By?X3*S7T><Z&b>rS!2aj$;h{0Dcf)=#L&lU;mx2MJ3`meqbZFuciA)gVIqj
zI~iNgVw?<eSqJ%C7Jd+6V{;px=RX*1(mqG!Ie=LKtl+vXZZEE3eretFgYX`RZl^Gp
z5iYDE{L!Z{fEgPo8^9iPXY1ffjW1GwXt3W);@p*i5XCs<SH=oFx7sF}su0GXg@ev&
z#QBc(&(8^lA>d>(@XZi$oM;za_4J$CMEeVpwpJO*Wl^n2q^U$IQ^-^zl?qB}S=0TD
zp^I>Sti`n$F%9<%d}Cy@wzjd2g{5T-{Q%>QI_74Mp;*YnFrJT}JXnEcgig1IuWqj3
zi)$-`cHh67r0Oo@fi|#|4v3BYH^(@H-tUVSAg(h+K`jqsO!^7dw)<l0=9W>c<dMl(
zin5kgTRil&VmZ>E3Pze!M~jE`v5JNKsPGNo4!pl){T=dob&zNwy643hmr~ax%v;#r
zZKCfEFg-Pav!_p>SS&oZ6`3TCc+lIy&enRmy15%IZ?#)#qV5CcDm-_1fTv(Q16Sk)
zTvc64;K2oB!vNjr4(ZNki$?F0yN25B6Q}AaRnb{$wGioRQH19N+t!-Cg<KW`Z;18}
zTw{N(NYWIp>tSnW4|f-r(e89{^7ss1zi<xaQsKG1uIIV9zj&LM@7;-fuiun1*?>~(
z=(&5q){jc|90gvy3<4-%DS~lkkHOal5f>Krs9JPH>C!A^$~mHm5+iRP@=&Z2Anxgh
zdVV*oZQE$ntLXJz^!o$swb}^dpRW<w{t?XchFH44ipBe@a0dfq9S0}pW^i(D2Kn6K
zj7<*$rBbLgLZ`Kht2gFx<MyIEaJ{=y%G=;{_jwVdeux(_Kr}jjM^@~w6D2G};@nnG
z9J_qq6oOLm>obb-_94@V47GY;um_Z$-xrgUu`%ALW3SmpyVJw=ZWCen+`kB)3CxUU
zyMsSnzJhOW%_En~;>^i89G{)S*vOmksG-sbvA2h<jTL<M^<Dn*+H$+!4?b53K2KBg
zv0bO5#)}&u*b30YW;%9eUMlfzXQ;|IHpCg*H0;STC~HX+9UMpi8h{Rva0dvtM|H?!
zi6hU1Y}Ucd^dxrnT3BA)z}EI2dVLo`5RP1Le_n04FpSXc^|5q+6*uoJV6WN6>63G~
z_}VL&oESqsceIoM-L;bN+#WA4E#k)Q`C#GxR&QyowIqQXh?52Q^qlBXe~F*h)i^v@
zQHjZ*Kr!(kq?tsDM$uu)+Mwc(@J0R-1V90H1*lxmON)4#YX1pum>H&Npx+<h%D1;M
z^aGqba}wi?I&91O*->6woi4t;F^?~=T*viWcah0t@PB>yKHh)#5+*0c9%;w+OyCrp
z23THR#y|h-$Lga$U283GG;j1h|1wK_iGkVxR$}}_W}h#5fB;EBDkQ^*4fv605Fu|E
zumxaO^FYpK5+h%}9|!B=+$sU3GeD-UC+gy8Z&)H-sP}p<uHU+=+okmy3WXd>#R768
zb(6m~!!L?r^!hFq@2%j^m#^UN(h8)MIDK*sfA_&J@XFa!$Yq@)>t5|=4u3e{?afub
zcKv4hZy#Uwuid)0-1Gd;!YKI?NxFn&rH7x;3HQYh5V(xA9K*__Oh^=n+a8StDJs=0
zQy~k=SqJekWZlU!^IE9EECOcX$XSK^dbR`4$NJ_DhQ1!=DXB0!J&9Vi@?c2#*F>-H
zVt(;HzWnAoKK|2}=(`@?ee3lH-XFDU`Jo}<5r8G2Vr*}%^CzEtqCWfltKrSNYkPZb
z_j;V9|CadSRrsO{^qyaf@ez0l0t5`WDdKVh!w5o2+zU_xkhe`(2Eoi_fQ-pxJTa3f
zy=r3SMw-0)%t9R5QA^t?8;C}e?;wn@y|afP3^6g@K(Ub5eDa@|`nTV$3d0Dkb_a|1
zR`KPP>$o+)h<3M!$?*n0{LL@$)*G*4yitSWI7bp3JklEWhXdZ;TIU-#Zl)i7_C@&Z
zt;Ow~X775>3of%tzmWaa)t@>zfR`gcM(8Re<slpu3n54`8O;Gz`ymyJ8K!&&l(qF{
z?-QY7%?T--1f06w%{t<5bRvObArGY#?k+B)+3LVF4OoVO$^pC&p9hp;G+P~9y?zIu
zeen%G`qP(acY3(=`YZVDuinL5Z@h}>V-rWqo#zyshS(Wpj!*yeMR@hr{oeX^`}QzY
z|1*w~Ph-W~2)jSNQ1YDc5(Nkp(2Zc#6DA~4LfjdOf>dy93nl=|u>sq7QYK-&a$?w;
zVQ7~0&*ErXnTBDYkk3I%iLLED3<g8Jx*o;II(od69#{YXAOJ~3K~($Jc*v&hc^$dZ
zR6gibt!-}O)}1AMb@e*#E-k}#Jsg{8;J3ee2X9|`4Kve|C>_z%oRtL22%g*J^|e*L
zcKt^B+2>#S*KRKCtZsL2?{$JNqELR4ba?^cy#PO9-SIG9rU221YZ4}0HsL{wgVUZ%
zwT@3kOMn~;0GU8$zf^Ge@fuk?D%K&irl~M=!M=agIwBD1AQ3`a4=^h%EG=VYeN#I)
zDTPX@fI>cZv}gSvAPlv0)cnGI{Nd9t@X4RQ!p%ENU}pT{os0P02fx6ZZ@h|`sY&Fr
z&XKjDSw@gy7i-Il{J;M9AJxBq{DpsGezm>1*SqOQ$v;P7`bnaKHAE{uo}X9x6Y=r|
z2s#pR$A{SnnGi=QtBx<SNlG@2$jPRml@=`lm;yhrk>&^ff8a!SvNCmDywfOPjsUtA
z(c8WIvxL1?8}7h^?}zYxU)!@qTE{9)Qq8j(74U}*7|n@i#7TnT&_}1+$L97fmX_CW
zdwvNwZr#PrJBw(wyKtNg&YnJw58i(VZ@%#=rjAXZR4hDOaExjknMR2G9@@<<UR+$j
z*H^E{AN}d;{<WKn8{2#CjgA{!jso>b(hKe)+W4ym2k=q`$O!Rd3QM`n%4MP<GgR9X
z_2xj7hB3fQsOFdoqgwMX?l+brA3!<kXk~Sf9C24mQ&%%6<a21$s>o#>Z0|O4Z+Q)O
zmzHsFWgV{TAx*VhsBPIWOykfuD>EaN5(96Dt?gahzPp6azW4@z{PZ$D`s_09E-pg|
z!s(O8@ed!qj}L$S9?qRPiAKE&Cu1K`&B2I<U37Qu;>NdE@ZbLBGxfhex#ljd?5uYC
z!>^-M{XR|PXNih75v~8#g9CV>C+SbZtr!EeP@a=emg;&&+V|P^BLoa{B2HzI8OHfZ
zCB{ok#SD{eK2)2i1c<wUw+eKw>g=)4G&BpkE;$02rintq#Pmo^I-7M6Mlt3W?xEA`
zV{Ls4N-=tU7n?h~7;k8ixm+#_+qPht=7<^iP=xQ(d!=4`*REHZRMqXd*x74gb9)zS
z>sx4bx`^Whm2wg1&YZ*>7tZ0mx8K0r%oLoA4f7ehX{=JPj1dGw?sj|F-CpC>rJJ~M
z>+bN2EAy?}OS>ylrZ-b1ze!U13jL)O9I=JLv*6{>hWT-5VLE9agGsNHv-Dm$tNwAU
zz-Q;`Y+sy_*6+?saehLHeXF+b!N_Vsxza1Z#D_rjEueTx|J@N{p9Ai?9(MQISl!st
zHObm0ws!W=>kkko2{N{Ydaa6DwTxP&j8d^MG7SB$J;%&Qk`!SW!5jMMyB>P|KH8l=
zyrGXINs!6dsMji(nVQ7ulXIAxnZo2m17r0XYSr?CA>gxS4wd*w{T4PiR`~0yH`KM8
z3+m>=I<IfH*LGUo=birWYsvC@n#yJL{1&k5<7W~az)PJ$9w0$~tqaVA$Yur}8KEDM
z<NCsF4%D$>gt}><)blBGysj`=(yAzq2@(X53;=&iUotcQokw8dxK=^gH`RH@BHA<z
znAt3xjDtqKhRKNr>Qyc6lV8YUb$v^3{)REyogRW9M87{kF6SUK`lf%t2;vcAFiA$-
z^Z>)5W*IVTA%yWp9jA`Z;N01hc>UG0n3<kLv5<e}#Y0vStYRc_$lhRpZl{U8oekW(
ze=olJ?M?6I{7V1MN~g8m8qQ0FPXToeNbl)u^z*~tLI&A~re0=qH7mz6w!j73;$M{<
zT&xxN^zpi?UYb?(=B&cS8A-=VKR9w3SuJc`I0@9=*4`o2i-0qEq;ryefw?%2;SGJQ
zV&V<a>$zxky6ANK=ydyV2i|DV7$S;e$aKUBB7CP>VwuR;HnL6zxm*^-LLRkh8RLyQ
zs+BT|g&c~-0?MTVvROy-<)1ZUqybdaL#MgP_ZRQ-wOdR0{M!}2x4zf+2K}{x=ilyo
z(dBkOybXmlh_s3Rng`%#Ns9Sf$RPWWz(#-o+evVuois!@jzsFk!rSa|zd4|}D5d%^
zqQW4Ab+W<6Sb<T=F%>cl#|j|Q03;)wMO35<_~PkNm#a7ueR#IM$38=Fp9|ioYq#4d
zis24Cbh>@)?zPbBXel6fFvQUJAFvW>6d<N$!pUTi&t*|8=20n^P_I?cs8uo6s3D)r
zJ)5dK?`t9_P)Ud=3VGmp==Zv4w|20-xt6XjFNU}7E_<I}+w3lH^)?B-2;%EWDldbu
zg2BoVKhwb2$KO&0c^Cp?V>u*+x=CV&S)46q`C=uH_sdy6RmpMjL|tXxnpNV$l%jJJ
z3gbnFZ32dA>tM)^YZds)Ye4;79Vm9~xhTQ|n(~^a+A<-GB1CblRZ&vSJ68|!=m}aB
z&KPmZt%sFKY#W&)5X0VA&q<>JqQMUKb~gC#(mlSlu*z3%Z_&nXdl&`7rtkYpJMG|`
zPS3wXq?S{aZh=Gxy_F%fCG*dw-gp%LmNLl0U^L4KO5q?iot`1!`Z0naA-U5h5P{b_
z1UDeGJi@L^n5{9_@{DpeLBVMw8w|+~doU9ByN*|G8pw?Hw?;P2N2Rf)g%h+kZ?X6j
zuAw{-c}Sts7-<qB3_}e4fP3zc-ChfBdkece8_Dwh<>Bq6&B5i{JMPAw+Y|yDfS6ZO
zU6Cvn(Hrany9eQs|7`HLm_Z1DK;d*9f=(GGy=oe`1mJ>_bXEal0PL*AX1&0uWSNQ%
zFjY}}ep2E5gu>ZLh3N`Wt!N>eE9lxJHw6?<Ye(G5YuaDLDrq6Q7a6QYK;)<!<#zY5
zx4VUVE1T-doegzwZI4^+J`KE~8;8M~=Ld_s-SB3A5ZogJ8-m4d941{1eeZdiZ9Xsj
zEoBf3IF&;cWlPZ*nZ~R^e74~5xoV!zXKl=ygt}p{V`#-25~RHlJ41nCB;Z9rb3oYc
z6K1N+6Qu-|TnB|r2ibg+vXwS6wGJ|o3$wTlI1P|p84Vb7y3pSjru(@#Iz7k`608!a
zG(nm~h?9iFD8kSWF&IWX9Q5J4do<|o%1&!1T3+AszrMBZF08h_W-lE2fouxm6%a2b
z5;p<4f>zZ0skr0M3qO;q^i$we8F|bZw)vV6{Jv$-IZJSTs-mhFrd0WOUF9dsuxmMG
zma>3lFewK11_JZj0xNC7J1*Fd36=mAGK@xn)l@~{RD;EA!=UL#78CV6#%e|6i*-=$
z7$`rZJ74)Z?VM{@kEEDCGB5*Rs5FF%`Ur<zcy1e=PMdf3TD-E+;#>Fj)W%K^J$E3&
zAP6AiRuqSut)73cJBaW3VY(bfa?673C7>Q8TzLL)q&o6KWsD!<WeyMlz(i@Lkg@HC
zWOG(2K3mS=VlBt-m$Q7Lk>|{8jqUTtq&V47V!Fa;6d7d)uuVp)bb#F17FgU7ywoCI
zYYS}mi3TA-DOS}S<McSwY?W!M!k8#28Y?m?r5tDSb!19YaH=O@mF6f@nt_#Xz|Q1g
z*;$xY2Ew!<%nV3a-!T|zRJ)KkybS8-NW`pn%9N5|nL^4GGEI<5$w`tRic`di<RFaU
zhcUunh{*3z=yf<8cG6z26E~ZkU}dxEUtiesSGIaV&x^t+R<0qiC&23o^L?psACbC`
zAZ)!10r5k;%mHGfI9;@?>{%hiZ-{V_nU7CZc<RkLS$};><=>c=#$1g>ImcAUfU=hE
zR9S{rgJ)<*T{k3n5wRBmt1W@A*9=@=7r4D8FbKh=tmeL3hTay=T8vW8;6~Zzu}TKx
zl^oTpS*n+_sFsVURH`Uf>L`>Oa0(5WxjKwYd2|%Zf4B1`oWoOoSpq5@9hV}cv5zG5
z5C#MIo(s?OxYr+`)g5rNJCs{ZmshvD)a-cV`+<m)C>5LxA>&S*rrUmyY`6QtraOo?
zgE-xaleA?SaEaNAS$as#;X~QtXR{)5R5-||uU9pMS+s$&X&?gzC59O%5e86jF;D|w
z>F1(dW1}=v0Gs0=<3!G;i+M+VP;&5UImhEC>ni`&oTN*$ie8^m7%ypl$m4{`GbT{V
zG5{@(JzZfqHXs$S+!AmDLOIJ^&N38hf5gs^&>1T1xgpBU0Oed4)f{sr4^#^d%H=W&
zr5Y8=4LHRH>|7mYw#>rHgRDG+m4~o$5M~y_Fh{eIeSZ(Je*@~nkzz>2Bo!l-3NlSe
z$pkWuNTm@}8gd$WDh@prhh94L21(!b;%<K!?zRWv`d&X?-smJd?O`$q(j-k(V4KP%
zLR%@?NfmD^7F$r*M1oBOem8juGsWZZ<Nz6Y2pSNt7^Zj)f+vXCFoCudd{;@_K>>H*
zq4^WM-zTFqQvj?p5aLZk&~I&vU!AJ(*o8?|e($7o&QB^aRbey=j8ay66&@yyma>f3
zrzP4R;p4ju0^`44OzDkj1<M3_0kFI$u-PNDheU2jSZxz8H3h&R5(;E^5Jn8s?830t
zU|Kdz(}HChuuKECZLw{cux<N+ZGpB}Gubc<CL+ZQmJFmRBM2o0Q9{EoK@i3wN>U-E
z0xJoEQUYm8EF*#(Dkb}AnzoZfb;4M7hC$rz55sN{ryZ5bHY?SWsTh(eeNq%EMFC=j
zu>1f40$?k~&tS{;r^1f}$O#8|REmY-N!!l6)2QSxO^y{`b8K@GfDuNr-RyW1o&K;A
z29eRTPcNYpwEqfS3*EMDG;&Dt4bwDFDi&{4v;1x?&%c_f@a*|xOmEIg@yk<EoM<S@
z*?|3&HL@vyLI&E(%>c?d(CgC*zd0k3u^4Vhn5i(<Iz-!jf!2Vy7XZVE5GFt(8Hr30
z%Mj5}cga!(C^gd9C58}yX%KAFfMJ>=VwDLP78DD_DIl355~439hG8UQKS)y7kJyh=
zj$*}9DhZ;Lz^Ne+8v>ya7!uG=C3jNhj#8onNj(^<3z8i~stG@I(?_*qAMe}pQseOf
zl1IhN7;jp(`Che>|Me?pX3qTmuU@YlpK4@<AllsN7C!#+PUX(x+OeHhcgzUzm8@m|
zj1GS401?294K`*h%leG~-ZluYHVQcYtJAV^X;zvSXBa2yifV=LoT#1_QL0<LEsu~&
zAZs%Uj?PBb$RjatE1Vezf<z%nfmnic5CDn^QUP8_Xb<(HGt`EoenbdTAWlJ25demQ
zgk*s@CHR3LHze+Og2EI-VHop7v<!t-D&-(dRGcJ;BoKn(Lnx0Gg-{$z=2WmqL7YHw
ztWu6)Br#Gu0V9S*F?@=E-2{I_8RAKJOn}T}Ez6!D5^pyu<zK({%BhQQzj0>b-M8Kl
zCub)~2!ZvjRyIh@vX#l^#QdV2rZGjSYz+&iBY4#R32G7noUxEktCk~X9aCI1P5ic;
z#l^9_oI5|M%I}|&;>}q_XT}xk&#14=tgFvKKv>)rSnCKl7BEp{lpHMvVF<t>on1!%
z3i!bZPFt~Q5BL25X?sB5C-Ndf5NnV3B-M3}9QnV8sm?;1Jwg}?a)%_MlqgDR2=F49
z*1_ySN*@LVNYf!qYlyxbrnr>?P(QgO$V-4n2S_&45T-RJOnPTxyngBb{>NWc-hca|
zn4CO@LZP6=&x(^M)sBhjndwp-MQ1#3m~?x?_RxqJ1-=Ond(Zc+pRtga71J>;5Q+b6
zn0Tv_<JngyRpWQ((%i*qB~FYfj1?FK=h<J4p>NivNBC+*&ql@yjPnx;l`IZb%Lvk$
zW~{&{X9?349T2Gkq|(;a`&Nd`qxJQX)%D$Nf&XEexVmPP_6GD?ED^C1w~(qf6g3gR
z16&E@Q}|0MbT;@u8R04M=m0V3bfuI#RV`;voSL1Sc>VlYdgc5%GVC10h)I{pN~%<<
zP|VKC%Bmg5!Rea|YrXDZ7%QSSFf%xelg}Zb*VfC)Bn<O>E<?X8X81Sb1%Bn^n99C2
zEA0=?NO5*TQOUsp1mk`j`<cTFfnAqyXItRzj({5iZ_X;bKCMv6@smwLN7x^rTZVq*
z|Dr4U<6TnQ0NvS9*mcSAV~odAoJbX)m4f%AA{Rm20h%$;JgU!q^mz*h2|36Z7FY>H
zLP2nZA%(#G0D3F;rE2j4kK?508voy!nZ}v7UqAlp+n3H)FTQb!8sn2h!hC4^Q@0*1
zlh7z<C}Wbjw6a~>-t7q@+GL0h(p(I<N1WMb9Aq;Mn8qc8=>M%|@%N`1YVN%gs`&rB
zk=nmKC&gTYspNo6;{fiqPXI%In{W0ApDr5s{Jw$Zra(2%_=i^{-aVnSl>HMe?F=HI
zIS?4=*$m=T*h*ncDJl|ihbeK9mXGjrpK*|N>M+DCEaN;t=K<q1gqVgwC78-YQV0R}
z=j-9{40z;awFJLjC}bvHIX#ts<@5|n<<f)9u@9|uV4zqi()qKe;dx%}m2dAluG>G~
z=?~v(wg+x1%o`XY#L;}S=$fOFPJrl*at6OHW%-wLH9q(DaV36nLW*}!C^1*lTD;F3
z7^7NY5CS`W!i`OVZ&nR#bO`kV<JDsd=Oz@UE9xf;4nSv}QkGH6Gb%Yy5OXn~;d5~c
z9)xK2ktNvT7Wz{=PdVBC{sw|HCsK*&tfi*%4jr=$E}Nw6R3RKjq7|ja7Hn&UadIP0
z#11^^j>M&3ieud)FRf|fjN@44nPX%5x#<a!&p!STFH9SDu7>HEIsE-EFHqi!$3Fe$
z-iPhZ0G4I%B|sBLGGWy<2ZZs80s60{EdTPtl$v^bP8uJc)4Yv(Ubje(Vm&}H5U0R;
zSKtqK3|w6oSZxbba*PkpNxU<sFk91^<2kq=KNbYth0B;g-e!yyrKn_K`Y~qi?u!57
zMPgi%6399!f~nS1wB1dVW(t;-I|JYYA^3HJFl$?=H3}+I&avs3FoGCzv#%l*2v;fI
zQ_8$$8vKWpF^}Pi9<cIPQ9?XwJnp-1+As{KQmJO@wJKTG;}7yAOc=I_T4MrlUb=uN
z3X6AF+UGWRd)*|JSNqYq76QKmY&=^hy?~PG7_a0ldM9V|+jDhw?ycj>eE*aZ7iSes
zm7mcDdW2Nz!07sft)9S*4S_3b0$Y6@92br$ygjGz>Xbs!;RC3~)5u~v16X;z(My&t
zMmW``p)%0^Br1NQKjMC~0023bZd;$9R7R9iIZ-GO5qTlCyC8z)+=4r?b-*=q6Bu()
zu8spZ<yg2>$fytU4qmHdd7_?I`KdBgHP39DpdbdeUE)0#adUuy8&GW!Q{pMpP91Rz
zZS0O-^M$TU9vL7~q9R#XnQY$7=1VXRApMfdmoRto0=0UHHGTDdVRN@N)9m?g!wG!|
z^D2hVHfpkMi~;yvF^dn6SNYgmbISbitTZmoD5~X-?i$1?(DDekw+wuA*TDRafExgl
zWyar~m$)<|alFnbI()Es%D(@))6lHL>@h9&KtlT=Mr~lYsm*($whopbfmA>k6XH}K
zw<b!AU!Rd=5DZfol(jH(dt3Y$Hxv_+*+jXh(8tb`iArM*ip42Fy=fTYpE4%DF;V96
z3zMqy-bv}48B?NOV9MKo5PHDrg@pSpL0{Y#;^wAt?tT-6A&GHQAxInNU9|27(5%51
z7LUC16(h%N2w^yeoyqAb?h{~HHkGSmn4LQzF1>a(;|Ig>YqwV3YWMu1vcxuUqW6?%
zQv;aFDB?*0daYpdD;K6@<=x}bcy&_Iv1iO2`$kexs+SVCdxWJufm>Sw^E<j2o~kHZ
zoRN6<xWu^$1;;vwAG-jAr44y<(|YB-bWZ<lmG!pnet_gQ0Dtrd_cS{(^}kbid<cmI
z`T^j_&~um)(}^0Rlw$-51b}j!q990!zR$g0$QCNO+mO>67;Fvz{IHnb-?f_o#KlS$
z@7HqbSH~*q)GNo7cxz6IU!79oWL;4{1KO{*_UAK`6(&J!7(|UhWR(1b{Y2qP>dS3l
zYzJt1&vJeK+IUQWkf}f<42y(e9gw%Ii}tZbjsEesZ;PzOwe{`prTgo9AsKW>=6DzW
ziSFUgrc)U>nK4#$ObHq<=VayG6EgFQlZxtvqsts_K)AInaCObV=l2Y>JVGtUc;~pp
zFHcIGpOl!Y=z-vYgg=BeGUGW5O#HoO89HNtReb1(B}Ydr9|)U(w*vHU1MRN?e+@{(
zzi`}*Q$59ZLqemVi*?&%)N+h>Pbey60NaF7a4_}ly7<riNX#&+2H<>y;?x2LTdnUs
zVR^0qSf@b7I|Tkum8`mWX--YNH7l+6PAED%p-{`~%<*u>6r}%rtgP_iIi{Qqu{$8s
z4UKYdNau$zc9G9}7`}u7^5C{3f-VaW5Fn%9Efk7$`qXLa_Py-+Q;V5?e{i<b_b#<S
z{gmQc7$U-<&ZV{uVbn~*m}zmbl11itoyA;DQO10FV&48RZl5K1zbSBaT_34ho?an2
zKdJEcafx@1OH5aFz47FNd{lGT6&)P4ceSWP>D-8?{+N0$Hw`%BI;cnh{UR`2*V#nH
zT5k$Kkm&d82EeH?##m7yV*-u^nkq8{DZ~;G0wt+X%-WP~4=C+L<UnOhqJDNY4#GY}
zCV`49urmWgy;IGq_ZxY<b9P)EfA56EdnXiKoKYArJ~~4a0R{ni8<ejxdcG1fHD#=I
zsSw6A4HDBZGk2cu>im50$N&*wMF6pq#7fd(?q^}zu=5Q}&z!*Dz5hDpZ8i3%Zx(;o
z>3L+^b}JsDg~N2U3Wg1EHDgnyl!Z~vvn)DH8S{YO<d1<;K$rllZGlf04Sc&UaK9yB
z8o*m~3KxzkT$oart0`1-huHevFUWJ#z{KAH_4k1MaUC2#Cg5OXHLu;w0l8zkUfKBw
z=+6Uj2dn}}1^5wRcOWnbfohI1Sz<WWcOPXX$9QvAQ8fpQ7nrWD8TC(>#4o+3n1L`Z
zD(1U}ow*@_K44b_sq+l_Z6nVYJ~%7K-Z?Jm-4hZg8;o-H;MYB4F-;VeajYbq&Vb6o
zKuIOZGmdHh`gnAJ2t<OE!73q{M#4}BZ>8^dwd#!tymj$4BuQGlzu7yt*Y)~gnBMB}
z$v%3A;3~5eFbvx;VB01rV=!CBL27^>hZpJK_;y|3+M3?2G6is=uJG=0iHkD|vo(eC
zVO4z0oDPo4Yg$;YboR$H$3BFmA4X2gni>v}jOyzCZNyOwH&AE|0XF~`gn9uOFMZ!$
z&M`rgC5B^4WDJI5A|Ff6R&uEJeVQ1Am~bOh!w4=3Di<?2Rm-bO7pB$JFHTB&=eVTP
zV+yqc3a9L6@V`7~s293>wU0*zh#}Y)P*xfRW*qu3o${e&;B$o%j-S3jJ)iB<cQ?wN
z-r&UMPUkm$&tO^0eSYArUosTPNF~cOPKjel#7FSaHwT1|7YtlmGqCFt#)^#hPfNT$
zr7%}lXcP|PkoyqqI?(u~e&l9Hnd1<XL=u`wn41A6f2aR_+=JikW3`iDy#pi)C}tSr
zMMk6WXshd-4V-8w6taxDh7gOpDtm3s7@yx2x%*9;mWmPsY|T`;@WEMGeS1#Qn{x`Y
zRfWP+2(d&7@$Nv#ojwJ_1YM=jgP~sd>H4EH2vHj>^HDI!486W>7aBNhuC%PoepkzQ
z^Nm-XD2yk=c>b+!-w&naov=JNJdot1h*GfQ$y9iOVChFh!<Z;ab&>ewImDwehzJY2
z0xNAo$pKC_6yBMWxG<%VvvK(8xUe);Ha`ng-T=xMbS5~gGu1v1-6{jc43Kz0_gi?>
z#JzSG8{G(5OShftc}5}g=shso)Q^0IX{;bIR%9z@vr)~9+*DbNxdA~C_;_84-<(n6
zwJAk2)x&4ZRO$|3+b3-I1a@2s{a9>6VH*-J{IKxRT`YwyDbs4d-zjyv?R>sAi>K2I
z6c}sN@w?yrLS&sxX?>@AesiZ2g;BDO*z!@HyZ=PdVmFCUcA8<ztwd7V3t;qyS~THc
zgStmUw@V2O;OvCL8#4-%<!9iFn0ejGEx!sB&**uF@eFIk`<WzD1Bz!bFx!}KEn>6V
z#$<_cZbG4yee#l|A#^sGt0@#67H`ce9>)5{27r79s2BK<p7P%zN`burVY5rL?LxFX
z5u}or!L*EF=7kc8dlVi$C<L#@aU890H;;{P?v)$U5tW~6gM*RFI&@-g21Czt-g^CX
zCW)idOKUs7@Pi~#Y^1;$2`u?|>_BNZ0b5<EoVEga!<eESm+W1a4BKR6%%|HdF@)|^
zIhI~8-@jqR0h@Mz0kfbB>+&nw+t4aL&D;78qfDZVJft;_z8c4BcLN=t@XnmX`3Z%R
z!%ytu3DOEfmH{d`-*M}o75lqt{gC+1j^NwdB5Hf&`Y|>cv<4CG0&6dP26=R8k*U3w
z&pQS&PuWhsa`NO^s@EHb{9t)x6(B*xuuZ~PB}-YyuvRzr8avHyo&>pUC=YQh06LE&
zSTQ0uHM5PnY4U|y4ijSqwhI|pjUuDyJY9hF1H!H=&>O9k1PS3pL)RV#Jw=BsHw}#c
zR;#{eCv;cp2#`h|e0LX%D|`6Em2HH>K7M;n;_W$!vEo7e-=7cEh@Z0D68!t?ruy@e
z(b?*Wc`wFS%=ilZ<xRZcQ*_|5M=V<C_XG3p@~&TP?6T|jp^^Y(*q|Q@p6&Z(qydn)
zK<eqeA{hZH0dWdqg;E^Qg+>qlRFJ<i7G*nQO11}RbtD0KVPJS_6}a!?FKZG7AQq5a
zLB>ju@bSexVb_c7oSRfMSz_HmIb@iWvW!=cNen{Z@_hp<ErB~*28tPcuX}ai=QSK4
zI|XE?k1RL<AdD4ncVcX`LbL}GA|=>{o_idX6Z2v4fFBcqw|auFZy5614I^6I6T8D0
z*9iC)1~u_BS8YEi9$kt`p6?C9LJ%h5>~>2GdV7?HJ(x}fBz|!5In`?s{wC172@LK5
z!8Q>0bf9nwFvDPltV}T-5Ao~iu7Ic7ZS(>F03ZNKL_t(0K3}50?+#I869)1oVR&i<
zxZi)&TZ+N1k*eFBAsV-~MWdWW<+o>3Ln_c=l}P|SLwI{mffZrBEwI%S_|uYsFaiGQ
zHO(<U)N|5ka&DFM&qoB;3vqjCn{O@c!u3LA8PpsQ_6CG<mY=HQ^eout$L#ir|9xJl
z&+i%0YMTbbh}IKUm!(R-K`;JUn&CVR9vvWFyfrki9Y$z&`~Cjj_C~(Bd(5s)I>=gC
zec!OsEa$ilc*}aA)xG}x0NMA@fF>CT5~#DFOUDF~P!xJYIt2*o4wc&*!c<i%fX=L<
z<9C3q?|Wm**ptXD3_?sqDK4#bS#EZPI9_K|a*XUD?@7l3rpk=Lq%P1U0~=j!8E|@B
zpp;c8XZ32y;lMc5qQGOIWCE3j=yY1RwY0@|mYbm$#61?k-Ca?w<T#tP0aIv|7V9~4
zQub>OF9PrOiLb5;b@{%L+}IH9_E0Q_DSyL4-9c~Vr8rvc<1yonzO<Zbi3H6~RCDD<
z#m;AJ%c<5UDPJt>08xoPPPq%f*1rO~pXi^%9UvWyR=0n+m&h;#qnKe790l88G6d|l
zM`QhvCIv*1hz-tAA7O8Zhwrp#T*2bNFsQ)bH!2RM#!E2r88*sU-HkachyYXY1Ip~;
zo<PSZ<ZVsWEgj~0opIg4a>hp5yU&(IWa1-ox3RD=kAL~YSA6BxTGRF7D`BFxn;uoX
zh>As<DW3u5?57Fj!(qSXSnCM>k9kx5@vfQN*ffKkzF3G-{-24YkCG@{K|J{Wb$h|_
zxcQ$_PBCi;Q7Yy#1pzs3T6Sq>dYY=03K0=V`arOyv&QZxK<}2`8<PHL!S2zYktu+j
z&2UU6#{!uIJCUdeLeUV&N+w4LVNj;#D65i%RWlK18CXpbcS2#+^GrCI&7f+V>|`w1
z(^YL#aF|+T-}>1cG4v!8HoAmCNQkA@sG2J4;K8G8qJIdxq>FQ_II=xBY!NfUNKAU*
zc6oJqp09p;EBfTC`R?LM^KO)=Ps4=P`+>+whHV<Km|>Zw{#-|Mp&$6ZKO3adE%B~T
zywVc<&8i_kUNEEU8=|$_7Yn@rm*bTGkOH^SU-j^kFbVhZ_yKvQNXif~F*(hyf0hhu
z;?>hrG}$PVFf$OTtAnF+4RG%Qapw^k<40at07Zw<C<4dIiYhr6{gCo*K$BA9yj0>O
zNEDcuAj}YHJ_KB)oVra+4v1|x6b)0LbZ$b?c=73|wnU?0BWq`-IMtcN3khc@6vj&j
z>}rvrZ*F1fU8+nK2aBv9LU;eRHn;dcKKhgT{OcQ?duw}l+I{abgFk}edqf;cCNu|B
z+jFUuNI(#%oCR|BV|?GA5{U!`Az@)x@b7P!>JRf~bZ46e&4IWRr2Nlu!hc9(br0@+
z7cZe4>Ei<=8dne;4P)uJ!{|glo2gDul#D{oF|zp*GCUx3u7LWtbb+28ZmZcG4X_Fs
zrfLq9wP8qwoNZF2VDqtDhHHjEM#0FDiK4Vc)hbkL0-`DvXH!XqK}55T#g!9vB`P^4
z#{%p_&PDbEgh;P!_%Y$;mVh4<PL3(m^SYJ##K}6dK2{Rx;4rf~SoRC{1KzPo67itd
z!rg_t>OVgIBEEKOaiiTIe&G+3FE|$0A^crtD~wW-ZJ#nx0z)#HNh(Y=($P}-<w!h5
zyLx|(Cr-7D>Q+zi?QMatSB&_xCBwb3CAQiFG4DonIZ64W6nq=*vWu6f?synKvSQU?
zB#i_P*~DCSGNuy*ekn>+Zf5!z)v_U>a}6|D(%C~jole~TjakV9r|L|n##l_0*vMLx
z875ToB08BWafyj85{t7!;21M(2owmI&RQsCY?zh-W30$j%0A`bkTl0TNC@|udM;AR
z0*(#TayWptmU__I*7X-_&qAy8-FfZ+81&m%UAoEFzrC9L`I|f5(%SCbC`$j;kNGQj
z{Wjw50GX`E!tMgxCWz1tsk+^x;!0a!Z$M;@ROX$71ok7q0D3;KxGV6*Jp;eLVX9A;
zjKNw<Y`Oui#!UYrnLkb<tiruFz)Kn&z>fw980bidA_>zF1Xu%aI7UEea;zfqqAx7(
z4vcV<kh-9!+)EQQ(ucA^V@0NVo<-h)$l7e#1{F&VkJSo1Q_JzOY994MhASD9GYqb!
zjA?=>rKy&&Jyu~VJNl?~*cB8l<_35%VY#I<h#(yxvsH!a6SrF#;6w+A4E1r-$O49?
zEewQ-A3JiXG(i%2*xFdZmtTFw-+X(!cjx}r!uodq%UGtLsIGkvSdIathz9{eF@$Zq
zi4?&gg5d@t?f4WABVx%g{g{kFNbH5$wjqd#;*^l=XPHsa9ZMjHwVY6ANZ1<?uXhCB
z*%s>Rn!#7r4e!fkV|!soEDa*Q7Aaf~W%_5;5{rnJJiLU*s)zC9CEcVbnasXnf#X<C
z2~sto!VH3KvrM~GFg&7k0ODs~+}tmki;lJ#xNuC->oZE6n@}`YW22VmoMWK^!eo+)
z**L*OkWk(Y$plDD7J*U@l(U|G!aNA|Zjm4B<CbFqXD1kA#RE2GSZZE*;(gc6%RHP(
z9v!(!=)r5R;r8tt{6GHfGXMGN(sH}!|9%)Ie@w&VK9a=&zE=SI3XvId*6Iq-iU4h<
z3dtaZz1k6l`5nWV-!bHJTX4rC8iYhaOo&rLs(@4xq7?8VLfa#3bOjc61-@A|_&?@N
z`Nw%ve!Xg>i+f_L?TIhKgg;W?Kc=bt2F7p~{zizGtRR0B4v>I10tDEKa%bn`B>iTu
z+09<RweXs9jbk_!S$;h<CbNo)=IG4(l*Qrx7pr4wS<ZSMggVnO(sG|$eYRFxWNmaQ
zztt1<y#b@=lhGZL=!b-1OmuTwAe&*>hNhuf#=$em!-|I`hmp4#gOCu!4^%`B22S-x
z!Ty{`rFvyuB_qLx;&<**09a}F*luT+=WpG{m2YqRcb3-o7FPCdNfzHAj&5U!9{%!X
zOo66{ZZk+R(@aZtD@hR!0@2^-(_Y@fv1*?4>s=I@E)}OLDqGFLE@jy$WI&e5L<FQ-
zPYeA}q%9BeMpyU?JHp-Sk?Td|Mk($o#uqZB>p;8+ccXKNPveEhK~JbEPNN+Q_J0h9
z@o;{5&*`+0-`tXgw`U{gKb=d&nK4c1KWdFA#{$NSj8ax%wh9C>M3@kT2@s`3n_a@S
z4FfA}!p%(qZ^X1KIqHG`$DzOgv))+TFLIyie@TXVCe)L<^&RX0;~(lxU(<OIAS#WK
z_${n1FX6xc+ZXEcl{?L?z5eHt=`$qhJslh?KbD>quo1%@+m36c&!FfI6vk46XI&rX
zloBUhA9FXi#H1ip1tCWSgLEewiW!Qbl%!BGI$=s%eINI{5KF1zC01fhO1TY09k?4W
zG{5|5aPShYzcxrPw$L@D*&A9D-hjF9;&kk*@uERa5D9a-%2dfQIp(u7{`SAo%@KPr
zpJA#$r~{bxMV)tCLOI9Ctr+;zl7Y33z_m34rU1@OD2x}ikH?b&WuK$&$66Gj9}uz@
zP<C`yIW#!coxLE{N3Q)$!U>R{g))m!Qli&w@yh)Le0AkU_|1)bz3U4bi*cHM38}6^
zggd~-lQv=*fCQQzI!zD2HZbOdrP6W;-Wfz<y)zWE1fED0*CbP3Dp;ckC4d!y5`%bX
zn%pIbtyto|lynbKd=H`Dd>Oq54~oNFdIo%@j7BI-xhp_}SW?9eP+so{tLedXEKuGC
z9jGmO1fWrYU&-lCSU({2e8Ngwpgq*8AC;W`ohJpXRGQmxuPN~FcT8;d2(vXU+;DnK
zp`3f#cd15O2P5T@)B~)N_WbbMxVx}`|Mo8*sek|MT6<-4?^b{4f59m}RqWp#ePbW?
z#^n9_1g6zy5^I9xyZ~QK6<?N$KL;D1L#fZf{AYkZ1=Jq|@y87QoTa*&Dq|ip-Gm?Z
z9`YXio5W#mV+N4ITk0g<)X=ZwWRQqb5UHp&z)3$gkJ%=wgMgfqV~QusOw}ACXM>)F
z`S&<HT(eA;8L?DodRqD8#)d99zgjU6OW=52(^CtX??k5e|Gj)jNpYh~xVA2^+!9D7
zP|q`_%FnpQ!D@8eY69s{XAm<7pQd@E8Q}W06?OT_&E(ph^>&o1>oQKS$T(hx|I}xF
zeVx#JAh{FcffyD+>x|hz(Et(w3{zk?O#enR#FOxp2cdydnL=QY*aFi|3W}qc&5f=o
zFSjYT(<dHA1jhnpZIER=o2%24K+u+I^@0w9VWf>Tmzr8nSMjKooY4XG@K_>BfS#{y
z4Ss*a#K#LJR@(yA9PsPYnu1%+9|iA%zw2;?d)QoCz(<$w@Ml-<r?>C7;`Sh3lqvsf
zs^YKV#cg2tyw=4T7$~5f0^M}<I)Aen;z@X#gOEP+_Sd>G&`0)+Yh;k_rsVGoFx+#^
zlRaNm-B1;WvC3_Bl{HpWT+J~G4k%|cWv!9b@)4-8@89T}R?3JHg~eTk^{(ceuXP9t
zBh|z{X%!Gti(G46EW)0vfA`j=ft~)yD^M`@286W^!8Qqk_<)LvKk~700z_RP830`Y
z^Z^<YY(;DfG9^%i$dr<z>|=oaHtJC?{*7vu|AT|z8B1v}(p<tqcA3mAK&%MDUXnuW
zxs;vX5!suY!oJrs<c>=S5|C0v=EyweshE3Dz#!6GiCvel-W6ziI-9Jt1a52!Tw52o
zvn_Ca!@%WbUD$uTU|?a_fFP|aRdV!QwA>chbxE(pIJ*7(?6sBdE*L_gl2v4z3cCXm
zZa{`)QB5SW!Zi1kpX&ndOXoZOqTyKs1b~|&aR-P>U5K=;$aI60(#}u>n?3ScLow(F
z7!D&!h7pN=K%(X8PEl(>+#YHdSU32-M_>HFl5F(g|G&L2f0E-m()%)BU0r=lPtS?_
zAV`WJb%iB+cf)Hr6tNpVHthd(!&=F^vO<<9E#)OCfB*=Bm;nZZx%=*}yWV^0A8ML}
zBuXOY05KH4hz|UMi0Y~8tjw4B<@bHQlkn`PG(cPc{fO|SU!6T39w>AphOvi)$VOFK
z<r>IJLaqsM4vf;72@TM$0pB=h@%pmh;=G{d0sWXT%?VZr+EC>_%av&L@w#*Z#X`+M
z$W=gEf{bOiFf>;f@`xyrz$vU+EKu}c7XSIbNSx%<f`O|ZnqI^Ab;lT5(w5HEe7@53
z<c-j`HyQz63mjQ;9r7B!P^S*F(y}-=XPw1{aI01g>6(F{831+vu&m*#RqK2~NtP6Z
z?z9q|{<jUrgZ;y|z6;zuZ*hIe;=;TI6R<n3cF?o3Dz6k*{Hso*nzgL7Eb4w0h}$E=
z`x^=m_840u!h8t)#~T{|?ux-%=PZ_vsmU-4@No*+8nAq@sr3K4?c{g1_+XIo!zjah
z0{x@17vKMq_64tS3OLDTtOYhQOp)bN^nk0IsH2_2-zZAi9VE2Fge`zqN=x;choBRR
zx7woM!aUa(n>LuM!EJcr)_pj2&vNL2J-6zDeNliARVwG*DPgl;l}^KyP;&*>mn^=2
z)!^+5l?xOA?2ZNfL*Zv_09Og-YQSns&}meGIrC3nY7o?+K=UY7=tscqrwnZ?Rl^&)
zI=t7OkF5I{W~_sD4HT|eB7)PK5)-iU$v$fP0F|11Sg2E(-`GI3HpJJ!Z{w`tG`*3k
zj523yV5bS<hD)|CaOSkwj!Rgod9+&h<Xpp()xecS$H5#kwFsyK2$;kHNbzCU>Dh%S
zLiGbPhZf1M5-ik#YfBd2z5Ka7+I(1*OF*T?o9ik#tb9(CoSiM64ZvJibCoB3!tE`E
zJ6nu<+m&|j_pTazuM&91`S#I7BW9SDjgyRIYe4eB6J>sM$H_n1;%-02!)eCviIhJo
z`_achH^bMMIr}o=G{<>WMj0amFa%~Y7gqz+(Jno;SSECClFB)Uc*SvKfr;7zG>t{W
zSOmtx1IUBG14#`)3!nyox~s$uT}U$!ny(91T0(D~v-tKUi|<{nBsBfso9I^(onP(+
zJmZA<mG%}qB^V`Dnf74s^VV@zR!db4A4dw5nM!&q5PE&3;z#vk1Wdeqe^=G^Nhm9v
zJ{H<kW{nNRj|ZrN<W(kl0XTs}`txFBQMOBjDne-nP_k`}U1#89Cb|Vn?;C6X)d+qK
z!M}p=0j%5u^A;23M8ZTA);;mhw;}IbF!=kMn*Q#lp}%>pQe<ClRizK}@i*(3s<Ti#
z6s#T&4LACXjUJ;H5i(6!tPAGC>i-_~db5lexPsM|P^$(Wr*Nh@1%<^*ZqOj6o(<+l
z$c6^5W*096FT$U-^4Uh_01XAO09lE_Mh4)s9p-1Iy)N)(fCXuJwp_66E^AODaDYZl
zY||HM_*Rx%f@=$co9C-?=d~sIopS1=;3^zyWC;o_*cpn%Iq;~*GRa8t5~zEMv@tl>
zuI#6ey!uN(D*%PdLPQ3GgnTAizPHPDBH}zpKgx-8{pvd6jXqvwl2gZNXAlC;2dGg8
zwO|o07U59~ie1#|Krz+$-R=wl*BfZi1;x0@%zq7{9|-V+x{vR#w&eO-=k3xD-ZYIL
zzG>Y5{HCGrUNL;RBWMMu!zP|#l2x;m`@4)gJId~k*d_(cI3?SivP1>2SO?A3gcKid
zzQa_hs;oAJ=4zlQCza$BWSUlT!*ycn+S>f^RVF!ooJIywz)FD7n{z$2EbK06!6E}K
z#qa@ZOXE!eHFnxJhMpslHntQ239C@Vb{M!A)^L3;khki-yjJt%LZ>c`%L`)PTru?R
zi<Vzovb5R~`tz%>M}s-swu^H}KO))av)tWcto1mVX4K0xM!BY_G~^|@oYU56w?hQl
z!nv|2G#?%Y$`LXN5zq`k^(vFlFd-ITk%&V8NDFl19Hhf5>qwsT@G6s>8crcVRszg5
zR~6xHIQUNtyr~S$5g~Bc62M|bthFjpN(LYdNjXD;I09NFQ47RqH9cuwTeNepuh_<$
zt5Un#v3#yAwA8Se3qkc$)`BWb#nD<nAo<n0vUj(YdE6&^FrmFcg!hb*dkoqvN-T~+
zfB#^Q-_DKG*&b5;zkf^fTjzvAuM&<v3J6seT5St{_zlgSx^)3JG?uULPWXSM8Y_<P
z{G)a+XJ5)j;uVgBlME07;GkVwg3x!Gq5SoHh#xe3d!z0n3|(<t7e)k>7T{b{sVyeP
zU}VG&iO5l~=UfM^(1W|u0$*D)^yZ4Co9Bft&0Creg--g6F~h9gnrp}?A?!^En|;Fl
zJypE7uBH$6X>>59-Xx<3M&ws8xQmjWiZ4rrMNJD8(~Q3%7OP85sat`2ZBeLGmm{&6
zXKn3<54yf20IV8Bh5#%$TNE;g(!%!Q%wyfTv5tZ69nnSj75)THGC&-(uht>zx>EFC
zT7mr4+vn}-&2u(<=YmnIZ6RMlX$!<Ts27p5HRRSHq987?;4o+|lwi4K-OC-}l~#4G
zXw@oiRP97~P=6dV5rcy%;nt>-TTdCcwpccM9FJ3MPIKHV4Sr+D-bX20K+#8vwDdUf
ztou*e&~9ANe_ih~{o^fXWqU}ifB2T+o98Vxj^Sf6%OvO8f*;=0yx6p^Vu3(i-yYHb
zOiDWMi2O*0a_49+!mseBaDqR%#Q=s@LZ7aCE^aP2<i<M}jQcm&Er08h!Rnll!yqe%
z)9;AXlfJ0#l>9iahIE~J)k?jxV9^f0m|AjDn5mQ(8i+Drl#=u!l1E*(zkRCo-EEHU
zY;$jKOq(ot0Fv9K*#8IRZea2t#cW_VMpgh37OrY-yt#u3nMqFX7@>=cO*E{)du`d$
zVx!_+9W|5GebDtq0h3ju#1MlzuHuHP$cb_qkHmA~*aw&_?Y$Z(o*YiDi&bClfYr@L
zNZ(ng+jri+U>E<}H#L9%nx#%%;HgT~fez^#H5Zr<f%9#_)rIPFsWV$_s@ki^nNa^Z
z%v8#UG4Sa=<2M^he)5rPfA)#W@9uECHRAPYhX0cm{4Y%QU2XM8Al}1ZEx{l1qQuk|
z3#ZfvqG+rI^+Hp)H|E+nh2Lp_=4yv~F~_*$GYzq&Ca4_>YfGG$s7-S^pOn-Q<^+x#
zqj1vdHS`L{#mQw57XiSlHP@b7Y9PEgFMM@D=-k}zIvNo^b38)Be{qeMXB7jZoG{KH
z!-(YRkmSKW%l#dd{B~3IpY*9)8tiL}`^L(<u;#v=O!k28pAsw(4A!PO5QAPbu0zeP
zg&8NTE!5@ZCR$eDzqx8@xgq2^$IB#F7cCqGPPBFvJM&7RRddN3#E6E%F52z8Fy2#4
zx2O1Qyz~l3!O3M1ud~F&?<_Ut&FhPD`HdAj_s+$tv^cSA91~V5iu=Qg`71xZ>)M}w
z;^<pXRIz?QI|mWJpOo|qW9gs8;9Xs)HAJKSVaf944!^lmSdY6zYAgi5&=l@XxIRfa
zXxD}24(ByT5`s7c5#Tw3rKZqALn!pXAozorR>v7HLLd-Tzz?S=rs>hI^a>}JK|~k?
zPZ7Mp6%{xj^%aK3@0>AmV49H(W0LJ5%Yy@w`@1Un?IsU4`#i`shNY3mrI8P<rn|7^
zr-&bS@%$Yj0lE>!h>P|$1EP9AQZmliTEX>&hMKbm!CU7oR$50>e|ctul0r{Vb1fVO
zDVAoMqv<O6y@-lYOpYa=5nfqGLaz?*N5lyp(n+j{u>w;VvZaOC=QL?LNeHU0)F=TS
zbs6{fSZ+Uc?4ur;Uc`EwV1Jn4R$9tk5qx4THm#8!fDvN#dn$%Uxcn&Z7W2WozGH_)
zNyXD4mH+gS^XB%5yuuj%&LvZk9FLj9TY(%}R|_?LU}ZxVfB8`T)g<K(TW3yu)ix+T
zK!V-lUFk0qCl?^>Xow`Gk$9S+j51hbaj3m?`k47xWEv7>m9Et|h3t+<9`%&{WRKI^
zPkFf6=V4OPu+Z|@7~Hb3cTp4%kUZ_;L?_Za35M9rJ2$KXh5aeaC?c_fa<L&DYZ1P4
z(c=7^rJ8s2lFM^Ii;c>dNL3yoVU*J)&w+O^AsHud9ADYoy<CHr9-!O(S{dA&Hcsvg
z!tDkWFZnK3i0IN{6Z7A`Wcc?F>8FK4SCj9jL&oh*g<q{J`SBgc{_KIHZ*8h#{ebqm
z5#LTqylV~p#EAX5(e@53Zz9GR7?n7UA5I#U5_)~ob_6D^4R~*?=7$M2>Yh+NIG&d9
z3~I(Yt^>;rp{6gYpQz?Ap^jzh5G&8Z8z31@@G3yQG)^vqDCB_YW+ip|5f#1Y^L=mU
znB=`@F;hUyH4tTlsDQ*d$tWQlOo+C}WFGe@TRTwE$Gbe*AJf<h#v-&?TDfZtK8CXQ
zF$fNTdm5)cdEQFV$F^>~RyrW=M`Zi41X`4I8q%?X&|C&C&ReQ`M;F}loWqZ@6uJV}
zMKDUuic%cx4k;WY;(C_TV)<IFG;R+CXRx^g@f1WW_(nlI1}s4=V^$s$1jH6l7F1Z|
z%79G?E;OdKvRXsiD)2R32|l?1iN-0K&F!>scS<8ge+p+9S3(R8U*MfofE)(L!KB(l
zU+c20b=hq78QmB>NhvD~b&~>*M=?Gw4IZ+Q4XbF+YBPk93C86FSbG7%@eCpw>xTIV
zjFg4-{)FP6-dEq-9aAkYHR-Fs)kS-3wm>x}5q#^Sq0ke)vcUD9+;c8uyUa;RO)A~j
zm9ZZha1V}CheZhD5a0lS3t<-w_w!ep7+5MR`F^*AXA_8;Kxz{-FowYx>G|Own67?J
zaDs>QUJm%Z((-||YBJ3!+ZmI$Hz9R#UY^_e>5pNWLmqco)((_;uuo=fpOa7bX}mS!
zXb@4B8Vp^+E=V33i;qo?HN^fVaPNy0(qACfazr>l<AzvA++j>IO4v6RW-d@mRuEbN
zt}Iw;2D9zQ=f_OT*kPf%XUJ3HjS^~m3hw5B8@&kav_Qie+jAY%J;#KOl29=M#pEi6
z#|)RqDgY3Hu~rIWQCN$jG?HYRCWXc%*O*whHgak*Alw+2z!Z=PKw}KnW^98q9W*D&
zZqk@;Po4QU`b=_=mo#{Ez@62m)Y>&cD>#|^v_B^K@m)v%+lI;yrWB77+8w8OI8Cu$
zihV4?yB2o9LL&oA5SJ0)C3sm#d=VyS;GSiqP&VyOX!Og6>TkMJx}24U@)CGs)xvKa
z?=p@8S^@CJs!-r+zP2Q_pMI=5cea(+i|AZwByaejW+1BJ!KwM;_^wsHBIP?!N(lpi
zF=TTCookq^gqfzKM+wSt24jS6X;6R=1GMi5)<y7%A^Q>LuWw`cD8U(L8K1DK2?~Z8
zGV!Cdpi7_bvo~Lt;KqujrDoM-IWD(qnpczWTTeL|r?it4c%Uu4Z?(M#k;hQwfgWze
zcxfNZT8;=^v@RMLSB9ywqm)8pm1zc8wt@yxWlJzu6Zl8Wyy}oayvRaLUnp?kBn9eo
zA;LjK%i02=FShPM>Yh-|19=X}cPzUKJafyn7E&14T$9a9NR&e+DPfWk#f4Q_Nm3Y;
zX@TA}qYH6{<)ox`QqTj;UD?1m>7He7*opIF3&L0l-5JD~zq8HDp)U*n;X2Wkg-QtF
zsQVE!2o5d8EMkGIThNCV<~<m@jyQ^eZjQ6?FeY0OS{K(KsuV%qkI{c`UHzaRAxt$W
zE-ZcPVrAcO957eq+Lc91|KJJ#?dt}Gt_G<}foD{FMW917Q{qF{UjP6B)`CSq#sXR(
zr2&c(lxw0<3fUd8_qa!$yF2`i$6d8*BKdZ%>7Fs}zo6N?jVX5i3{~f)#mN)M2WD#O
z{9r<~n3VL*rvqMn)a78cW!;M%fvb*p7O6R)^Yg-&7Ob<;V}F{00UIG!BcOYhgqVxU
zt?9Z!UCbzP>?D=$e`fUn012N-L_t)Bv21D{Rz=Wo6-Zl)PWX8yIg<WXwO3DbHK8LM
z3F!C!1yD6hv<1c~XnQ0$*QQ!45PzYL&Z8dN{Rz!Y5=sX#6XxbM#@)(a@$5Vw0H?B(
zJ~Aj<iCg1<6t0CH7F{L2%W#%kLhbN)0a8}Cm#o0u9`SrPCIRRP9O<E0D1pHlYc~!p
z%1#1@rUDuRC`K7CjT34Yrt&<W4?)e~XaRDXnCXf&e8EZ+cx~CzrH*jjuh!~^DJ@TP
z3Pfldeyxvu^7|SDFFj5}w7~+SOoa=+5G}e&8il5|Qqs7xAk+yf?Wd#8MMOZp1Ijfy
zPx`7pNl7clzJMmy&87jg2ut_KCufbEXMtgkLZ$HBX{Mp48Py9*UTMiQ7GB_i{KGki
z!!Jjm%y#D;Rh7=o0JPKu&4nP(1($}ry%D$L97eHh7or9T7h<G?Go>|rYN{qi%`-uA
zBjijny5=yJuXZZ-sqX;p5sN#;K+O{vL$W(!i3^maW=;)h$5C4*8J<y-$;6^?Qg~h@
zggy~xla!aoDcVU%WG&FCSF%FSVY~jq;X1%vSb4kcj9I1`Cxt<jYf1z-KsuOw)!*@X
zaC)*oMcrD`X)dmplyo(4F+U%Q3S6kUuwtVE&;OtmS8ptBQMu5Tgo7ys!<bSlcxcm3
z7Z?c6UjN+!Nr9r4f}C+KRK_`nrGb}gxZ03cb1S1D*AX~e-MW`0P(I5j3~KnG(hzn=
zgmFeilp&9D9y@FvnPk-es=w>=;1qSSCIUTIz-QlK>M)}|NvU2M)Gi%nlH(facrGZ{
zq(0r}+Rm7#R_GHra)6?v&)!*NhN*?F74U;t2tCD=#2GD)Q)&-l;#`9k8`XiE==4^S
zkBcY=1_@J?!*nColN3EBxmU)c{jd7FJr7P(I8K0xMty;a;8@G<B;^GnG#8uTx(BLx
zNAJ!MfdUs4WyE)P*gcr=m|@q9K^FxQ;B3{p&p?1_iM*LXnUMw+NkO$t!-;ZoOG94Z
zfnD|4;uYZ~EV<&Gs2>saA~sJ4T=Zk!5sTlJ$?#0k?oVHvHx0D-JW@>7S~?G4J}Jr7
z7S8!Oq51G=H8oLHZj4is`+Ld^A{uFny<B4i$MjK-;#2v1UKlD3V_V~xE$tD@q|n@%
zW|%vevWjz3i*-2>CCAgiG$ZVc89O5?AN4rxMYIXA@0ZDN=d1p1&x02rUOm;wMpF(t
zVgyYH*P<Lv2!#s`;rihU>hpGI_^^XAN=P0aDBF)QO$zG88G10-h8~Vj^RIdV5MZQ{
z4pLid53J=Z*A(O>)F>gRH00J?u*2Y4CV3f3uG#K?KPI`qr)2FwB~J#_8zl6Qz#o*!
zVDGE_hR=r=rtWUsP_x5B2$y+@OUBX?KujdO&;YfL*ykT6geN_sVM56$L3fnWE);Db
z9}G|9@AwKJ$cDzMPQs4tF)%7Ex8j_dyA$%p3AvrRP^%`#R!uo6SOK;MEWh|v+1p!c
zxI3n`X^Oj6^j(vVdSCVTdmg;F+nG;F8!nHHhRqG;0fdD`V1@jKC*-?F>+|<x!h?Or
z&WNYoDenzq-URGA^0V6R{X$q2gWM+d0X$AiOKw(z`w_c^Cf9exQB3R~W)eOHbJRZv
zV}Viw;|#JjWcg@|?YnDE`RP9IPEz_H&2dX-{0RD0oA-}Fko1iW=QTqn0xqMRR-&9b
znP##U)Tx77fjrllWPeQZ;ifW=4tUg^(vwMs#~@xu-v7E}kY_NlCTM4h)SifptRToV
zg*#)ejS}`-0jL?sXG6soiBbcT3|K#4`Pl<yfBwKJKi*M!cgkydiGR*Z`#$1H_pIr4
zy~x`r05k?!U)OLal8}=eiy{z5@daa4+fz_U4qk2vHT*xVL|B^YRv$!_<#R8lywKDK
zq>n<*)I<1^sQk@G8{-0)qV-zoI#fHDpd7}OYlExp8n=rQ!RxD)YD(x;a;-DF?c>Z%
zW}BR|-T%S>g(hSgk`^SR1UQ%wt#!G4?~#f=+2g_fgm$BhJ`~vdn8w?Otll$)ub^U`
z2z0BEKvE{RM?^`SV_}d`dv8oM&cF@7+SUG3HFcB&PX~nCn~YyPRQPnCwqlK6Xf3y)
z$^+!%Gxso_3y1n!3K&>YC^Wp?F}L=n6lw#K>VStshAw6Y_@f4hnXNhJgnnFgs2=wi
zcXwERy{_!fKXvTSK2iA1V-;=md25v7c2>&&E;RjLUFda`TN9iyq9X8OGsp}E*h(?F
zx~J=T7Qr=f!OgU=X_WGXq{IRfHF}Zp&b2GosL-p<CIX-^kT@gR857p_iEcmTWN%FU
zamMS`+D9n$4iY|Ve5~iiOn)oNYZnXUv)j|82Qig#PB$DzXP9#R;=FY_p>R-%LWooO
zyvrdMu2R!@#uRm?-Z;|~vjT{%^ps0Ol$Ai76UHep&d7`s()$z2p7eRTHRO1EgmjwG
z0W%&k@R8McPm_L(`0*FXwVnxll}*9Q1vm6NPGGLoT>hr-+P`hq@Xh(qUOwNJ)*H(f
z*B1pB=Pfq_kOk0>$v)g;yWVAa+#}u{(@rm<-;6T)rM32F7@D=eEE|A}HH0(|-@C?8
z-)YzJ-Nm~7Ug*gcS0Qv5-k~IrI0R7&)>E*K15qrWWfVmaR{=y2W2)Vc!VqZ#Dh;@_
zphAPS0kpsxi(G`JrNKdz(neh1NtDTx)Y7H{*>a59%cvM&v=QSBuikzY8Dxga1vkOI
zPFBX#`NlLe3gb+sPY3E?dnl{Jm|FW2sb8F@pb@|ofed0Q9_~~0xX01Xh^CVaYgXvj
zAo>tm?E&jw@6zfIu$3Y~3ionqfovS9Nt{w7;H#xUOGE+y3?fzxa@o%2PEd!l6QIh_
zo>RRsjR8snDJ-Pa)tRHT5M#&+NE1oHB&n+~CEy@8^u!w3fXEY+*{)8hud(&D$l@;p
zL4g1;IydStyy&n#FW{?nAFsD-_(t8s)xei!#i$ct3xn}A!_z3^wP}WXX>K3F(k6%x
zFm)%uy|3c|{ma0`+~o#HwOly!0<^R>4G@PA_+a=T@?3_;WIZNwh)J=40f1SUi5v!C
zNvyUoVo+)kZ7r2XkXw-i!VyFwut{B31r+i!voSO$@QN5?n|+;RfL?|G`CZIkp964N
z!Fihr|6Y;YWQ9urS|C_h^t8xBYj8^o{TgNYDPoLXY0v%vT;Os8H5<b9LMW-hI5n`;
zU?l*P4<Y9nc^`&Y4=e;C1B*)P$07$Ihfo5G2~0LdT8@DI6n_C_?EeRTbRq?J;`3qv
O0000<MNUMnLSTZhIB1vv

literal 0
HcmV?d00001

diff --git a/packages/scratch-svg-renderer/test/snapshots/cat-costume.sanitized.png b/packages/scratch-svg-renderer/test/snapshots/cat-costume.sanitized.png
index 9012a4b2e4d0ae62817d57e8e93095b311aaa3f6..a993ec4f6dbe715aa4d705584dfcc44946656caa 100644
GIT binary patch
delta 20900
zcmV)fK&8K+lmeQR0<eTNf1XWpU00Uq+UJ_Q>1`R5g9k{E1ZX8nqNwhEJw5T}&4(B7
ze@?_qOt+?^r(2?vNYDTvY@w=v@;3d=o7bPS--nY0f)qeh0R@VHW<_MMfGA`p^WL5N
zY_rzF&Rz?<%{B%D55Y)JD~e*co`-h3i$WoXVj+)0A+P_N&mo`7lLIysfB*fF?iDkS
zd<nHTp_CG-ln?&AU-XwtMNE!2kROS9A9Xj(vP_iAMU2(T7^~&6nKO|j344Adpzn(c
zfa4&p0r0`(L$D8`P@h2T7#3o{9t8j!Alrsb0hHQCF}ICDV+&|KvQhlk4-o8z=wlDX
z@&JiigM|!O7+__9m4L-sf9gze21G>$zay0>m9uK>-QyDP9G9r&bvMft+5pEg^b90p
zYSCoJI)G;g8M<p_=Jd};3}!%$Zn}MfxFCT{CWCURfU$ZN6XOlM_Uc)LVWbxt{Q&*`
z0IhZxy}paVV2FV?#9%nY?p_;9%WLrc0AUzGDh0zZV43E~ULm8`e>8GBa2&@T@ivUn
z4weDSwqQJ_YnDohIF28@7e5H$`vLqQL=c9^*qUR1>9zCtr+@eWr%%ou`DX?Ixm*^<
zXQxogSvWD7!|ZsT`+YZUb$UIeun3}EFgqYB0yF_a9zYI+3;+Wx2*eK^p@_gFKxo0h
zEwK0o*|Lw|XB!}pf57e#gWb^~{IS1hqIM<+W)t8K41rnGK(3r+>&&>KM&TK&Y7)Bk
zFfz|2KtTI*neV=}6>Cnnld+M{=TNPDx6-mdFY$&xn(Z!H?JnA#9@?EQ+MPZ+-5%QA
z9=g3g+z|~nO;bd1{Jk67&3JG!8Eunh8Zd+aL9e(Q=Hnf+fA+Io5+{h`1W_C#iemU-
z2yf^kO(j;>H^Iz!@9j6B6hD``$F?lkWeXWYvMD>59xKMBoZT1TH3-~Lk~aaWfKdja
z0-yq*3?K&}17dSD?R{tx#tMuffJoQ4k6+OHIRwZ-A<<d#t@^1JfcwLUrmwHlY#}4c
zlO-07r|?Aoe;!EaW0tU=%k=z#(Tr(6*mX*h6iJdmJ%Y6Hz>FrJgJtOr;QbpljuXU5
zf;f&5#R;M)Mi4&q4IhLE!U$m$A&T_xCrN^2#1R4XN<x~Zk9=)FA8m5kENsght?^sP
zWVCv_HzJ6Ad*cpvcAFUb0hE#;da?rJ(_-lRSX*7=f9>rpFHPeW5_Dap@+%ed5^P~X
z2@6aX%*2Kg7N88UAz%m-%o#8ndg)b35Mn3_z&wDY9)hs_xYvD=0)zpiNouw&i*I`o
zkInCjawW&*x91cl%SXvUe?AaGz%&e4qp5kE=$l(T!X$KG3)i;w9OQ8%CZ+VTEskRh
z{Q!OtRAA_j9z$RMov%eD;y8X_Be$=m`$&V*Q7}6hThC&g402fq`CJx$5Mg6;8=mJs
z7;Mr$N98$ySplrzx-M=nu3>&@-SdO+9*AzIFqaW7tRno;r<3G4F#*q$7CLtUH<OM!
zLVtO6kZ2*g=fxP8Qr9HRTiD)hqVEncJvD)|r%#|*EIhXrnIw*Q(A&Yz)_S_Sxf?BS
zwOeVT?gQp3Ja>42r(iq-SL6j;Rb5Kp!3AT(0Nv;g>CR`1M(>lmhT82Dr|KzH(OGJ>
z5b0}Cgy#g?)|$SBTowawi1rU$V}Gtl(ti}L>tSnW4|f-r(e89{^7ss1zi<xaQsKG1
zuIIV9zj&LM@7;-fuiun1*?>~(=(&5q){jc|90gvy3<4-%DS~lkkHOal5f>Krs9JPH
z>C!A^$~mHm5+iRP@=&Z2AnxghdVV*oZQE$ntLXJz^!o$swb}^dpRW<w{t?XchJRSP
zzlz2Ct8fPcWE}@5=VownZU*_>;fzfW0;N)@G(xAfi>o*0apU%)J8-?bQp(%lboY4?
zq<)AOF+emren(d9uM;IKMB?05PaL~^-xPvU@#`~+^7bLqhzzxQVXz03p5GUfld&=0
zsAI3$M!VC)_HGkl_}sq;p9##2W`DbbKV80pZ*R>bm&@YJ$vGUKox<42oA9Wi(g?A)
zhpmkjeD?KS{_@&#yWbB!R|!5(Q}eN1r=!M;8z9&U(8Fdrc4l5G@oi_Q$~QK|8QV1M
z$ucNwNfaF%NB|mu4v=sM2)9Rd$YY5k&xCB&!OZj|cJ^9WUfsaf_8xkD7k@zzj$Chl
zUTwHAjL_}%v2=eGH}5Q9ui3`wlXJNE+AElx7(+gHw3GndwUY4M9xpE~;>PXyVB!8&
zZ)vTyB!L@<lLh$noaj-1iJ#ZiI6PQUiOHZqG4UXznM8_4(P7HkpyH44Mg9^5Kmm3I
zs9exXi+Gx9{|RrH8K!BV-+v$A%D1;M^aGqba}wi?I&91O*->6woi4t;F^?~=T*viW
zcah0t@PB>yKHh)#5+*0c9%;w+OyCrp23THR#y|h-$Lga$U283GG;j1h|1wK_iGkVx
zR$}}_W}h#5fB;EBDkQ^*4fv605Fu|EumxaO^FYpK5+h%}9|!B=+<z(or87XLt|#i^
zXm3~|U8whZF0S9YtJ|gZ8VZFRO2q<lBXyI%Hp4H9V)Xhh7VoX#&zG;@?$QdRlsJ8I
z4uAK-FYwCQQ^;kVBkNx6XAXZj;O)&-zIOd)`fnd!_OIQ#x7_pm&%!AA5=pv*WTl6n
z&<Xd&4-mMFv>e0Aq<>6E6o}g%jRh$x)htsX3(8ps@iAoG$ujd=sKG1(X5q+Lh5LH8
z1JB3$<_?Cw9_A^jFgrboTD9_ENch)8ukT`h@jkx%<~lz9)0gPG9^QTH^#|S`wQBjH
zA>k2#C7@z#Z>{qupM0V|`~0in&AV%Rdu{i6oTUGj_~BLfqJInYo?nac5qJp#1Pr(-
z;&KAR2trBR3s3`)w@p|E!OUfVjLBp?F_S30YGUR_n!NkWLLAvqOWP?Mh(?p|AdIlR
zvxguIF)`jiv5?n%@}HRcx8JP_!w9W*2aESs@#U54xHZ3scDIMg@diHp%`foQ8?R!#
zQG??+M-m)7(tjHEhXdZ;TIU-#Zl)i7_C@&Zt;Ow~X775>3of%tzmWaa)t@>zfR`gc
zM(8Re<slpu3n54`8O;Gz`ymyJ8K!&&l(qF{?-QY7%?T--1f06w%{t<5bRvObArGY#
z?k+B)+3LVF4OoVO$^pC&p9hp;G+P~9y?zIueen%G`hU}xXm@(J^!h9K?XTX&TW`FI
z>0=W|%bn*GoQBvLWsXn(^hJ2}*8Sf4cKh})RR1%Ml22pB+X%ZqzEJX<@Dc?G6wr-e
z)e|NpQ9|4qih@*dYzrm;%dr95cv2=|y>epMnqg>`^v~jGTbYJoppef&N{OxQJq!jz
zy}BO7$bUL|yp$eT001BWNkl<Z`__2KrtNthxzbcV=v1w3ZsXRSC46=DI_@ql!*x9z
zn`q#-zj_C6UwREQ(~~G2(bSxk1j`7X+vWAORlaupM*7+3U;5W>F6^vscW>`?f-j;_
zev))~0pYy>KVjYRFkYqr(THmjCR{e*L5qXao_|ZVj!#8PfE)`{aQN{WSv)G%A+)Bc
zFm%Dbf7Ci65a}QhLR$|oD=aK6V`Y6)J2)wYN~wTCK6kWd{U0C<wR6<`!hQVV(=YJJ
zpTEM*J4;|@{NkO9_}vG;z?*NpikYcN<g(6@wV_!?kYN{V%ZvQK{`Vi%zkmFNe`9{N
zy??payXi;CKSyEuNuq)^L@Pd?pI7=5@$v--IudcmhuH|35JxGijxVxFN;Zwi$)=%|
z7A*mo0za^k<_G?N;6!(_GId?N(<oq$0J;{@+r9g<guPZ9?!bfZhwy!0+p|Sl$0|)y
z&9fR6@P`c;&538kNrK_fN2lAz=Jqa@mVei9dwvNwZr#PrJBw(wyKtNg&YnJw58i(V
zZ@%#=rjAXZR4hDOaExjknMR2G9@@<<UR+$j*H^E{AN}d;{<WKn8{2#CjgA{!jso>b
z(hKe)+W4ym2k=q`$O!Rd3QM`n%4MP<GgR9X_2xj7hB3fQsOFdoqgwMX?l+brAAdkO
z>S$$kkQ{MWOH)@fDCBc!)T+p39c=G5ac_AIcbArNZ)F{>>mg0GT&Qi?FihjnH!CwE
zl@bGQh^_5i+`hYn&%XEufBf_^KKkr3?k+Av2*T-;$MFvzzK;)o{T|MpIf+KS3MXS9
zQO&`KhFx@b?&8L`SMcBd<umoaKYzLAF0JgWcKgGxqg4GqP2^{ZiZ&6g|J8#7c%dih
zPr|Jj1GG?{lTeoGdPds!+4ds@409q*Wsw=i`AH?lOH9QKlWjg!o2UecyMVU}bgt^`
zvClL#3%V{j0+^<WLczrJNK87Lbr41|<`?dv)9YhxeG5u4dVLq0JG&TfXn&EpTrLaS
zwqTj&h#B}$gzwXPrCxj2u2-5=)$O_1*=u2Qdlzf#TWEE<h~os6auMgwoWvU!&f&ec
z-@x3=6r79=^BKEotWvOy5d=f-c6->}UgOoJo49f7?(mB%^R3%UyDL(rH&Z3QNmBX>
z{iPKgv4z32;N{SU`Eh7rI)7;&gGsNHv-Dm$tNwAUz-Q;`Y+sy_*6+?saehLHeXF+b
z!N_Vsxza1Z#D_rjEueTx|J@N{p9Ai?9(MQISl!stHObm0ws!W=>kkko2{N{Ydaa6D
zwTxP&j8d^MG7SB$J;%&Qk`!SW!5jMMyB>P|KH8l=yrGXINs!6dsDIZgn3<Zy>63Gq
zo0-DoL<3{>8fw+@gCXFvW)7A3Nc|QzH&*!Tt2flOn+xjZ!aA>Sx7T)B-sheE@N3EP
zdYZ~*^!ygE>*Hq<9KcJRK^`DMf2|A5gve$F9vPt@k>mQpZ4T72VT8JApw#mzbG)uF
zS<<Q~jtLS3kPHBSOMhQ7Gyk1OVBxq{LD@IedB!5zGz^&8ES!vkM!kl~i3aLbE$x$E
z$YOPUOK<*$G1{FTf*?e{KR_<$AT#==f4~Uh5o0h(M%?rO!=YvwGHW4(@kSk|j?duS
z*^_wv)w7tHo<y;bf9AzQRuZgYByq^zV1RC?iM^c-+`E4-zJL1dP4DLXO8?GEr?uT0
z&P#<)0d);X@9Asw^TXdl2HA(EUS@MOE5|dozy;glUzHqOtQGk5@w%#BnpO1Xtir_^
zNykb*IC2?TEo@yl3Dn-!-XYbCfHQfdbCP|5xj2sD4SlU*;tkR3xoCB|=ydz&bo+1z
z-e}MmB8p?kbbrJNB7CP>VwuR;HnL6zxm*^-LLRkh8RLyQs+BT|g&c~-0?MTVvROy-
z<)1ZUqybdaL#MgP_ZRQ-wOdR0{M!}2x4zf+2K}{x=ilyo(dBkOybXmlh_s3Rng`%#
zNs9Sf$RPWWz(#-o+evVuois!@jzsFk!rSa|zd4|}D1W8;FrvaBgmtpP##n(-$uSi&
z495x}(f}kQokdin3;5#cQJ1SY5`B2KzQ;a8aGwj_sB5>|D2m|@JaoE!?C!PD>S!q-
zcQC}z_aCqlX%rx)Wx~m1kk4gNEap)umr$=&(5O{0)~F$$%RQT_JMU{ECs0X<C<=Mt
zdFc1LXn(hMu)VpKt}ZWzx9%=`pI_VTE^qZV3A_m6>q#mvgRp|Z$`C)(z}Uy%QU-Y#
z0%K!2B!#+3Vuo3qEoS**C6D*ZSw2<Caq&c5W!{=q;=+`oa}x^VMTTtxhH2|y$c}3j
z_{wWQ{aqa>cI~++!ULM}nx@(^A&eqKajaEQQh&`mR}b;%30f4+7;(z2hm}ce8<`^z
z!`@fVNuvRx!4CFzHu&z+J-)TD%2#f0(Z+6j7zM+o@B2$T?ckeE&%Z;YmQ$5(fkX$r
zl_9hx^UtQ<cohDYGRVVVG|LG};UG1go+04+F@hi=xzi^Qf!8|(Hz2e;!mdl0tufc~
zjDK=ALBVMw8w|+~doU9ByN*|G8pw?Hw?;P2N2Rf)g%h+kZ?X6juAw{-c}Sts7-<qB
z3_}e4fP3zc-ChfBdkece8_Dwh<>Bq6&B5i{JMPAw+Y|yDfS6ZOU6Cvn(Hrany9eQs
z|7`HLm_Z1DK;d*9f=(GGy=oe`1mJ>_bbnR>V*u=|#b&+0sAQRn4lq?we11~l{Di{U
zNrmYOQLShpn=9zrBsT>VPHRWp%4^zR#42eax)&L&ML^`J8|8NQu(!K~dn=pj%AE~$
zZ*7lT?LG~>p&N(6n&$_LyWQ|+e-PXw0~><HZX70E41Mo;nr%KW{4He=3pkZS6@O(*
z(HNP=tU-LX;PAO>p3i4(%$kI{VX$Lp#Tyc&y%0M?fng-zML=^v*zOZ%s>~Cm1eII|
zg-i$8e3P=3HZrviGLZ|jxD7ZBkX;!K7<0PN-xsF)xi~sK$Pf~&5~wsmnnZ|`gu^Jp
z&<`;fMm!w!;k$b@=<do+YbRP>-+%JIzP0WythT*oFC6-TYzpEP5HBVYHvzeVR@D5d
zxZ}?YKa;EUQ{Yq?dCVEM`I->?zGcukOK^RvqN*3BRQY&a<tNLqYdK|>vVdhUDF*fi
z0`uDfD{a9$F4&I=mH-tpj7EXgR7K%bgT-vapy@^y6ZJgCYDMIWbx`gYD1SerJ74)Z
z?VM{@kEEDCGB5*Rs5FF%`Ur<zcy1e=PMdf3TD-E+;#>Fj)W%K^J$E3&AP6AiRuqSu
zt)73cJBaW3VY(bfa?673C7>Q8TzLL)q&o6KWsD!<WeyMlz(i@Lkg@HCWOG(2K3mS=
zVlBt-m$Q7Lk>|{8jqUTtq<=WsP-42mXcQS`2e3^>s&s(d*%nyb5xmqQUTX_%_lX7}
zK`B<%9OLvj(`=P#s=}BkDH<y>Dy1A}@^xfNQ*f#$V3p=5Q<{O5Z@|vvVA)xiRtCbf
zA<PU&Sl=-iX;izAIJ^w%=t#t@cgmEKV3|V76f#YaO36u*Ac|AOiGSoEjNykd!eEHV
z?@{P=I2?A;Uau23o1I`~v*}-7*z;GmdO^>N!YEd*A+RUF>k0FHsc;{Wx{n}iy$k{I
zL%hrZVxu@+w5;q|A;fQpaFLmhPgQv8%{f_reM;run3l#|jYT=fRLFp`mhMzphE{`T
zXh&T)BzO_A7Xhm+fq$>p3|wCqxV<GX2*IVS=Du5o-WJYUj8e|vM%m`EN(SSV9M!8?
zs+Y5<mW!xVswh|LD3lv;3JsXKI*d$tbQH^fxAP^O!&81)0xBIHmm;LGk0kUE1_St>
z3(xbo*B_wO9dNTdlv_=gSGT*=?0Dq+fryhR6`Twq<4&BW+kbwLY`6QtraOo?gE-xa
zleA?SaEaNAS$as#;X~QtXR{)5R5-||uU9pMS+s$&X&?gzC59O%5e86jF;D|w>F1(d
zW1}=v0Gs0=<3!G;i+M+VP;&5UImhEC>ni`&oTN*$ie8^m7%ypl$m4{`GbT{VG5{@(
zJzZfqHXs$S+<y{q1422=T+T8SYk$PfkkA<_?71Pz%>d<G7u6hdB@a{!4$9>+3Z)tq
z$_+Th2JBoNX12`2%7d&tgq4S|au8+~!Z1g(k$ry;v3~>V!;xZ0#UvFYl?pOVNy!8<
zjYy>tR2p&`c`6P)6^C9r^ae@a_2O=S81A+Q;rd=bUVq-`Bs=Y4G6>QnO;li;$|XWu
zDcVUDZz~pCP}oF*O$2^7c?mPc<M8AF8F>gA5U&`fcnyLlh}kfKwiJ9<N!&pJci^G<
z6TIIiqcl?htTPbeO+(OcZHr%>s_@u_NmYLDq;$?tDlt`IGzyGTR(lm5CXJS|jMt|n
z+8*KKyMGJ<<G)@^>5XXx%LIA>u)HU**(0=vL~ck}Z4)mw1;8K@3S@W?Mhw&J!m!q0
zS~g76f@K=8Oar!Uv2B^KZTo?3fwovP*)R+yBE<}r45TR|2qgtkLc=gY5XK@(QX!=R
zD+z*90%=MtBZ3?%CHrZbwv$A4!dP~OLEP;R!+&lNryZ5bHY?SWsTh(eeNq%EMFC=j
zu>1f40$?k~&tS{;r^1f}$O#8|REmY-N!!l6)2QSxO^y{`b8K@GfDuNr-RyW1o&K;A
z29eRTPcNYpwEqfS3*EMDG;&Dt4bwDFDi&{4v;1x?&%c_f@a*|xOmEIg@yk<EoM<S@
z*?)ljlr^#`fI<e^%FO`EIne9V3coock+B$VNSLWG);dJneSy}1xEBD!h!7?~A{mKH
z5z7$KP<P2v1t>Mr*d>M#fN2nH(|}=`BVv^a7#0)@#3>+|A`+r6C5B-nV?Rhz*N@nb
zQjTK9QYs0el)$MW5E}xa5Ev5BPbGI!=6{Y-q60}i7^(}B9Ym@LKXlVawPPRe+wxN5
z@d1)Y#mpFQTDJLKwUYn!D`#fT{Qa+9uN<FhWQ8Ew-02oR{_;-c&f?m!omO|u2=JAx
zW&ey0e(C@bz>EzxW-QD4jR4*@2(LB@IR2~CvT<ovnippnC+do7h3}lGo)%H6TYtSR
zkB~|rYcmRt&PLYABQb9)oEZm#L?KCmSb}sA0E!7x0bWRG5A~xn)P|#eL<mwKPC-%;
z0EU8uWPvy(_<<ldB<^^E!W2Vc81qE5424!I<seK{oFs@O5Q5=DD329|P#jC<RIo@v
zoIr7`QjTFHF;Y7LBZfsWe2ReG1b=@+8RAKJOn}T}Ez6!D5^pyu<zK({%BhQQzj0>b
z-M8KlCub)~2!ZvjRyIh@vX#l^#QdV2rZGjSYz+&iBY4#R32G7noUxEktCk~X9aCI1
zP5ic;#l^9_oI5|M%I}|&;>}q_XT}xk&#14=tgFvKKv>)rSnCKl7BEp{lz$v824M)m
zA)Q@D{|flQ2~JzFX%F}P0BL(b-zV}SLJ(_@_axPIjvV>FhpEm&n>|7p3UY@eqLe5~
zX$bHlnAXAUK}sJ61xV8&Olyd~9j3UI0#HA>B*;sEM+ZnY(-5XLCro;0V!VFo|Nh5c
zRo;L5qL`dKhC-pB#m|b9D1X(CiRqc?QXEBRJa3qEd&Bn7h!_RF2@iYE_pP6?ke3zH
zF)k2^|7@6etCHi{S0`2DcjwaF#c3r@j46y27zO9qUyY$})}}}JYDLdR#tMw{6AG0q
z4pqwt(wSzgz$j-4(-j>MsRE?Z*46t~hRmb&^^w)}-ED#YVVbzQW`C6S2J~7i5wQ}t
zkg7HmH4(rATnXe;_)95tHuygo;VJRx05RxvrIb5WEoV=hnw^|@{rp*a<@`A^>>R|1
zNtek=s#K~_%+AWnsvXC{>6;5{z3yNbE21_qGdPTs&mo}K*2~Ex4D)<0L%%F$_&4JP
ze&ytt%Dy!#?GMgKaesC~QOUsp1mk`j`<cTFfnAqyXItRzj({5iZ_X;bKCMv6@smwL
zN7x^rTZVq*|Dr4U<6TnQ0NvS9*mcSAV~odAoJbX)m4f%AA{Rm20h%$;JgU!q^mz*h
z2|36Z7FY>HLP2nZA%(#G0D3F;rE2j4kK?508voy!nZ}v7Uw=RT>f4vjS1-PCi5laR
zM8bS%`%||bEtAkFXDDNmxwNuf+urR7BHCn#4$@o<xJR7XXB=cR4VcCygXsUQX7Tr@
z8fxyn6RP<Cyph_!JtxIngQ?_zOydCVwod><f17Xi2%jz*`24<s<)%P2&-jN|B;Gxt
zvy}Z4E$s{<pno|K80gsy;#Am5VN5A15^;wqagmmf@N=JWkag-X#4If1JV56G<1~br
zhCwBm%0yBK0r%(Y;qVN2<Yl!4zg{S0CSEx`m4D^*3`*tFgUqoHt#n|ZSSZr@v!~&C
zUhb7|?>esAKi}yO-)go8ZYs<h7$U^ce6#49qmoX5=zooJ2EQ(4`ImDwKKJ%<C4O;2
zig!;aF;~-Cyw4mMqgr7Q0y}-ejZJ}XRt;=)2=xNv)nf|hCKRSC>L&{hKxds&mQl+y
zDmhRPb1|Rcb8!kDglP7WCD`H?`cpekIobaH27)vvQi<uTrKa)@9kUEBo22YiAsj}c
z6{W@&Y=3KoadIP0#11^^j>M&3ieud)FRf|fjN@44nPX%5x#<a!&p!STFH9SDu7>HE
zIsE-EFHqi!$3Fe$-iPhZ0G4I%B|sBLGGWy<2ZZs80s60{EdTPtl$v^bP8uJc)4Yv(
zUbje(Vm&}H5U0R;SKtqK3|w6oSZxbba*PkpNq@XEr!ZU7nd3RQA3qiZ-G$4TK;CAI
z6{V<TVfry<?(T~J;zeRyk`l-|DT1liQ?%Vplx7N+l{*9A10nczgD`7bs5J^IQ_ivJ
zm@tAEa<i`@6$n=;-c!oFWg7g4lrfLti5{@>S5ZPdYCP_{Z`v>nr&6hA>a{9a*5eQI
zB!5g8wuxF}0&iZrfG7%!cURiyHg|j7B$ZeD(YY1^zXNPMTPMAMlIa+)<Slw9XY<>0
zb#?Bo<H~&hloA(b6-||&(FS^iRO!Iz`h=~Xz>N)oD{BH<eH|PZjw!r7r|{~OLeb#^
zsK(RCVmbp@dA-p~mM%s()uy2`(EcPUet)7r;(oIL06CU!Tc4j)MwC)HQ78}*c_FpC
zAcE!Gf;+Kwz%_Fd7;{jrjsrO5Sh!Tks1NcEUaMqzqMldzsWMbG&up8ZAO^Nw;yo8}
zbAW*xP;C%X;wjTk9dQe7?2caZg|15;86Z-kB3W3OY~IY~OE3-~{gTU<Fn96-wSRhv
zHGTDdVRN@N)9m?g!wG!|^D2hVHfpkMi~;yvF^dn6SNYgmbISbitTZmoD5~X-?i$1?
z(DDekw+wuA*TDRafExglWyar~m$)<|alFnbI()Es%D(@))6lHL>@h9&KtlT=Mr~lY
zsm*($whopbfmA>k6XH}Kw<b!AUw@yGWDpEf7?iazb9-C-7dI3WlG#MLsL;pGlZi@W
z4vNJoK)q=g;-4}mzcEqf@e7lx^4>}5oEcN1USP`GfDn4X>4k**EkR%07vkooaqfN-
zg&~P?Qz1wj=Uue!2GFd*7Z#7a^A#h<YzSdEhMmdjDee<sSvHlcW0;*gA%8Btb~fV&
z!|`jkR^Dp&{GqbMHgKZ%lxI@|n93;PNdbDTVDl>%rex*a<I;F_Qqi$z%pChhQc<dx
z61RJVr9FXLTLSYtx)`3SC|sP8c=x!(xd{cwI*1>;0EDFtd2-Ww<-K%H|7?}@w(fp_
z<Te0*^a%GfJ2CaYQ+Rv`iGKw80pQ2bbC?p-i5jDnV+08VfO4FoAV`S5&%IvA7Am>h
zkkcC&Yz_eYu$bQ8wVMIN#Yz_M*K+Dt$13X7E60?0Yfg$^ol@dtT~R&*+ON0v=QEQP
zCP8c%M2$gYl>CJKMBz&6%WYt62WWcFa(({VcuathsX!zQi-chvkbk$Vi}tZbjsEes
zZ;PzOwe{`prTgo9AsKW>=6DzWiSFUgrc)U>nK4#$ObHq<=VayG6EgFQlZxtvqsts_
zK)AInaCObV=l2Y>JVGtUc;~ppFHcIGpOl!Y=z-vYgg=BeGUGW5O#HoO89HNtReb1(
zB}Ydr9|)U(w*vHU1ApzW0e=lh!@qFcjZ;0vcSAy>po?|eWYltucTXrPWB}WQQE)Kz
z?Yj8S{YcC(s|MhFgW}Wz23xJ~Jz;sS09dC$#ybT5PnE2?cxg^eyfrJW_f9A}JE2g^
z>&)?R#uTLge5|bS;W?(94Y4~Q(+!PsZ%F5dFm{p8dl<fi0e|w~wj+Wr3l9(=qu(tQ
zigfzaY3la9?D<oRnSOt8w$t}6wLtxp;#(LZ!lBNkwhdv_Ov0FHaj}v`=6IdOTuo8N
ze0pNu{xEKzC3wFnaCKcDsal?1Avr&(@b+<ucaBR;S9QJd<br%ubJ!If9JP0~s6*-8
zh^PLTdM-B&IDg|hs7L_)A~0On*+j)!Zwf$===bXez^O6DSWzKk0*(cmDl-Hr#1aq!
zC8<!%+LUb%DD6e$KxIp!es(nu!ahVMfr>1!GXq1tQ_ZUP8+p8Qc3d5Q?}WsAClp<r
zQ5Y{iIztly1_5~+l&>**z7jJvWvq3n5XLkO64Nj<cYmJl>im50$N&*wMF6pq#7fd(
z?q^}zu=5Q}&z!*Dz5hDpZ8i3%Zx(;o>3L+^b}JsDg~N2U3Wg1EHDgnyl!Z~vvn)DH
z8S{YO<d1<;K$rllZGlf04Sc&UaK9yB8o*m~3KxzkT$oart0`1-huHevFUWJ#z{KAH
z_4k1Maeo~gKPKQ{WHqnd%mKM$x?b7&2<XoPaR;mdNCo&2VRs-f2!U#jF<D|b)^{Ie
zCC7MkR#7zvj2D=$t{L@Dm&7l<rkH^+E-L1`hMl<~fj(eY1gY~3`fVf67d|*E$KE+E
z>D?0&CmW1%_Tbk&V=+w>m2s>joX&vC!azwS$$vABY5)3obbts%f|S83A(=+PPzP_N
z?{~H8jS0MU@iin#TD-s6JGa;M`eB&f>hQ@vdWYaDvlK84+c03;CMaVtTgE|ZfFFk!
z>EQTwUEtc9-mNkPaH6j8?s18WGYYdch4Nule9W8<j>>CVSgv&T$1}%1gry%wPRp7a
z4u6o0>gxV&#8C`4P-qPSHvkxfdI1<OecxWrF+r0hhGR-(42EMOA4|?wa;Wxwnizzb
za3fU12rdaK7c)3j%d1Nlrq$FhPD*;`xTMo#3bg|Yr|f6&zdUEC7rJ}3k4FZGA=npC
zRvHCn9QrVw@}XtmbA=L)pT0mnpY79kH-E~V-r&UMPUkm$&tO^0eSYArUosTPNF~cO
zPKjel#7FSaHwT1|7YtlmGqCFt#)^#hPfNT$r7%}lXcP|PkoyqqI?(u~e&l9Hnd1<X
zL=u`wn41A6f2aR_+=JikW3`iDy#pi)C}tSrMMk6WXshd-4V-8w6taxDh7gOpDt~)z
z%^08G6}kIOnwE+Z18mJyx$wbRS$%s>(wlP%vsHz{QwXs{3Gwbg$elg~!vtNW(1W2~
z`04tiGYC-|Eb~z?$PB%{Z5J9iY_7Dd%zjtPc=L@{ohXba!+8F!Zr=~3<ejiQH$0H!
zq=-_m<H=Nbfne!JM8lXUN_CO=<bOHDqcMmG3%dd<Z9>TbPBs+YnUlCMrI536`02Q?
zG*vb~3sl|!$`^DdIIJ_(J`de01H}xGctH1Cc+|wbb{8An2w6+Fo$Gl<A@k@xFx%9R
ze1>VPATd^CD`&G&&5PVrS&X>>K@j+OU5ekFQR1~JMKjgIXUtUU4q)3SY=8Fzc3cYm
zSZqUK8xk-4u<+4cEQKv8(`vupDRsK-e7-h|r_&1*7;Dt=yWjjmWSvZDeW!bVbEgx9
zQL>KM@=>0<|3uMZH;GVonqkVVL{i!dVDyGsG~r-_x<^B|O9>3%?1aJ_GYXUCXW)yN
zdELq_zX}x3=y`|n3~R*unSUfx1Bz!bFx!}KEn>6V#$<_cZbG4yee#l|A#^sGt0@#6
z7H`ce9>)5{27r79s2BK<p7P%zN`burVY5rL?LxFX5u}or!L*EF=7kc8dlVi$C<L#@
zaU890H;;{P?v)$U5tW~6gM*RFI&@-g21Czt-g^CXCW)idOKUs7@PC6OQEa5Z83`=;
zc<exFHvwB+shqX~dBd2Z9hdA~mkirvWXz}AEHQ-cR5_MjFW<jm!~vUje*v?g3+wVL
z+S|}7KF!<u4x>z>j69?@j=mblYIg%2pYYC{#Q6z@lEY8z;tA3ULzV$5Ip1;XpB4MN
zYW<M-&W_;Q+ahXv<bV1xHW{=A5$*zOFMI}hbZL>Py_U~A1~E_BPQG&T<XNiM8;AU0
zd1MtJLBz04!dN9sS;w$eH})Dk&2F9qxojv8aV-Ekk0V$yA~!X&jk;;_g<1|1V+FPg
z8CZ=Xqv$+cfb;{xt}D<Rt&{`_;Y35%9tJ%{hb%V@jQ>`vzJF&YbXV#KkVYPScNdE*
zd-%hZZG^)<etS;h?Kz3D;z9i1pAXcCpR(K%{QK*s`ty>}+3JaTFUD8Q_zL~yO}yY!
zbl|Z^EL!OI1M}|ku3v5Jvg`Jtk^p4bpdSjJ?fYe<0g$*r>gl~A838H*aSCFEQXJ5Q
zMi2f}kiRk(Wq&(kO11}RbtD0KVPJS_6}a!?FKZG7AQq5aLB>ju@bSexVb_c7oSRfM
zSz_HmIb@iWvW!=cNen{Z@_hp<ErB~*28tPcuX}ai=QSK4I|XE?k1RL<AdD4ncVcX`
zLbL}GA|=>{o_idX6Z2v4fFBcqw|auFZy5614I^6I6MwtI7}p5+76vu(GgoatC>~vk
zN}lfx!a@)x;p}!x40?N%hCP^01tflO@j2CN5&kC7y9o^L0l_v9_jI6e3NXW9g{(|5
z9S`yA>8^mM+HLd#001BWNkl<ZCO%)HzwZuFV-p7QCSiDL1-RdT)LV+du92$Sogo^x
zwnd|yMStbDXH!Ee&|#HH06jx^drpBBVZAM|)f4#Bl7TP*{^>Q%F+bFE(r9vSmGsX?
z1lJ33duf|*E$zbfLSz}#91!*fgmRXjs^j!5*yqRW_KE*}UZ~IS8PRH+2E&Nf6IPd{
zO20ub{#lygJPjTlAYQyRG_V~;Xm<Pk{@(URzJIxU%&tv3$XZ!_->}jw=eP}c%X*;I
zz5e|G+4s<ZCK(74sI#C;#{`m46naBC1qkX6mD?M_R8=Z~&a9&2cYv+$dt=MklgKR$
zLQF&{F0FN0Zgzz@UT0KtjO-!rNyh@F%8bFJF3=?d8(nP~aC%&zlvOBa^=irCz&O;R
zz<*<)WCE3j=yY1RwY0@|mYbm$#61?k-Ca?w<T#tP0aIv|7V9~4Qub>OF9PrOiLb5;
zb@{%L+}IH9_E0Q_DSyL4-9c~Vr8rvc<1yonzO<Zbi3H6~RCDD<#m;AJ%c<5UDPJt>
z08xoPPPq%f*1rO~pXi^%9UvWyR=0n+mw(7G1f!T?6dVQHU@`>kwnt<AkR}C0k%$e>
zP#<A$h==dAXk5YKz%Z!5;5RA`rp8M!@)<VDS>25}EQkP8@B_;1;+{aqC**BS)h!+7
zd7W|H!E(k%+Plw|MP%Y5a<{RtFpq!v!&iLe)>_l`;wxdIwwoSRyoicLn<<|G<$vs_
z3FO0Jzvfu$2>y?GQ~mL-ncUbkgPp!uh*JKaiKLH`C|p52`2KZ!!ST5HpHfaSYY0&)
z<}w8VIc{2ZX=Zwws+9^65lH$#u%)xc?k7O+mfjnZ{%FDO(VvkifSk>6OeV(ynFKqL
zs0c#Q5Xed<M+jk1rsgQCl7&?>5r1bHSWOXkLSfbOOgNd%plX}!WGvXzRc%vnm|A4t
z`q>;Y^du8Dx`aVUh^5x3nkwty!J}-Ve+avzi*u_uvOPF#5i`O_OnTsUd3AZ7uYP+g
z`sAzm?&3=GZj`7`!-UrRfyhaQZ5ptcVVS1>Tt{=EANamM8>G@L@vcw2(ti^C&8i_k
zUNEEU8=|$_7Yn@rm*bTGkOH^SU-j^kFbVhZ_yKvQNXif~F*(hyf0hhu;?>hrG}$PV
zFf$OTtAnF+4RG%Qapw^k<40at07Zw<C<4dIiYhr6{gCo*K$BA9yj0>ONEDcuAj}YH
zJ_KB)oVra+4v1|x6b)0LbboF_(RlIcsJ29-VIym2ra0A^#0v>$Cltm@2kdH*p>J+s
z>0PQ!6$gu~A3}Hkwl=r;KR)`C`uyt~oqKD0ciMgLGJ`*Y;(J6KN+vW1RNHf@lt@4j
zsGJ3I_G5hCpAv}#1|eZ#SMcv|nCcJnW^`wp2F-!E6Qumlal(H{V}ErI?tK?8p&aSs
z10)((5F8C->A1t_L_V9TPEVAKLe4R=`4TcbAat&P`nPm}o*r(i*&Ge93K^zq4wSWF
zNQInjQl((?v0R30hCoKa$dQSnv_;h_RBHmFDivo_Nrgc~vyR1;6LlpjIVQ&f>_g5)
z_5*}SuWa}+;pUcrAAb{0jw#ghx|RCG$vU$>RubvpFta*X_6zm{-mys%@u1hj-G#gA
zKR*5<zIJPIqun2V;SZB9I2P9-{9R@%j8c+qpE6MbLo%63Doi!f(Ng;5NIXTmdVh^4
zPPL5cR!{KlZGo>>jQF!9!@aR3w%P+R??!YvN%^A`d>ihvi+`7>?synKvSQU?B#i_P
z*~DCSGNuy*ekn>+Zf5!z)v_U>a}6|D(%C~jole~TjakV9r|L|n##l_0*vMLx875To
zB08BWafyj85{t7!;21M(2owmI&RQsCY?zh-W30$j%0A`bkTl0TNC@|udM;AR0*(#T
zayWptmU__I)_?UEYtKTf^xb*x02uV!SY5iw*T21*{P~+Z-qPCc-6%@`)sOirc>Olw
z?Esmq$HMLc+$M<74XL`_qvA?iU~fQVj#TEIg9P>?zyNwau(&Jm#XSSRzhSCRmyE$$
zOKiFUuEtFNBAGu<BCNu_H^5689KeqT2pH%{h$0Eo5Pt+%18+D+KxuNUBJ!dyEbk7C
zaFdX_pr_nR6ExC?vO!}-rh1-5-hs&4Y}p1COAe3K3OrNG@v&+i^+JX#8Iv;%uBD7=
zf+(e_ma#onVJbWNsCC#C6fNckcrjtQr89^i9U!w+h3XTxTN&U)2Z#*yanr~GhNUeG
zgoz(Ja(}5bK@xh{+E~GtUwy^je0#fh=l<5h`gZ@zSf-z-u6++!jsc{I2LVDcgl)Tt
z6u}^Z;RYh@_!JK#V#zT5n2bS4?1kF4A&80Ml#uLanNiUlOCX4~oKR;-*c%Y9cLd+r
z7V7Gn!B^G|@5^OldtpZ`4I;i4DO?U^`e)S=i+_lhJiLU*s)zC9CEcVbnasXnf#X<C
z2~sto!VH3KvrM~GFg&7k0ODs~+}tmki;lJ#xNuC->oZE6n@}`YW22VmoMWK^!eo+)
z**L*OkWk(Y$plDD7J*U@l(U|G!aNA|Zjm4B<CbFqXD1kA#RE2GSZZE*;(gc6%RHP(
z9)BIVN$A0Aui^IX8~i{1?K1!Q>e6z%=l^~fCVx!B<UW$c0lrrN`wEd6a@Oh!(24+U
zrV7a*guU7kh4~%Bncp$wa$9i6BN~K6K}?8KLaKmN5uz0EB0}3EY;*+{b_Kp!HTXZ~
zP5H-pQ+~Z_q>FoEtL=#|!h}Ck;6J9R{C@_<a2NhYh?lG&e-sXofHwjJ*otyz=i?;(
zX0O@JUca^QnsSX}I2BobJv1h>ii+mw%=?tZ;r<t^V`*8=dLD#2(=gI<pId#lR$F9k
zbSb~p6ZO3Tqvw;+9g^sWgkel{b6X&rVc3SIp<2elGs(k>hb4!Rw;6+w5X28uM1Kwj
zPW48?{+vjqdSzWDBf*B^ckWRDSZVjzZfBS0Z{5a~Z*Ti|me%(cR`za57T+L_ZexfZ
z{_<u_fu@IUGe|MhOiOkvNf8bL(ckFPUf#m7YM%4!T@;!w6{jjHTg|~PW!WfXK$giw
z1f*I|3;j@}Ef4WVSNID%!rkhT>wiV$Mk($o#uqZB>p;8+ccXKNPveEhK~JbEPNN+Q
z_J0h9@o;{5&*`+0-`tXgw`U{gKb=d&nK4c1KWdFA#{$NSj8ax%wh9C>M3@kT2@s`3
zn_a@S4FfA}!p%(qZ^X1KIqHG`$DzOgv))+TFLIyie@TXVCe)L<^&RX0<9{FOO<&V_
z5Fjdzk@zjFE-&G~|JxVp@|8Qyt-b!|lIb%f={+4BD?gT=6|fP*9ovp;rO%+~4iv^x
zgJ)eI=adpBT_1Bdx5T6%R0SbN1cP)Z8;Ti<p_HUhF*;#NTYVq*ybw#N;w4sMO-i{9
zL>;&rFEqdWX>jlouD>=&Fn_ktHKo}bS`*%Yx$ok1?5pvjK~4|}bGph@$uT+Rvorqo
zztPPRdoZ72sz0a$nD#}TcU(d_$H=W1_|uYswT{5GH3Oyq&P^zc7qySalLBR*qwdFA
z6rmpwvKCNwbXGYuIMtoKAk{~%{Y=6Mke`Jzi%?Rc*KP62{RMn=<$p%_&5e7#>kAu;
zahiS!sjfnVJHW=1Hewlo1ezW?O%K2}Fy@4%(sBsi8AM{eGZeD~o=6qfBvW20SfdCf
zfE9rfgLr6~+$D&uSmM5vbPrK{524?D8NCM&io;xb27INAMkq|VD?o!-QpF8WUhfF2
z>A`d?P~HX|s4aQ~pnp+;U&-lCSU({2e8Ngwpgq*8AC;W`ohJpXRGQmxuPN~FcT8;d
z2(vXU+;DnKp`3f#cd15O2P5T@)B~)N_WbbMxVx}`|Mo8*sek|MT6<-4?^b{4f59m}
zRqWp#ePbW?#^n9_1g6zy5^I9xyZ~QK6<?N$KL;D1L#fZf{C{VFJ_Xbt1o6iV{+y+{
znkr)+GTnq9_8#&c{F}sKZes?J!dvPj-qg^q<YbVDQV^-AHNZ(fHjmjRs)K->lVge}
z%S_cABWHu2h57e5JY2I(mKm{BXnI=t<Hm+AIKNsk5KG{AUDHzwneRlV_y4_oNJ(*{
zOSrZ!u-p<zC4W%QGp5SVxW>V1blhqJ=}>17GY6lhd7~NN`n45x`O3}Y+MV@wl&b48
zPOr!~UWWhFXMKI0(0m}d6XSsx7D4Nb*+9_%5&;ZTU^h(vMl-~d@RSFkfl`@5V361X
z(@qMCqnOQ&t|%|JDYw%n9!3Pm0%dKGWjvd!)005ZmVavXf)0XVq>VI}np#g+@u-!Y
z(E;`FSRzV*p08~Uet*Nn#|tJ_+XB@b@axl>f?LfW1@D5t>u`m8*j!t{N0;yLXIJj0
zx9_*&_8?xADgSG#;;-SwZD9Dk*2NhZD4?AJ-E{Oif3q3lNqCxrkUsPF*Say#NA`?s
zWRUKr<bUrBFx+#^lRaNm-B1;WvC3_Bl{HpWT+J~G4k%|cWv!9b@)4-8@89T}R?3JH
zg~eTk^{(ceuXP9tBh|z{X%!Gti(G46EW)0vfA`j=ft~)yD^M`@286W^!8Qqk_<)Lv
zKk~700z_RP830`Y^Z^<YY(;DfG9^%i$dr<z?0;i`{Wj`RFaC{cmj8o;;2BG4Fw$JY
zLUx(VEkLXY!d{X>?75Vk-x1lHo5H@=GUSd+2ojJ|MCQmm=Bb!_PrxA3T!~$mu-+AD
zdODk|v;=N!3S3(kxU(&AeZ#=zWnI{RykKBq*MK0cD^+szU9{X5*mX&-#5lVB{Oq-r
z?td;ALZOmXWSa`R0}^gPhGbDqB(lOZ_mrRO0`5!aJN}~KSpx)sn<8-sh)P|Ew5`Z=
zgOt+FPz0Mj@>)YN=m!`MBT9x5iGDz$<>^jQYe3u{Y8O~H_`XM9{J@fI^x*%$y)S=~
z<2us&GGAR?eN0c!iTfZ(iXe4`C3|<nYkxTuu^T=%?EiJcTFJYzLY62k<s~VA00@GZ
z0S1G)`|hs0-h1gEYMO*3N+RX}F%-Ut4*Y_M>Z$6i%$ND)_kF&T@a(5FKwJR*i14Ie
zojo2ND0Cx+v4@1nMpatn8pujQt_g7tjMAA24bZLu-#BOS`m*5SyrAX*{g^P#34c}y
z+EC>_%av&L@w#*Z#X`+M$W=gEf{bOiFf>;f@`xyrz$vU+EKu}c7XSIbNSx%<f`O|Z
znqI^Ab;lT5(w5HEe7@53<c-j`HyQz63mjQ;9r7B!P^S*F(y}-=XPw1{aI01g>6(F{
z831+vu&m*#RqK2~NtP6Z?z9q|{(rX(#)JLCx4sM9Ja2J*$>PGi1rxA4u6EF~vMR3>
zSNy9^qnfp>v@Gg=6^Pp-!uuNv5B3;aBf@+L{Kp#_|L%&xTjwm6j;YBo3-ECY*&48X
zu&MO_y6xn5w)kL>^1~>@djkEVvKQa~lJ*6!a0)odW~>D^GE9->Q}lqVn}4XIox<NJ
zO4%JGw8MlgfLBUO^_qvE6N<OmqTs?j*B6^Mn5)5Uc;eQ5ICal*=z%@A>VkbyfDlzG
z=iMn`vtN}?!<0~S1=p7>zJJx=?F*F)6aegw1^q+eXKesi3Fd0RYD>^*RDn73PhV;f
z)S*E0C{^f3!0o3DZ7Ws78-Kbwyw{$Otos>etb=w96s}kzg43H46R`5hK5F{_m7054
zs8gBW*g&*4#Mi)Y<E-H{y^*SnGG}XGrwQVQOSUd>=Cs(3OIWITv|9J%T*H&qz?DVE
z!5lNS2&e-Hn8X1{@nP5L*@Y-V^#e197Rjy>EYyK(OBUa~{JA~ae1BM#OF*T?o9ik#
ztb9(CoSiM64ZvJibCoB3!tE`EJ6nu<+m&|j_pTazuM&91`S#I7BW9SDjgyRIYe4eB
z6J>sM$H_n1;%-02!)eCviIhJo`_achH^bMMIr}o=G{<>WMj0amFa%~Y7gqz+(Jno;
zSSECClFB)Uc*SvKfq#kG0yK?9!&n5y!UM>IzynDQKntJ-fV!*14P8hx5Sp(GR$4-D
zowNA%C5!J}tt2%4-<#-H5}jY}1w7+~`IYt-JS7+<Rhjl+@AKAiR#r<@4If7el$lC;
zD-e2prQ%2RV+2gRe1BKf_DLu!oIV!XRA!A0#E%E4g5*^ud4B;ofkXQ9Vq{UaON1&y
zX$DZTZH--L;A1Ab1xxQ6YyZ^<ehtCDg75*X+ynC#6Xit0L=@IN@z1v*?_4nW`<t5n
z?xvx?d96}pUv5>U5A*Ri>zJyuP&*W?9u5sR`izYpqZbh}O<1f8=ECa#9`$;&j2O6r
z)s|4J1|FwyrhhpFg~dv4&>*Is4dzG4h6b-@7cT@a!k@MB*+%974F#|OS&6|$2H>+D
z=4Yn8F7Rf61!;M<T(ImeYfvL_fJRMh(-&#@R+d|WYYT##=c{t(wI%tTa_XeuDjaHL
z2?{OP8H&U?@TkW!$w=}NsC$aEF*w(*?5B^s`b$7706T@tLPQ3GgnTAizPHPDBH}zp
zKgx-8{pvd6jXqvwl2gZNXAlC;2dGg8wO|o07U59~ie1#|Krz+$-J_jz0)Jcwt<ZzJ
z(gI&wGW6z(rJLu4F3nq-4~0(pj4{Kk-I{C2C?V`k2%CMv{XJE@x2~oS_Gxr5rQRf?
z2S(&qFu047o{BF^g+)yZ71NBrAr`AkO{rUfdu>suQ<o#LnP+Y7h7Y>FBmk@$M1}w?
zI9n7lh|<FL;>=^+xv`Fc?tdN8Mfer|1WqzQ9JH_2A?mtP^j}(m{MFm%?dr{QHhkxT
zQLAksUqNXL#5t%Jk+U`A)*zxFF0kM*XfBjsxn<qU9pRN$b*^aDDsEKmM0ikt95WGv
zgDK(GrjlDv8Mn4rHhUb8Q*2Ii+$#-!W60h|DO*6%M~bxcIPt9ePk-9bZd}lRUGFme
z<1J@pdq}N+_?F?D=Pfmk;bSt(B<I?KAKuiw*tD)<fk0i~9?}0yN;>a|{78p#=V&g%
zukfdEf<L*%0ESjVpRRi@ZZ0?E#yb~``#0Auf9sOL>YR|nAS;K{?}*fszNqe${5Y?M
zbe($DO1-jR(GI_uT7Pm<n5mQ(8i+Drl#=u!l1E*(zkRCo-EEHUY;$jKOq(ot0Fv9K
z*#8IRZea2t#cW_VMpgh37OrY-yt#u3nMqFX7@>=cO*E{)du`d$Vx!_+9W|5GebDtq
z0h3ju#1MlzuHuHP$cb_qkHmA~*aw&_?Y$Z(o*YiDi&bClfPdA^Mo8aTsM~kmzF-&s
z+c!0T|C*&vUErxo)PWA^8#Nc04}tS-!PSN8bEz|1Y^vI;$C*(7Im}ebhcWQ!KI1nV
zN`CT@Yk&5M%J1%QyfxzWX@>uk7W^+v_FZlDM<CwAU@gHP@}k7l77M4;2cl@K1@%Hx
zxHsn7IECM7fPdy{hkG%{xZ^Vov85)c9SUnpoR_Fgb2^`t)Dh+cjvJ$J(&{zz3IR$H
zweH8o$z>210l=#@*PdHyAiOv)e04$S+}!Uv8WBEoJVL{NagCQ}6$7K3FwP*uh~(*z
z<iS46{T-G3c2o7A^r>4K>}!kr#>%^}=Dwax_JHo65-bo5)~0_s5QAPbu0zePg&8NT
zE!5@ZCR$eDzqx8@xgq2^$IB#F7cCqGPPBFvJM&7RRddN3#E6E%F52z8Fy2#4x2O1Q
zyz~l3!O3M1ud~F&?<_Ut&FhPD`HdAj_s+$tv^cSA91~V5iu=Qg`71xZ>)M}w;^<pX
zRIz?QI|mWJpOk;}3uEb@#o%3Cs5L~R{$a`T<qp5OQ&^9?L~1Mqzt9x!O}IWuIcV2~
z<__mIM-qZK1QFmlf~BU=LPIF@z##a8m{!LbFG3&?RlpCYD5mMruk;EhmqA1r1WysX
zz!eoZAoUf7#_yala$uT~3}ce*A<KgUlKZ<V`RyhTHv4}($Tfzgk;kQx53Q!Vu;r(S
zA9wNm9U%d_5yps%_B8{ddOuP!&e&SP^@WC-vj)Li=Pg!RM^k@!W`mMKPf&9$90n<t
zW}2hvD)_yKicw6CC7%&qSw}*z4(~_A2_Di(tcbA!Qy8+Ph1lmbX*x*=s;<;10UmW3
z_xD(CKXrfXqaK-F#Cn`yf0*D_TFPA!d}1v&t&tvp5n}awDuze6{3!1h^TE5mV~0ga
z#nT~`|MZdb=JtrZ!WjO}B~y_ckD0?;fgD;_3pIUUWkVK!`B44UB;^iUXHI<8HYh$o
zg5Bd?=`Rx}7a;6th$N+vc$%S%GFW4AsJ(RhnE8KLWEv7>m9Et|h3t+<9`%&{WRKI^
zPkFf6=V4OPu+Z|@7~Hb3cTp4%kUZ_;L?_Za35M9rJ2$KXh5aeaC?c_fa<L&DYZ1P4
z(c=7^rJ8s2lFM^Ii;c>dNL3yoVU*J)&w+O^AsHud9ADYoy<CHr9-!O(S{dA&Hcsvg
z!tH+s6fgNMR*2}*ViWV<zGV3K59z0cLRXXTr$ff=O@&{rEBWyq$Nubrqi=1hV*P;j
zx)I+_O1x_g{ltj<xzY9xEN>#l7#Ni}jUP@LmJ)h>(sl$Utqpi@tmcOaHR_&FJvg40
z@C<6kI<5oD4WXtls-LLlFrkiR>JTf>!W(}e8BXvjK)y6iE`uoKfazu>b^8$&z3B6O
zZ|9igy=O5~K+H7|WrV1J#5u_*AskGIw#Q^1_b6LCP|?S`JlY@A*b2rXv{_oYYYjez
zviC6v4uE?ar#^Y!O3}x*ZoF1HAnr$G`>_OClyn->v4YTC1}@H9s(VKl-1D5nkFtLh
zx&qflFiOpeQXK3KDI6r?dY02-`C6?sZVv@#u(<>A6htfdMnOCVEI}+|Rvr@s#1>E%
zR9NK7fK3T5G^Vw(T0`3^@HJftKDhvi#wnW3?X+-rN+U&o3TGHsLJSRG;GI-}90te1
zq}oGY>$0qM*=+S0-55McDJu+hlLCK_M=?Gw4IZ+Q4XbF+YBPk93C86FSbG7%@eCpw
z>xTIVjFg4-{)FP6-dEq-9aAkYHR-Fs)kS-3wm>x}5q#^Sq0ke)vcUD9+;c8uyUa;R
zO)A~jm9ZZha1V}CheZhD5a0lS3t<-w_w!ep7+5MR`F^*AXA_8;Kxz{-Fou7@80q=p
zADFIwO>lyT^j;45z0&f5wQ4fWDcc#7w>KemabBL=`RR{gnnNCUS=J7ed9Y7rZJ(1*
z_i4N};%E?2mKqFQ!Y)W28H<lijy1&oCUEbI6w+TH)^bERK;wp3N8DjdGD_Gt7G^F`
zOI8qC0j?}qY6i3I$LGgP%h-Qmp}J?tQ{s&hYI_Rq=71Z$2<@~$!y4Oj9n?L?gpQI>
zF#^TpDu%}lm&hsr5P`8)3S&`Ni=s4=WSS<0#w6F6ShqHEYBC_)7?;2lkO@Fz4Ay3B
zgEJj8C&_Nom~Ky<`8WDZa*&racyz#>)uz<iH9;#lnftUqCi(GQNB@7@hRP476ps?x
z9jACWO|f2zeJsMe7IwfwBLhqjml5D4cv(n%5hiHho@Jy^HtkMm^vj3pZ@N>uoRx<1
z5_n_P!fzb!GL8aT0r1AEP~d95wj{Nmeylooww2e5=v-+eZ}^~QAgbZPsrlmgu2sGw
z<vUPH2?KyJWOD<ZYnXqmgqfzKM+wSt24jS6X;6R=1GMi5)<y7%A^Q>LuWw`cD8U(L
z8K1DK2?~Z8GV!Cdpi7_bvo~Lt;KqujrDoM-IWD(qnpczWTTeL|r?it4c%Uu4Z?(M#
zk;hQwfgWzecxfNZT8;=^v@RMLSB9ywqm)8pm1zc8wt@yxWlMiBR}=V0%)IK5LA=O9
zO<yQ*;3Ng=b0NY(M9bO&p)a=XLF%4R%>#K3$agHe3OsYmwH8ts*j$s%OGuPMCMjW(
z5ygd7SxHhDlxcz9G@}b~hUKKBc2dv-%w5^QIO(2cZrF+QV++Dq3EdgQn7^~l%b_m|
z|KU2(m4!+O;i!N65i<x5EyOHhfvj85hZg2N7`u)*ih*v9v+yt`TM=3p*C47CLEewi
ze{Ws=pdTSjH7G7Ded}Un-*6l-SLNE3MN9wS3IFZu28FH$sY-!oRD4CCLo-w2L)Tvb
z00Gv5ML@;^S|FtXiV~D-qEQOj9kKVgN1eMn{Ef$5wQ7GN`F5`9o-yvfpxL~QDR%x0
zRp+I}$rH#2W@_sEU_!K*l=RJ~173a9<zTgC-HRQ8tB!XTsX3tY^TL-Fth3Q$f0}{;
z8zELBpnH~tn2XA->AFE(%qVf}B$e)eX7vC737<(sK~#pZY-%1>MbK~+NL!0e_<1Hd
zlKxh;S5JR)HK8LM3F!C!1yD6hv<1c~XnQ0$*QQ!45PzYL&Z8dN{Rz!Y5=sX#6XxbM
z#@)(a@$5Vw0H?B(J~Aj<iCg1<6t0CH7F{L2%W#%kLhbN)0a8}Cm#o0u9`SrPCIRRP
z9O<E0D1pHlYc~!p%1#1@rUDuRC`K7CjT34Yrt*J0pASLJ;AjDInwaT|HGIKJ6L@Xe
z(xr}Y-LKZ_hbb*ja|%Rg8-A^ieDeDm1TQ^KL$tvHqfCVhz7Q?CN*aZxwo=l#vLMt6
zEA6MF&P7B(z5~iNIZyhkK1oR{#=d|i*3G8KCufbEXMtgkLZ$HBX{Mp48Py9*UTMiQ
z7G8hgf&9Zchr=&Npv-pX9aWXi%>cC21kHsY&jpu;yuA^(;~Yk@Y!{*i2p3|cgEOTy
zd}^vDM$I!pawFtSGP>q4maldy_Nngx?h%VS#X!vy7(=o<Vu=fsrDjeIX~$7pCK;Yl
zlgY%Qa8h_)B!oT@XOond$0^!LNn|b1saJopLeF8l{=(rpz+6~)yX}lwrWq%NL6mDs
z1UNuCn0(dW@p*81vOh)LTGDAQu9uW_HE=OMABqZGsJXCWqXN(WpcPkdENxM_(3XUQ
zDFwrrQY(09(@qx{2+m&r-2zF0qLzZ3aV}KGIftczmutA%kXLgnqafE2I9%PjmnDBt
zKFcT!YWSei5Ozj{aYjXyA&+t%J8T}AWYqtvzw7hh6m_vC0zFs2XWwD!Frz+6sa_h?
zE*)l);~MCAE-2TeKHcZq&X}iG=o2_{fTE+%-dSXZsfDf;@Pk+gJ;jv787+=eY7b)K
zT!R)H)q$Jn^j4COizo*M2~(8AbR&P(lN3EBxmU)c{jd7FJr7P(I8K0xMty;a;8@G<
zB;^GnG#8uTx(BLxNAJ!MfdUs4WyE)P*gcr=m|@q9K^FxQ;B3{p&p?1_iM*LXnUMw+
zNkO$t!-;ZoOG94ZfnD|4;uYZ~EV<&Gs2>saA~sJ4T=Zk!5sTlJ$?#0k?oWSTn>P)#
z_&icf)>=9bU_L3y)fUeAIidORXf-uaRc?$^lKXqg3?dq7i@jW91jqDIj^b1KdtMkS
z4P#s5m@VxQ%cRiUnP!+fn6ip<Qj2vt5hcgdz%(Q5j2Sy4Dj)SY?M1W+vG143aObQ3
zZqI`kAYMJy$VO8RI${J(2-kn298Cy?3k~7=;R@>Wc4zpogEC4;9v&#$k1<UO>cts)
zFxZA3j!*NidI1n%q>&C%TWb%j<t*0}<R#Q7A*VFt)?Bc|;8`Yl8A`6%?tecfxxc4m
z?LZ|@2GkoQ^pL<Gl*wT4tNn)0hZm;qZro6_!$Sy{d5KHL(h@*SB)osn0JV<T=N~47
zCq1HJLdhsWca+jD6m1|M3{T_l_zED%hQ_K+!j9}QFe)v#;+&eh6Y|Chxt+RDt0u=*
zO*tu80k#G#zxY(y+gob5JEpa1in~_yU6YP_U-kEU9=y2QnNLa^E{~0d%?;)OgoQ<5
zh5Uvm<hw`f^Y>%IgMEL-&WNYoDenzq-URGA^0V6R{X$q2gWM+d0X$AiOKw(z`w_c^
zCf9exQB3R~W)eOHbJRZvV}Viw;|#JjWcg@|?YnDE`RP9IPEz_H&2dX-{0RD0oA-}F
zko1iW=QTqn0xqMRR-&9bnP##U)Tx77fjrllWPeQZ;ifW=4tSG)g(?<jL&X<~QUj9=
zSU+I-*#l*N{=g|e-jlzDmVepf!TyAHql`Wj*!!5q+lQ>)Glj39Vx0(dtB^oaCbvgK
zNt|P0kWhPXOf=5G4Zqse{!=w|lmkx(gxi~pUp!R!bf30jjbCUjx1q`d<l{5<FrEvC
z`dbPZSW+l7yxlRk_NEkS1Cr{1heL)gW(WAA28fxhIp>6aTy>}(_kS37cUXSCuI$f0
zb?nbRQTWYc6>ao+Yn0-4R?7b_H2q&)=yjA^6Pz)kBJg4}$P5P9N-?^+r|WqZ!8LKg
z&9ty-l=6k7!~zpFdXe$YwJX=C(5ucS0-!LEI3w8^6V~>LZa?K@Z%qAh#_QJFM=13U
z5<Y8utmnl{e=Evs7k>-ov)j|82Qig#PB$DzXP9#R;=FY_p>R-%LWooOyvrdMu2R!@
z#uRm?-Z;|~vjT{%^ps0Ol$Ai76UHep&d7`s()$z2p7eRTHRO1EgmjwG0W%&k@R8Mc
zPm_L(`0*FXwVnxll}*9Q1vm6NPGGLoT>hr-+P`hq@Xh(qUVlE{mew1~7S|UA7w0WE
z1CRyKkI6pVW4qpEdE6u39n(%PqTh@%`lYq@XBe8bzbqSoi#3Ea58u1SP~U0S@!iF`
z{a)zF6;~m27~Y{IkT?WU3f5DwjssCFpJfz95LW?25M!#{kHQdX11b%;w4g$RwE?ui
z8jD<nrlr9_lz-AjT;NHR$&=L5rUTh>jM~en7+|y!;|#Cfeia#HhROvu!M;vb#?$%6
zG&2h0Or}o<>R@{)tHYRD`xB{OoTs1>z!iZEVk#c)Q}npU(awmblMHKC=+_|n5L)d4
z>tFBE>JPA$B0&oGa%zEW9H~j1QY7H3r9n$X0sssmR(}j~+0N!pP=~V<pvusmQ@t^b
z0ZIcYETq)cnWMB2W5^0f6G_1&sjDz0;2<~j#2VRv$P<*=u1=}1vGujc;x7Y1fdDW%
zH|j9F=&(L7;Hz~XueWRXM%}~Jz?Wsks1sldgYh)O(<tM$X@+}gZXd$ZCWsF(btk~R
zuj2vz%YVSd+~o#HwOly!0<^R>4G@PA_+a=T@?3_;WIZNwh)J=40f1SUi5v!CNvyUo
zVo+)kZ7r2XkXw-i!VyFwut{B31r+i!voSO$@QN5?n|+;RfL?|G`CZIkp964N!Fihr
z|6Y;YWQ9urS|C_h^t8xBYj8^o{TgNYDPoLXX;RPr0bJm612r4M^+G7A!8kRr)L<n5
zlMf;18F?RuSPv`&A_I#`>c=7nA%{=`iwR6NMp}-5{S<!zW$gb4esm%QcjEJ600000
LNkvXXu0mjf2vFCE

delta 20904
zcmV*7KytsDlmeiX0<eTNf2PfGU00Uq+UE{=a~?4e6K7JQBvPX-+p=6$uev&3zy9#z
z{m+i*j;?Z7R9D%WY>663iX#Ys#60GF^X8q;+3&+iP?SuH013(>-76x4AOk=q^WL5N
z>|w2ioxK)zn{5mR9)gjcRusi>JrC`67llF&#X=s1LSFxw&mo`7lLIyse}Dc+_llWE
zzJ%JFP)dnZ$_IbnFZ#=+A|}Th$d5$5kGdOXStiQmBF1WEjMehk%$Z1%ggrkJ(Dy|J
zz;O`Q0Qg|?A=n2|s81kv3=1(}j{<-VkZr@J07`A6nA^snu?4gq*(m<&2MBgU^s$Fx
zd4NQ%!9oTs46ri5O2A?*e|4rf1EL~>-;qj`%2_q`?s18Cj!V??x|?MRZGdALdIpj)
zwP><q9l$e$4BfRdbNcHe1~Z^WH{Cu#T#!H}lR>#uz*xPCiSY(rd-W{BFwzT+et>>|
zfL6PUUf;!FFvP$cVlW(Hcdw15<u&+zfG~_8m4aayuuOAguaMDee;PR*IF4hFcpJuO
z2g`tETQDBeHA|&L9LEn{iywsW{Q!OtA_zldY|XL1^xAp+(?5KG(<kSS{5=DJTrP{_
zvr{PLES#9kVRk&v{l1&FI=!A!SOn27m>m!m0h$0I4<H9Z27mz;1mcH|P()x7AhclM
z7Fc|PY}rTfvkeePe_(fr!S3h~{@Cv`Q9F|ZvkCAAhQO?8AXm<^b!J>qqwtJXH3?mN
z7@6l1AfWxZ%y*yKiZ!R($=Jx}bEsCnTWQ&!mv}=T&2|^9b{FkV5A9AD?M@$^ZV&Bl
z58YlL?uZ7PrYWL0{@#u4W;{5VjJ8QL4H!azpjX@t^YM;ZfBV@ki4(+ef+&s=MKSy^
zgg5k&rV^{`n_y<V_x2l5il0l}V_O#NvW1Kx*_0hjj}_xm&h88F8U$`A$(sOGz$k-I
z0Z;)@29N`g0kJun_C7QTV+F<#K%{Hj$1mvp90KH^kmxM=R{c~9!2MxF)7RH&wvZ9!
z$r6jkQ+T3(e-9+|F-zFbWqSU=XvQ=j>^db$iX=&(9zoi8U`CVA!LsxQ@cxY&#|h#j
zK^(`3;sj9?BM2Y*gbzXlVT3S>5Jmd?lO#bh;)noxB_U1IM?N>8k2bk%7Pe)M*7z-C
zGFrXe8xh35y>SOSyG;!J07^*^Jz0VAX)*MDtgWu`fA;p4m!|Ow3A!#)`IU-!3AV7H
zgasxGW@1AL3s45w5HN%Z<_wq(z4WRi2r(1|U>-nH4?);|-1ELj0m1;%BsJTX#kakP
z$L4oMxsv1Z+j9z&<)h@FKOYDoU>XLj(bPOn^v$gvVG_Epg=^b-4)Qn>lT!NF7RND$
zegHoRR50{MkD;&s&DWw5aU4Iek=xhOeWXF@D43m$t!FV#2Dz+*d@c(=h_JD_4bSr*
z3^r+>qw*ZUtN>PUT^F|(*D$}d?)gD@4@9?9n9B$kRuTT_uao3CF#*?;7CLtU7n6=U
zLVx$_Akji}&x<iGrLIYsx3In2MBg1?dTIh^PoF@sSa@zLGD#fqptpmat@U(ub2nPv
zYPZrv-3QE7c<%53zk=}$T#*-WRdp$W2N#SD19YQ1q&uH28of{M8fv#soT{f(MQ5qi
zLZq)n5uOulTWk6ja#;+#A=*E1js3YINq<wgu7|CiJ=|SfM!VC+$>TG4{lYnvONHn5
zyq@Rc{^D(3zIP|`y?#^5WCKdAqv!4cTR$q<a};>-G6<l6r3l8EJqBMJL|j<dqiWF+
zrAxDvDd&hLN{qaH$V0J8fVih0>iONUwr!(PucFs?(eDqi*J>k-f4)X!`$sU(8-HTy
z{wfylufiP+kaZlKoSVVPxf$ehhch-k2$V{p(g>Z_F0S5~$Bo;I?!fi#N-1xH)7|Gq
zkoqBB!~oIg_#IiXzfP2}5Q%eJJ#p;veNzZZ#jnpO%G-xbBQn(Lg~1+BdVU{FPR7P~
zqmI318|_XH+q+GK;dB2Wd?qk6nt$yM{&e{YzP&Y%TrP_<C+Bc{b_!!7Z^EO7N+ZPH
z9=0}C@Y&aQ`O9m|?S4P_TqXECP0h!4osJqWZh&AbKo6Vg*qM2$#J8QHD&N=;XKd53
zC(EF$B~f&6AOUCqIzYl5Alx3+A&(`FJQK262Q$-?*x74gd36I@+k5EsU4H~YIC8!H
zd9~rfFhaN2$I|^(+`O}Zy=EJyPtM`uYp-B(Vhs7*(NY3**Gj^3d%V1~h#R-(gN6HB
zy`{C*k_2ubP8Q(PbD~H6C4OF4<M3cbB_@Lc#l(Y<W)dkHMTaSCgNi@G7x_yN00r0;
zpmISkE#hga{U^L&W|*ddet&;}E8pJ6&<}9#%t?$l>aZ>AXGeK$b-MWW#yq~favj%i
z-9;vo!T<H)`*{D|OPHJ(d!!xPGl5fZ8en;O8UOsRAFGf4bgi|#(Y(?3{L3uyB?f8(
zSc&lynSH+K0RkiisgMjKHsD91L4>?vz!rdA%>y}`NsN5?ejKcebAPJ@l+FN|x}K<u
zqrG8?bfMnsxwwAou5OpsYbX?QC>0CHjnqy4+6=!aiqY%4SiHA_KVQCryGtvOQsVT<
zIsDxRzrZVJPa&6ej;wpNpE>;DfVVeS`P%iH>A!t^*}rz{-g3|LKMSMeOC;$Ml9e8Q
zLMPl8KS1Cz(sB$dlYcTHQ6O%6G!~?&RI^NlEGTCk#K(|zC(F!hp$4-En1v%}74GZV
z4m=<0n>!f#dYGrA!tC@UYSqevA>m&Wy}pb2#ryd3o9p=aPhX<%dU*G(*B^L))T-r&
zhJ;4|mVk<}y|vDteDaC<?DMaNH}9_P?X}(OagzR9;)hq^i+?WAdwwm(N8lw05HR4T
zh|38KBM2pNFF*}I-Zo(w1T&WbGA5Jp#7v^}s)?B!Y4Ywf3vpyeEp4Z4AR0}+gD}GO
z&K`m=#Kd?5#X?^5$$w(%-+s3$3?sDK9W35k#g|vE<JSBl+T9)|#~b+YH^0DJZ@h}}
zMh%YR97%BSNPlbC9}akXYn^Z0xS4+R*%#rrw-&c|n!W2iFSyJq{X+IvSAXi@0A7v&
z8KJ9?l!tIsEQBD%WHbj<?T1t>W|;CBP}bI)y-$RSH7BHS5^(BzH|vN$(TN0#g*=o}
zxVyNFW~&3!G+-G9DhKdBd>&AW(QI{a_4*xr_Qf~&=zmXNqTT7?((A9_x4(K9Z@uv<
zrjJb=Eq9(%a2jG~lsP{A(-+~@TlahG+wI%KQ2oz1N<NJhZzJsf_(I8Z!b=n&P(U|=
zRZp0ZL<w<cC<;=+u`QSYEXM|H<4Ku>^~#B1Ylfj&(qD_CZDksUfkHk9DJ8bH_b?a?
z_3C;QBY*4YI`Esz001BWNkl<Z?OWp^o3`h5<VsWdpi{NBxs6+Qmhjcp>$tnL4A=E=
zY@&hR{^}jPed#sKOi!Y8L{oEC5-cNlZkN~BR{7fX8|i1Cf9YSlxv;ak-Mzin3BHIz
z`AO2{1%&qk{DgJK!+4njL?f<Am~h#I2Q3axdw(v~IzAOG0dg!*!QsbiWbvq2htQg)
z!q5f#{!#0QK%|322yH#Utgx`OjFt6G?ck&oDy0Gn`P|W-^?!gc)Xq`!3-|GdPrtw?
zfBp(L?<|3t@r!pZ;&&hX0&l+YDrTl8k;^(q)`n&oL55wdEidx_`rm(4|Nik8{*C$7
z_J8JH@1`Fm{~U$sCy5Hy5Uu!leqQNM#LE{T=t#sJA7&$DLL8;6I=;vzDcLk4C!2;=
zTC@aU3jDxEnjiT8ffL=y%G7o7PNRT10_a*qZ};xc682hcxC0NqAHw&2ZO;~I9ji1+
zHP32Pz#leXG$)=BCkci_ADwO=o7=lsT7O={?fE6#xOEpd?<}I#?!s|0ID7gyK6w8f
zy!pnfm^wCrQnB!C!7-|FWEvszduTVecyVz7Uthf*fApuX``2zRZfx(lH#%-`ISSM#
zNiVpIXydOM9KcH%AS1++DJ<nOE0>9e%usDl)SClQ8pZ%Kp_*eVjB3rlxZhZge18Dt
zsH2tDL2|@hElpj`ppeg@QL7@Cb+EnL#J%M;++AA6y_I#iu7@<$a-p_m!!V6Q->l4x
zR7woIA-1-6ar^EPKKtSu{PEMv_~^6CxVyLvAqb~W9>+g?_&z@T^?NvX<|G>RDx8dc
zL^TH^8g|j$xr-a$UcrC+m(SGy{(t0}yR@>i+U*a&j#BmeG?AYrD%wP}{#OqU;Dw%~
zKMA*D4A4S(PC{9#>lta^XWNeuFwBWKl|^P4=O>jIFEJG}Ot$$@ZK4t&?gHK_(7CF!
z$3D~0Ea<xA2w<8f3I!9>BQfc0)<GD>m|wVuPOp!(^(`pH==EJ}?(AZ`p?^i@a=9#Q
z+k$19BWB=35x!6Fm3r-6yIyHhRk!D2XRn3L?Om*`Z=u!cB90SO%0-+za}sY{IEVM%
zegkteQ*bgi%xCPTu}Z-*Mi30S+wEa@dyQ9@ZsNwRyTdQ8%(reY?XF0f-b|JJCQ0cl
z^p{p}#1;n6f|o-Z=EtFh>3^hs3?{u&&eD73top~X0-v3$vwd+!TE9Cl#rX*(_O05!
z2P3Nm<w~yr6CVQAw}9d){clHzeGa(mdf44-V|8Oo*CcD3*xK1cuRlPXB*@qn>a{9r
z)iP?8GD^k5$T0M~_8c=KNm7Ji1aIi0?|SI<`)GIi@P<B;Bta%)qkmqjU}kC(r%%pd
zZe|LT6Ag^jYp7Mr4~BrxnmJVBBlTO@+*skSuijACZZ4>s3+ueT-Co;id7pRs!>=XF
z>uD;N(eqotu8*HdZ~!lL26=!4{k1MI6C#@#cw~frM2_nVw>eP9h7szffl|+>%<;Oy
zWJ#-{I3`FCKr#UQEq{H<%=~vAfraB*1!dn<=NXG=(=cFWvv4vF8uc0`CmN_%wX{!u
zA&b@ZExq|0#%OnX2!as({s6h0gUslY{sAM1M~uNF8FAAC42PO!$gG7B#v65<IzEGQ
zXHVkwSI=T*dJ@G#{+SmKSxK;pk;EZ;g8{moCiZqVaPR)T_<!oRH@%zlEB!kwoz`}1
zI4>1G1=KYly{E6y&kuhK8Dt-tdYR4DtQ^nS0vBwHe^qjDu~y*I$Lp$kX;#sjvkDhy
zBpoaL;K*fUwXk*JBv5->dxumn0?y=-&PnzK=HfVpH}tiNi8n;A=c3i=qSNi8)9u3@
zc%wmMh$xOB(|-{si13|iiDe>V+sHZ@<Z@XQ3whM4WsEoKs8-4-7IG*S3n-Tg$YveQ
zmw(obkp@sv51r;F-(S4T*KRH0^KV!9-uhnO8}!!(o`1XVMVH(C@HQ0IAkrrKYaW1~
zB`M}_A%pBg0viDWY$w5qcG3{tI1;HB3vaW>{pNt?qJNa?!-xul5Z1{C8)F4VCC60A
zFdQp@NCS|JbQV#OF5ru&M_sPsNc7>^`X2iX!F?`xqpsa<qbP<u@X+b@vAfqotD~iW
z+`$k--+#bLq)~vFmI)`5K|Ys7v6x4tTtdB8L8Dg1Sfhq~F86Gz?!2#woIoWZqA28n
z=b_*0qJQ1m!S?1_y1Kj=-nzT&eSU4TyS&xgB=91LuP3Rz48jTqD?|KD17jb5OBv*0
z2#k&8kQC}Bi5X^bwwUFMl|0@rXZchm$HfzMm3eDci3?MT&P^zc7a6t*7^ba*Av>;B
z;47~I^>=lk*tO@P2oGq=Ynp1ygfNN_#j#dJNq;r(Ts_32CumVPW5g-99#$r?ZDfu>
z40~TaCyfS(20Pf>+2FfN_xRSrDqp$1MH{>AVH6CTzV9#Xw1aOtJ^v1oT258E1ri<f
zR))})%s-oY<5Boq${-Je(JUt@g@e>|dWL}O#|VOi<W8SJ1YYkD+<?&X2)iy}w#Hn`
zGk?n21O=y!Y%nA{?7>Lf?>b(&X&^J&-x}F8AC<<I7EaLGyv5>AxQ6mT<ROJhW28xl
zFbpyD1May)c6%+j?Jex?Y$VI~mxs5PHV2n)@3<R#Zc_+s0AgNAbw#pRL~pPQ>>h+i
z{<Fc~Vg?}q0)^9c2s&k$^r~s#5`YUz(tlY6i~+E-7Mt|~qmpGRI>1y#@%c%G^AieZ
zCl#hEM75%YY_6bdliU<gIISIVE3avP5v!zy=w4*776Fl?Zj{^I!`|)|?yYR9D|a^3
zy|q1Vwfi*ihHe}NYn~r0?smhQ{XuY#3~UG%yK$IwG4#FXX}0;i@VAsfEZ|fQRezK%
zMPp<dvj*|mg2U&kc|M=DF>4a)hQW@Z6>mt8_Co9o1%{D;7Xi%yVY^S5sWMNL5>#>>
z6fzxT^G(WD+Q`&8$V4v8;x^zkKz3y`V9e=4e_xpH=i=z}AVWy7N}$pNX%Zn$5)PvX
zLqEh|81Zn>hwtvupt~zOt(|CjeSgdU`qsL;u-f*Ty>RFUvMGpHK)jep+yvwbT2b?-
z;*LKr{7kOWPk~cq<S}R1=4(Rm`<6lHEW!1uimG0iQsv`ym7grbuH}?j$^w?bq!`#6
z2+VH_th5F1xL`jfSOQeYFd79`Qx%0%4HmNvgQgo<Ow{ujs}+$i)<L;rpnv>~?tJCv
zv~#XqJ(6Pn$iNJMq0$g4>LVO>;kj*eI&I$BYw^lPi*McAQyV)y^xT06gCKy6TTvWt
zwtD`(?jXMBhv{+{$t?@Amw<YZaN+sGk?P0`l`(#ZmpMQL028H|LdLcmlFeDA_-r|c
zi?tlTU(WK0MxHaXHMY+mlYio5Ly74Mqfum(9l$mjsnP**XIo%#NAOaMc&#n4-6tA^
z1f^J2bBxpDOtV#{sS0DFq-d<jsFZS?$=8u7O~I+2fK{5KOlbyIz5zRvgJox7S{Vq_
zhA=ZAVSUG7q*3ic;_x!4qazWs-YHW`f@KORQ^+(yDkUdLf+$WACx4QIFoqw-2!kOa
zzel0h;c(bVd%aHFY<7Z`&8B~SVb5RL>IFS73Zq!LhQOWxuP4m+rNVtg>OO+7^)dv+
z5AiYwh>hZO(Xz5<g%H0X!bN62K2_nVH|J#i^(mEqV_F(>H5TO@Qy~M&TDntZ8CngV
zp&fPIkl;ncUIeVR1b@C>GjM%f;P#flAOx4Pn)_}UdRsVaF-kdu8)civDjAGda#XKo
zsb0>aS}vkesiIt|qfl<ZDKuc_>M%0p(NQe_-OiVA4o~@I38-{*T#As!K9bNw7!2Th
zE<DfUUVngAcfif=P;NC{Ufu3ev*VHP2O>_QRB$qcj5~3fZh!khvfb_no9-aq4B~Vv
zPSTcTz$IocX6Yd{hYw|opUsNMQQ;u(zFyT3X3+-9rhyC?lo)25L>NH9#Xt>!rJsv-
zjg8Vw0c?(gj1xJVF6JHeLCL|Z<s6TntgHN6bCNF2DtdiNVZ5aIA&(O#&zL|d%K)@E
z_H>2e*nm{Pa(_#}4G85db2-aUto;!?Lqcb$u;+#-Hv^P&T~u?-l{`=_I4GCPD3oec
zC^z5~8?bYAnAtK5D-W{r5LO<-%0ZY}2*VuBM)v(Z#QqJa4@Zh26_ZqqR4T|cB_$Kc
zG$NHoP-)0%<f%CHR2+Kg&>JLu*NeOTVYu5KgzJ0#cz=1LlkBvI$skCRG*N+VDwhat
zrD!KryscPlL17aKHWB#U<R#1$kHeD#WaJ@eK)hm@;x!1KAZEh^+EVacC2<D@+<}MY
zPw;x5jM7X2u+Bh;Hw{6*wJm;is={LzCRO>plhQdqsl-%;(I_xVS?yJLm^50-GG3pS
zXnTZ@?|(7~jQ@Hur8lM(EEDJj!1A8JW{=Pw61gE^wN1R#6aa%rD3IYn7%@z<3&UE2
zY1uGM3zliXG7Z?a#kOU_w(SSD1=?cGWWz9+h!iteGLWW>Ae0nD2@S&pK^TiDNrjXO
ztRx6Z38X2pj0ke5l<cQz+D;PH31itA264AP41c>poOV<y+pJVirea8@^hr^u6a|P8
z!tw(I2!O2^KZ7mXp9((`ASWE;Q7IORCv7|PPNR~)G&xp$&9Ti%07e+ecC+J6bo#?e
z7(_<TKD~ra(EclQEp*$q(a0gmH%!w!saU*G&GNgoJpXE@!n5a(F}*n}#V=1uaiXCp
zXMY3sQ`X3)016psD>nlu=RmJdEBxk+M8;ycAz`M%SnCjN_XS!5;$8p@BSM$}iDV=)
zMJz)^L)|4y6`<5eW0x300H#5(O#_B$j)+wzU|3Kr5T}4-ib#mQlo*DQjQt=<T|Z(!
zN;!%ZOQ|G?QUa%jKx_zvLSRThKb71`nSVP<i4G+7V5lxgb`Ys1{LoDw)sB6<Z_7)K
z#|KCr6*FVJY1!s`)k^-?ubi1V^Y_1cy>fi2krjeybEjMQ_{%$$JBw?_c3RyrBfwX(
zmi;q2_^AU#05dk&n6WJDHv)LuAiUZr;P|gj%f_WyX<nRRoTw|R6~1$#dRj!OZh!T*
zJVGjgtj#DmIvZIdkHoyKaAq6`5``oMVhPeg04OF%1$ZH$J=BlRP#cc=5g|x{I0Z>X
z02m4qk_F<F;0J=-khtRs3R4V)VayZJG89^=l!Gu)agrdCKnR8pp*&U;LUAmaQ^6ty
zaRSA$N;!s+#7OM~j2ITh@F@az6My^-Wr!!?F#$4@wJdvrNW9&slz;u&E2l2L{l=Mz
zci(zLoSdB`Aq3X9TG=2q%T^|v6Z4C9n#L5RvNbH6j^I)MC#XpTaK=JDty+$lbxd*5
zH1XSV78l3za_;=3D!+e9iZ^E!of%iCKcl`fv#ve|0by}hV67wISinS)QGar@7=$4J
zhjexs{S@$n6P&hU(;n{o0n+w>zE9*ugdo-)?@6lb969oT4^y3mHhY9H6yy#`L@7~}
z(h%T9Fs*~xgOolD3XrBlnAQ+|J4|sa1)zR%NsyNSj}DM*rXfsgPMGx0#CZME|NW1@
zs=WX9MKL*f4242Li=P!IQGco(6Vo%(r8tVtc-}DS_J-}D5itsU6CU=S?@K>pAulVY
zV_YB-|Jg9{Rwc)?uTHAQ@6M&Ui_=P+7*iN4FbdAIKN~~etWA&b)ry{tj1?H?Clo4K
z9IBQPq%+M}fl<y9rYkxiQUyq*t*iH~44Fsk>m#e{yW0Z)!!&Vq&3`EE4d}I4B4Q<O
zAysWCY9fFKxDv>x@Rw5PZ18_F!c*eW0b<bUN-1}$TF#z0H9I-+`uVf;%K39-*g1$1
zlP;5$RH;;<n4OiCRXdJ@(>E8^dfmY=Rzz)JW^foMpF=>et(TKY80Pt0hJIPh@NdQo
z{L0BOm3?bg+8>;e;(zRfqLPCH2*&+5_A`eU0=q8Z&bGka9RW84-keo<eOjTC<0qSh
zj<7#Kw+#Kr|3z2y$GfDq0lKrJu<MfJ#~6>LIFTwoD+TXKMJ|H412kixc~tNF==~NB
z5^|6+EU*%Ygo5A*LkfZW0rXbxOV#299>+<~HU7UdGmSHEzkh!G)weI5uU>rP5;evr
ziG=yk_NQ(=S|*`U&QQiAb7^I}w!PaEM6}5e9i+J!aE~~%&p60t8ZeDZ2GRdp&EoG*
zHPqaDCsgtOc_X!ddrpeE22;ranZ^O!ZJz*!{xsk05k6fs@cDfM%T0l5p79T_NW6PO
zXDRz9TG|;zK!0-}FwnCZ#Hp~A!kAK2B;pQJ;vy{{;rl-0AnVj&h*?<1d4SFX#%TyK
z4TDNBm5HPf0`AY(!{Hh5$jfR8e!Wo0OuTY>D*wvq8I;PU2bp6ZTIs+*u~4M*XHUcP
zyxc3_-gR8Jf4<WnzSV3G+*Fu1Fhq!>`DD>GM<tyA(SIA|41Qh8@-OFVeD3YzO8nx4
z6z`r;Vy>pOc%L~iMzz8q1a|s_8=C^(tQy$p5b6cStH%`1O(;xP)K3;1fX+IlETfiZ
zRC1so=3+j>=i(GR2+`~#OR&W)^rv>7a<cvX4FqXUq!QCvOHJh+I%XMMHc8p3LO6^>
zD@u(m*nidv<K#x1h#h#+9f?c76vw(pURu+{8OO28GsnjAbJG(dpMCrxUYIuQTn*DR
zbNKsTUZA`ckA3>hy${=+0W8bjOMoVhWWuUz4hZ8F1N2`@S^njPDK+)>oHRZ>r+FLo
zyl#;m#d?5ZAWnhxuD~De7`VDFu-X==<QN~GlYe+;PGPpDGskmqKYlC-x(k;vfxOKa
zD@swx!t`Uz+}#!b#f!waBqfk_QUp`2r)ayID9scsD|ZIK2SV`c24U8=P-_%arkrEb
zF<}HT<Yr$*DiE$xyr-0T%QW~8DPtbP6Fp$%ucCx_)Og%y-?U*EPNh=K)N56;tj8bZ
zNq?9yY!kJ{1m3)K0Z|kd@2<4ZZSMBENh+`QqjN0;eh1iiwoZBhCDSop$y@YJ&gQr0
z>gwEE$Cdg1DJ3q>Dw--kqYd;3snUVb^$A-&fg2kFSJni!`Z_o+98-9EPT|!lg`&d;
zP>rXN#dHR+@_M6}EM1Ins!c;>p#4cy{C`A$#QkOg0CFtdwmv_pj3}jYqEH|r@<M8N
zK?KXW1$ScWfNSO^Fy^3K9S3mAv2dx7Q6J<TyjIEbL_M$aQ)Q@Xp4m1*K@4oW#CtB{
z<^TgXpxPj&#8al7I^q`E*d0CR3tg8yGC-t6MY6Cm*}R#}mtY(~`X!eyVeaGwYJc?-
zYx?T_!sc#krrGn~h7<Y_=2Z-zZPaAj7z6OTViq4Bukx|C=9Ky2S!rCFQB=zv-8G0)
zpyd&6ZyEULu7UX-0XG09%Z$G}FL7x`;&`1=bogNNlzsnor=eMg*<)JlfrR!$jM~6(
zQ=9ihZ5=E>0;zy7Cd8>eZcUUJzkfa>$sib}Feqzb=JvMuFK#F%B(sTfQK65WCli&%
z92ARFfO^v~#6M+Beq*A{;}<4X<-L>AIWwk2y}*>W0U`8&(+dgrTY|p0FT~AF<J|ow
z3PTd(rb3W5&bw&c4WL<rFDxE;=PO2z*$~2T3_Fw4Q`{%OvTQ0>$1pp0LVsL(?QF&m
zhU3?6t-RIl`9o!iZQw-jDbJ<`FqKinlLGWw!RA*kOv%c-$EES=q@rWbm^t>1q@q+W
zC2sc!OM3#hwgl#PbTK?tQMfoG@$PYna}x@Vbr3&x0SHSQ^5mxV%6sXY{@N<*ZQcC<
z$!!4s=n?K|c4F#(r||d?5`PKw1Hg}==P)Iv6E#LD#|RP#0OdGEL68uApL@NKEmU&1
zA*VMm*c<@(VKKeGYc~Uki<K<iujSOQj#bpDSB@$1)|?c-I;F(Px}tmrv|n%S&u1np
zOoG@jh#G^)DESHdiNclCm)pSD4$$<T<@)@!@t6Q1Q-Mer774>TAb)RJ7wuz>8vWyM
z-xgVmYwO$HOZV6JLNe%%%<(S#6Wzm~O{X$&GGnahm=ZKz&dJKVCuHUqCl%ETN0&L=
zfN*PD;Od%z&+i#%d4yVy@y>CHU!IgWKPfR)(F4H)34aJ{WX5wAnD~3mGIYiOtN73n
zOOB3MJ`gqmZw2Vz27lUL1O6J2hJWF>8>f1T?}mg%K^N<`$*AQR@19Up$N;tpqu^lb
z+ja4u`;nMoRt>=U2F0lb47OU|`-SDX0$`m28SfDIKUK2o;-xt?@z$)g-aDb_?1Vxs
zuQSKP8B>t{`?0dZhv%4bHpK3LOgA*jy&;_+!q`PV?_u~727kzd+l~mjEIdGfjJ~%}
zDAMUur>Wcbvgc1NX8QfX*-qcP)B^QWif>_v2!}eC+BSqyGYMm+#l=b%nd5a9b2UX7
z^XZ9s`@^_>mf-!Sz}0nqq-uG3h2;FC!rR9s-Z?HYUDfr*lMC`u&0$w`aMa$_q7J2V
zBcA$W>bcxB;D3zkpdtbEi@<PQXA>1`y(s`eqF=8Y0H?+nV?~9G2{;yLs>~3i5KBM^
zl%zs2Yg4v8ptKi}1C=d_`q|Yu2>TG31S+z?&I}CoPBp9EZ{+dL*>QFJy%Q4eoltaf
zMq#}8=nPE+7zE^PP`<|K`AW>xl(E*OLKxFDNKC`b+<$qxtMl{0BLhT$6#>Lb5-UlE
zxu1n;!_GG_J#zwo_x|gYx7FC6zFGWTr{|Gv+pTzr77o+ZDi}7v)r?J*QWi!v&$8$+
zWy}M9l0ODY0bv5Hwgo<2H1O@Z!2OnhX#j7{DO@<FaA8VeuBK4U9b)TuzaY;|0~3D-
z)ZYX0$A5Kj{Fs1)k=49*GY903>3U`7BcMMI#2v5-AQj+8gx!I_AOxy8#$<`%Sl_*s
zl^o;ESw+<xFkWD~x@OcrT@t_anqmgRxTu)#8g}M}1p0to5v0yD=(mkLU-;mx9DC=u
zq<2q9oNO@4*@IvAjKwrjRK~HAa5@7j3j-yUB!AC1rv2;V(E%b52~q~Dgk%~CLmj-8
zzTefVHzx4b#n+G|Y4QGM@7!M3>xW@_tHUSz=pBNq%u>KGY{P(Uo1l!rY#9fs0e&1_
zq=Vzzb%ASZdbi3Hz=^uTyT>Ii&M3^*6v~HH@iB8cI4ZAcVY$-TAI}{75SD%zIW22y
zIDbGgs;m3A5l1oHK%q4R+yGz@>IGoD^nH6d#{^B57>+5CF&K`Cd@MOz$)Vc!X<`s!
z!i`W3Be*1}T+HB9Ew3(Jm{wE2I4S9!<C0E~Dbx-qoU)(6|MHxnUg+-CJ{}n$hG1Vn
zS!ooQap=Qz%7>PL&lO5Ie)<CSe6~;D-G3-|dV>?2JDuP3J%eQ}_xXXhe#uZEBb6-E
zI3<oH5g)-@-y9G=UNCTN&A_fp7%MW~KP~b4l)_wHp;0)DL+(Sc>p<g|`jML*WsXBk
z5=m$#VQvPP{GI;!xCg)6$7(0RdIv}pP|PsKi;PC$(N@<v8#vKWC}bIP4IvhHRe$!{
znlV1VD{}XnG%Xb+2H2XZa^ZusvikO%q&MdjW~&N?rx0R^65`!~kUM<}h6%b#p$9{~
z@YD52XAq(`SmvW(kQsV?+b%S4*j#B@nf<Po@#Y(^I#C!;hVlGc-M$}6$va_rZg?Qc
zNfD)B$CIh>0>RRch=wsyl<Fe!$$xW*M`I8X7Ip<z+Juq=oNOq(GbeFjN+D<C@Y8W&
zX{u~~7O1=dlrQK^a9C%meIB}128tOV@qq5P@TiG<?JhRD5wezUJJ<7!LgvwXV793r
z`3%!oL1L`PR?cRlnisjLvKVs%f*|nmx)i@Tqr_`die{>Z&zPyy9l*9v*njQ`?6?&A
zvDk*fHY8s7Vd0~@SPENGrqzDGQ|ffv`Fw2_Pp20sFxIH!cfa|C$U2$Q`cC)!=1wOH
zqhuYi<)b`z|B0f-ZW5vFG{clziKMg_z~~LNXu`n;b&p0Wbz2tz&Q2)2F{3b9eg?jX
znb)n{@~c4cjGlKG&#*?kpMOa*HK2F~1GA0!)*?2$ZA_LJ=Oz?N*(Wba8bW82xtc=J
zVe!_i;$f`+{{WEB0QCYN(o_CBL@BU0AZ&Jtwq1ypCxTS+GMJVz%)C${agV~I2Zi9(
zIF6(B?dGxZ&AoDCI->GZZE!GhS%*%{&0y$x&Rega&LnYkdTDLv7k_?`B#Mm`I3s~2
zACDa<?IvKWE0xn$Aa58`wBwS!>ylxcjEwnon<a(-au&m}^m_UJ4I>WNwEGK~1zlK|
zU(w!%R`F?G)^`|X5@qBet#S0#I99tG==g+p<|NKfD3lz2Vi!-4Rv5AjP|5j@TmP)s
z-&N~}#CLWC-`*Bc+kYe1kFm+1HHdH*SbO0!$fHY(OzpLN-Z6-I%69UVlPAwoz1}$F
z8_OfB00|<7Z4$;RS;{(wwYss_*lBk2B*<k$d5CKP(0LreiV?Y~nQhcflP}bAm>4Ut
zUC6*{6d6V5=>o(J2s^Go&nIm51cHQcqM>UKgPx*8mYW8~e}Ai0-?J0CD|G}&BM-j2
zi^Y{a{Nc(r!eJl3Jty(@oWxl1ApY;q2WrGmS#Amb{dH6QdCBN(^~Agv<11!-h5qs;
zUhpY8@Yo|3E%f_=d3Sl&uQqnsb^B0B05WXQ4+YQm{W8)3NL(QG^j?vS0F{6^1+hXY
z4(LLo2Y)KaUw;{kvYjy{+XJ*Zl7PH0Fg&#i-1qU9HHiWc3&^e@V<kxV_~M?h>qU0X
zO)8o!vF@N8GE9nD#;eC91|jgpeFG~kfje6UiWz*bdv)O7YdAo53dl|$S#SVA7%SfH
z#Mo$sXb&VrO0W$*_c$si=EL9tKPCci^#otvFyyxzMt`)pCw7N1t`YDp3~J(MuG)T3
zJh~K>Jl`9Hg&<7A+3l7X^!6wXdoY~}Nc`a9bE?-O{7s;D6ByhBf^8t~=|JHWV1~g8
zS(#!w9^%*23ys{-001BWNkl<ZT>(!`e7;0~-yNdHCJf|F!tm4zaKHbkmlT6tBUQIM
zLo{w}i+@Hri^^}$riN6Y!zz;idWP`UoPtt>wYI=kPvB2W2EqjRr`I&c{7}D>Mw4@^
zq`y8QxL%0cOWS;FX&0^+BFmuWfUq|pl(YO)9j9l(K0ju+PyFxmLVbSEh*sM)7)G?7
zu(~W&`VD&V&(aL%Y4GR(@#3waf$cCtv)k|Y_kXrG^3C02c5Tu@*2?PphLvVH$8Eq{
z)&s5X_3sDBzJ~@h$v}`modsPwCXj@p&>PYzKu~w6+};qTs!{=TW)&U318jZY8(YSn
zL~daaVj@a$X|2n0vn#~$I-`<fWDj{yIu<ZhW(+2Efi4-?=xWP=)8hiAtU@`fS4$2D
z#($v}1s($>6R0#qr_;i%r7ga*+zh=S?y&&w?uu$9$Jwk6m_n<xSkIZ0vR`v}5qP&x
ze05!@%lD1s#)fFOhhi~I`5PAM4tgsu#nEaXj~Q?DrR7vhBxrV`nkzRdc0OZUPPINs
z`C?fIh)VQv%3T1q{uS8$M1LLb0O??~x_|w{y+no~7{v^u;3(JzlObTYJsRtWG$|m8
zL~L+|`UrbNJbb4`;|dlBhCu}ezfo~8HC}>|&#+O>>Tb+oK?InBA5dl&_XIjVA#ZD{
zZs{<;*BRFxEN5(_z58rgL?%8WcN+@}^Z1uPe8pF8tu<XQz7i&CyXjHIi>O$%nSb&b
zP|kjuKt3GyYmT*!;QyF6)gSMg$&F1j*y)RfDCPf|Nct#=!WG1W?_akU9FLp-DdiNi
zh7hG<E>jSY<ECYoW~Qg9TB#5bfus)vTRLm(eggDv>AfN8j~476{T`VD$k`0XWO6K!
zNw5=%iXapXfvjY5gb)U0YL2ohS$|kH6LFS-)f90j6jnXYgp=6}s<z2a#)3Uv)iwo(
zsYUj!pUn|NPcmVnOBjTNSZa-`sj?0pJjy2ehp<b!IJb%;+k?XvF(Zt`qz7)7SC{Ac
z>bJL|PrjP(F0M51Mv3|~OlZ9yh@52DrU8o?mTBtubu<_Hf$#gXK`OmL+<*0nS6YI<
zSvBOx3ubhEL$r4LVxbq{a-8xXQs6fFs~%nwCgDCFKOoN(Nf{z0Ca2l;&yrzHyn1?y
zCL3iEW(Fd4b#Qd90q$KO?mQx6{Kyjvpy)6fMc`OjQ6&eXA5z{8Xi`d?mr9%ji2@T7
zgc%~uhk&b;Q@4r90kQ3dqJLoul+H~k8ZSN_)s|>9Y-H`s6sJ0qcp>5Jgu-~~fL$#z
z^vx|Sy-Ss;;$V^WL+I|`*5(%f$47rspMQO$b8l_$PP^}2X7EQ)e2<7j$%N*BYI`n~
z5(x+bm9s$3evI$?QzDVTAS5j83jX~KQ~hDyjP7jHpg9nCf|UO`PJj3hX{_$Sz3<{B
zlp}q7fJEa8f}>$99d{U=$Y(Rv>4}n2$T>zfUqXflgw7RE|CTP$)5C2wo1+0%A;VP7
zfwDFXsgScxsuXNKmdkL>5XdMPIWkd{wy0W#YE3{?rQ&QVsW6CW*0H#9qOL?G$K+Um
zeaN}Uet;0^l?^{8+<)8>@MFTsF@<_ww^E-tS!dSAN+KN`W>yEwe!+ggJ2puo9`stc
zyKq<i$H!m9*KRFtwEM#^{9*D1$KpDKzsqceQA)DyQzlAaNG3B$g{ek5T1r11iKl2+
z@2~O1sg_aQ>IuHRE%5b<5r4L1xHq=MR(l}k-H0wHDSwoLZ-2vGcJUI`9S`G2R;)UV
zq>;cOo0!W^#&m+fFGY#U%}gJoS~etfu7L(iI(w+6(}~-^F)MlCRGsP67>kJ#8(E7o
z!-Q&HL?=@vE-}$XVsTao9AkzJfdT>3Sqr6%4bw7Uj1`$m*{2*FlIC~^3E^H-&qYdE
zz_Ec^4hPWIQhyIx+q(W@?OAA*zB|ty0E2!Tt4lZe`nOk;KYw$_TUy(_8%62A`Z0e6
zuir+z9UznSSlC^F+XNB1Ayv0~R9tBb><x&_k;=StkidQf7(mYl7Iy`{xM$$^H%#^E
zk}+6oiA^`a)tKpDB=g5fgjKlr26#z>1NhMZ0RtTgQGX<18iD|8;0?zJC{2!4L|*iT
z<=uf1ZW2-#^ptyPf=2pKHfXHKRL`@>I}ll$E!&`C$>FhDfoEztK32`6UdV7IV{(SU
zwUjYU5T!KLGPcJmOl3zOwGO+2qQ%?*FD5LvbOsTm17x<UP<`TdD+8S90Fj|SZW>v@
zu(XANFn{r5M=q5nNJ0-=8!PzotFQQ*Z*TYR+}~PQ-|l}I%k&e~weJDTF@O~DAV4UF
zux&SyA{az4+(4uqpW<OeEE%RBlQ9U1y-?dW1Tj&Z5|aHaGb*}c2?Vj06Y2~JdjsP2
zj^I1nLS0=m_{zHBeYtFGFYJh=LB!W0h0CE#|9`AnViEC@hnMhJ^)Q~iq?;5ali4>c
za2(4iL8>NHm_e{@mT8v?hDVeRK>X~BoBKs`(a|;o7mg`<eMX6M6N=_)Y}E3cb1YOq
zm`qYJ8z-0u63V+FnE;8&B2dbKa@NyNm<OTWE%IZ1+;S}7>;z-1c)-RCOU)}!yzjbs
znSX~f$)h7T2|al2HQc^^ga60BUFJVuU0QDU{NE45<d12X+()uF!1oGZUm-F>&RSgo
zS`nblR3RCJuva^xFu!9s^E-xIZVT>sM1znhhzW5@NEMJOLX-ktL}+`2jjq7LuD~~|
z2LH#rDgQWc%CA?Aba78?wLS4gnD9pm{C~$ZmEXV^?!w;)@sbtfkHP^G@J4_DTT$-p
ze4M1;>@~aD>$etOQ?79gry|R*hsI=9QPCWod7rX4-2Y&8EG^4f&x25B8b(^~bF0tR
zYKyFmF6Fm+qP{m^^n5b9LlXUvFpP<AZVO~H4BOB&RLeMcCV5!#u;eiEHe(PHf`9md
zipashsop5qpA)H6udJ(NB-l{=&OHhMEA1ZJ?d<aWt=qWr?QQ?g()!-Q%HA!>;v2-#
zZ4A-FU*3!<(Dcx41}SEmX~}LSDZ)V@`Wt=P%Ud{B&2xUei$c?-;#5Utt2x-EEE|Ok
z$TFFTfK=;gp&yF0<ssha3V&foxPMzca=nP$D8)U+_(G<19f%j<ZgdXuZoKd~=m}ND
zX|!X({*S>h9?mcCIh{80n_IH*_H5+*r*nxoGo}gsN39X%SipFZQOYXJR)HXf2os_(
z0iu*>vrD+PVPK_AxVb6djhJ>NM?LWWI20IQ)*FlaMebAmmt?4CLOrQl-+#dlF#e(5
z^fjFa0ix0viQmHN@)G|0zkQ)DU%AuV+UtKVnLb03-qXRc@?+^)0UI&gvF*54`V5Nh
zKw&I3c-HlCPAPHH^)YvIOH2wvRS<GSFi3Z@p_ri<N=XV8qZ6jI)%S7F3$c_cUScKI
zq?Fr0)PcM4Li5X?1_v+U`hRPK1Y-+bQ<}Y@HQ^1I`z}t$z8WtY<OGp0r>jhr9Ft={
zJL7Nv6WtuK2lE-G`hz-vX<yWN$0d|=jNFQWKP?$p>j+$1Ghhnf+=Rk-QTup2DNyz~
z>VB+65&8ikYXN0PXO%;PQ{CAMQhnsw&m^1x`B^Bl2qh(Y-4?IhUw^<?S8jyg+_=}f
zzOb<vr|FlF>MBII18h8LBbEV3py{F0^Z;xFV@_BqEr;NpK_u2YLorL>iBxe-GUcU$
zHHuIISP>{Oh=-=hU4qz(CGJZ}_YlSR5c<uR(R=WqILxJIz*ov>gu;}&0yKyvRonpO
z^^UNb9!$pq<!#V`+JB-)02&qem7MN`^#elBC#<vu+C#1SQOW7=c~ZbirMV6FngaiR
z$HZojFk92Y4X4Kx%DJa~m1?wgFj6i_J-{ky&kw(iy9*2WZ~yX<`uESSwO2OxZuN)$
z7o6f##s1yVC-z})Ox~|gU|MY^u_jo~3-Hxc@nxy_bFlF_lz;jh%zp;xQ$YPe5P!_z
z&snOgsWRpv(@pqc?;-EOzeybCHf8`RyroX!O%44@P6ml61(Awc1Dy0@^O$X-Ita))
zIi`5B%v8-WayIB$n17GM!!^rfnGs8crl*xZZfxj+^Q#pDu>_9SH9fVE`A%ed|L5gH
zN{Sm@!nJjQ<$snyDuH^QF;#xXH4avz<5m+$hdP6pIrucq8_fXMudS%dS8gWP?yR??
zR9%;GdPT<ZGW@4L>+9=;<^#!{7!Sm-2wG>%28srd2w<23yJ7k_njxNqr#uJ^l*$wW
zgTxk?c2ZCr#cXbLMR~bRxt%`oFd{e>C~Jc(<JnxDo__>_wp6PZbPx<9ZKS!>)Oxy#
zN3G<H4ycF65>W#5d~Iv+`x_=cUNEuR7O3WcU!T?#+-m+Pco+O#hb!E}=Gp>2x_pN}
zyK+CheZLjA2l1jz`Cn5Ne+@5g1H<RFF3!L}0qqp%rlaTio6QhU!qXgt^qIH6){TKa
zvS(Z)gMV~4C4Xmt;ht-r?D?wdhN?J>Rc^DZtg)ivYK~EGKslQ!YmKayk3fZe|3=re
zQbv?0Ebc0-cQxmHtwT^4sV4SGtALnV<XY=u5%ygDy|*?E?DR)ofr7C&Agpx=wn-4g
z2UJx2k++Q#AnF3i0O$&!573ZcD`H!aDS;wHrhk+aWgi3Vw^5IJ@o!YK{2v?y&sa)>
zk>(N>vdd&{0b)fE_L3B0&!z1Aj>z8J6!yKAA$MFtkbsmTGDqeyPsQAO0tS)hO6<CX
z^{znE)7fODC2(U?;M%&too#{Z8wM^f>%#uy1p^Da1_Wtcsgk4bqUE;0u1k6)#?kHP
zXMeA)ba%lJ3YDxP+f>*ckZ=PsB#UYykrk%7r~F(Oa9=v#@fQux8Xy4N6p1@PRO&*c
zZAGRVq?C4sBG~Ma*BXjJKfrJpQ8J83^aBztPj`x11N#5l`|>9_t|PrK^VQYW$Mp1^
zxDSG)2vS#AvUfMUmO~M{;bX)8UpK6kynibzWQo#JUQz-GfFOt&U@(}w@9w(my_f!>
zrb$quBw`K_L*a|)z%PiXo~q8ue3@T<pY-F(1$L5t-lMPh)ROG*BcJUgJo_mP5Eno{
zB0T9=XOD*m3f+id>>(ktQI%G?2C|ZnYeJj@qjY9M1GH<vH_lnSzAU&nFQ|DyKYu1n
zbAlCuHdMLKawS@Qye^$Uu~0J*autx4AY<7r49yjWJR(XYa0;sy3l#mA#ee=U5+^ye
zVBo5Urq}R&-7$uiw54-3pRY7Mc_Z}gjYfdi0!NlyhrEU_)TzU)v@FieS!b~!+^SVW
zx@I6~20-0EENi%G)jD5Lk|hP9JAbVNr~hq(@nHY(t?vRi&s$tyvbZpB!36A%s~z;L
ztja6J75}Q!sAerIEsMHe1>*LI@cxFvgFVL9h%g@l|M7;#zq?}a);Wu%V`?(Y0(_i8
zwgxO8Y%2Y~Zaev%Ej}2e{4mP!o<RSo?8W!Lq<z6FoB~d=8Eb)!3{zzJ6n{P7>L%)F
zr|>t5Qg#Ok?J!{r;FZ!+z2+h4gyOBXD7Y}s^~I(Q=4x;op15@%PTjK{dSK73x?o=v
zAVihQd3Rc^&EDT-3{yhQ6<lAk`2JOcw=YyKPynzy7W5B=pS1y8C77!Lt1UsNQ3dAA
zKYgh|P=^A|qg0_E0k@wrw12Hs4R7e`@Lqd9vhJstu@2fbP`F}=2u^QGOu)*=`>5>$
zRBG;Fp-yFfV*}CJ5MKkojkAW+^hT;O%ABo%ohFDIF4?-knbTrBE@7$W(Q4h3a}7^c
z16LLu2XoBSBA^Z+U=jx)#fM#|XBVOf)ep=ZS|qzluuuoCEm?f`@_%RcX!BuJE&-Jm
zZ?3E0u<{vEa(1?OHUM*7%~hWC3AeWt?rbscZCBd8-@9t?y-MI2=i5gUjhJCpHcm2<
ztpUjgPn7x59Vh>Ai@W_852qQwCsO{X>_;B~-3(u2=IqOe(;Vkj8D)$Nzz~?pTwD!M
zN4xaYVwupnNh;?Y;(ry#kp(7d3(zzc4Py})3lAU<0uLlL04;zT0P3z1H*_J*Kxn=$
zSZN8pb<X13mn^<_wUW^Ee{Z5+Npya>7x0V|=2zNV@RVSbRAt(Oz0X?5Sy?SrHGCW?
zP-ZIWtw8AYm5LwLj}b8O^8H;^+b5x{aQawiQ<*h35I-KE3V)JUndAlF1P<xXi;+dy
zE)l8-r5QlUwl#L0fsdHz7A(DQto>Ib_%#Io3c?4lau3W~Oq3G|6H!?A#6RDLymP_e
z?{8}QyPJmo=Cw+ZeYsVYKFr78tYfOqLhVqndN?%P=rcBYj9x^@G-0tWm<y}_d(`XA
zGGgEgR$D@?8h?14!kOk26c#JFL4%ljHkcnF8ydWtUAz#y2!GbfXB(LVG!(!BWF-b0
z8GuiBn4g*Uy1<(O7Nq6ba>25@tU-;y0U9;2O<$zpTUl-it}O^|p0CQC*OugS<<v>R
zRXEhh5)@jnGZcw);8Bldl9A*kQ1=vRV{oor*-syN^*@(@Rsaf@g@_CW3HeO4d~cWQ
zM8tWHev}jG`qg#B8-2XWB&Uwk&L9Mw4^X2HYQZ90EW)D}6uYR^fnuuh`J<V00)IRQ
zt(pgSr3JpWWa!NmOE=F8U7EKv9}1oH8DoZ7yEWI4Q9{_85H|aS`+KT*Z(U6v?9=FA
zO1()&4~)pKU~m^DJr!S;3X7T+DyA8KLo8O8no_p{_u8URr!GfgGtb)E4IgxUNdQ<i
zhztQ(aJDF95T%9f#hJ&tb7LI?-G4ixi|{M_37lkrIA~w3L)3Mp=)bfA`K!0j+tr)r
zZ1~OvqgLBOzJk&gh;vXcB4=yJtwBUVTwuXr&|E0NO3S*JI>IZh>Ri#PRotlBiSVHQ
zIA$US2UEhWO(nOUGHz|LZ1y-Fr`Vk4xK|qd#*n>_QnrAij}&R?apGC`pMSKW-MFCt
zy542_$6L<I_K;ft@GZkP&s%C7!^dQnNzSzeKfI}Vv1wh!0)e`|J)-}alyu$^`H>Fg
z&e2?iU*S*T1b=di0Sv8#K3(@*++1$Rjdv~>_iwIS{?;Xf)j1)DK~@f@-w~-NeNo*h
z`Egzi=@#l$EA{e%MLYarYJbT|VWv`EXdudfQA*N_NFH_B{_d&LcegpZv(3G|F>SKo
z0Z49_V*ekMyMf7r6tjWd7+C>CSh%XS@#YRDWF|SiV}vd)Hqo#G@3m!1i;aqRb<|8!
z_d(Ye1x!|r5<?8?xQZLDA}7jeJQB}^V;^9$wD)SDcyc(oE>?ZH1AkUG8zFsXp>E%K
z`+{BkZ{O7X{cDywb%CcUQ3pDtZ`531J_OFU1y>iU&&5uq9@6lu_Udsa)PD{$mGWT>
ze6r8@&4!YneCXPreXR1kI~;F~czv4T|D*-~3zL0UTm2!3_b^yX@Q1u8F}20QDfNLU
z8f!tl&=l^Cxi(JWcYhk7x!U1g%rWlxOhas`32KMJ+7jm_YSWy~Cna@+If3KGD4eu<
z4ZXr~adH{NMF8+>&9&#28VE1W3twFjIyd)uM<c?gjz?(tFRt<OtYTo46UG^20UHtI
z?ii6g9g;lQXSu(llHYBr{*yj+OM`uFao<>Z7uMX@lgS>?{ZoPkg28{<GzVhPYsPh`
z*|jj^gtdjbyxc^~3j8-$EiE^MJm+|s<m#e@qri#Qu3~3iDYR-Xd4m|yP}oJgeHX@i
zis|+gpN^Ma;V3w{4B~Z`nE0Kgro4H5Q7*r+V&~quSd|thc8z1gN=0#hSTTR)$9G-(
z(~li}>xnAX4`}Bg;`e`(l73+<{j(Uns|&S;Xw*L}S-#xiH+Kr_ahFJqh2R&O!o3OC
zCn*Q*y3pL=yyi$k5QiWFJV&t96k2Eqg&r6Le-P8^IO9bK1fmM~;S|L*J^Gbi;p8%i
z2!r4$f)}`=0tckN!qE8K86yX#8Obmv*&ebyI3T&dtCHVs@?d|n&x2fJSQ>d;8u_i&
zbQiY#1o7i8p1&g`KsUk|anZhJKveHXO2!#mE4aSUP;=HGc<a2yO6zFqFVAdHQs@b4
zu7$%O#nMc3G+hP17f~^a$+6@!!Yk`Y=+)u<h&aJRI*AoAR$vN4wzLrYoF+{t2|?AB
z8YRG^F5~_l%k6)sj(yZ4(~DS-6YLKY+)7KiD}s-$#iljV1296Yeow{l2$vt_-C{m?
z*LUo&D5-clr1GCWbl%(^kyjYQ-??NelH)ORcq@=Y>uRB<53Fp+;x8YnznY}nVe8C^
zui6I12S~7cyes`>;^YE^9SxDBG!joUlu-t2EDp7oP9J|WAB#*wqO8)j8mExm5y_*T
zvLEkpdiyC4H~TzHN*Weg9vg#O7WOWR;sKJUU7YAddMCjUn|bGkRiLmxg&9R8R!}ZB
zq+>0@cP?6-pR-i+j$U$k4rsAa8560>BP5J+y5u?V4kjey1dih?o4c25@X`ZxyI(7V
zo72Y0ok4%N-GJgH-^B_MU0Q5n{@a%f|NbHUv{2}3^8IwkxV@?Ht92zmzT?=RJ#h4`
zO;xNP&|Wv<+ewLct)ZV7u|GH3-ht&!#25pk5~uOQNyAb?uTR>Jz@)VS?~T>`Frh}>
z6RHQt(-NLR%~;2EV7VdG^hNa()f^_&u}mFe<yn7t10=%<UIoaP#>r(6g&Z*5tfX!~
zqM{dlw(sp6lf3sVW(tV82BM4*6_7Y586|{+3DNeL%;O$qYX>U&XqQL(V;Wn*ScEo9
zD|fBIM^N@Y2EhSvPvg`l&s!<_*w&5LN(aRKh-^QWK#P)2LpoLvn#;h&c}sQg=z@Em
zbNGKzmO@wHx(G(8Sy76E-64g8L|o5uS}b3ymB#I%;0!i*AfAF~1>Y!$$ABe>Wz5QB
zf`Hfp%7O}uTp6$_!G*@OR#t0hTLr$RE5RohAkjEQv$>rX?oMf>=uhDc<4TC3;S0Qz
z3XsF#IG9v>=xbe;wJw{jKBF6hCn;rxp>BUt;PEKNN2S3-HnL$A?OAPxFfzfooB(St
zAUK{uL}T4BAA*sxu->0g{L}mDd%I(*<)tQl6}Y-+kIfdS<|Kk|T{IMW!dDi!{*!yo
zg>08ODXB@N`?@mrw+7sU<J4ghf;a>?0N_H{1;hR9l_mz3%1XZ9E#cV&q9%~q1Py<T
zVK7E|e)tEbt6vkG;32)21Aecxd|<7bOmoV1#^miyNL`$l=XQSjW0>ZU$6c1S17#lU
zlUdv6<dc0GZ;dz_M3kilLzl1%l1IkkBa>qdvA+r2`yz$(7l^eS5f0F}A=VLh7?X?=
z_Kk&^3)GSogjRqn3znL}Z2R%~G1GrCc37zH8S<2PqlDU?g1b53MlV7;Ezq#W_FM;b
z&oQB+Bvgz*F}aH2F~cRY3IIf4td+u86xO0BjU<_-Nue>xH73@rjhvbc2sg$hFa=}+
z&=`ZY8Qb7Y2hB;cn>41|Q)m8-K9d~eB@G@OaA&nCwRTO=3Qp!e?T<-*eAj=`|F)s>
zgDJ(Mgm%X%9!^uNmtr4_@UDd&u+Yc=6U1c%cnMw>5?_P~8n|Z}DU?mS6B_;Uq57Nd
zlrCqbp}Yj%ShesQ$GeQ9fK~v!u__d}ny)QM?WZ59&Yf-L^&&b~8p#_zs2PZAcyMaI
zIKFF@uSoe0lv2U~U<}#ZK<9rNCM#j4Dd|yya-6{!VOts$AjAOeJA!o)d~C>mi23W=
z7(PmH##zQEtZIUSVTMfnC@tvHC;RNp*Cn{IVri*aby<$ft(xZ5<oniBPR1$iBn2L5
zOYd84??L1-RC%C>8!=wm2eXzVLKm%z2F8_Ps_ZDG&{$=f0hX<xK~#U)63o>E{t+{;
zI%E(pvQX0(3LH2|f%;sCa1hb5wm|5Mt$UEVCsgx5o&)k7%dP^?+;Xjj6b3feWb+ad
z<&a5Am}Eq8VO3U=6b5Blpf}CvLY!eaDXE<l^Z;{LHZV@QXPFyz;{4cxFjhi$1~KOE
zZ1ZyH%ff%SPIP6V5<-7C>VCuwf<p^2i&!A*7W7*S^B#;{M;ygKH^*6c7?Z6Ct&3|A
zRf-_*$LPPeu71#u5T+Uw7nZ(tv9fPC4w$QQ?aHF1fAEC=_H~0oSA$fgz%weoBG93k
zDe<A}F93i5Yr!HQV*xFY(f~yX$~Dm_h3t;ld)%YW-5vhM<F0>NHIaNf*L2Sq_g~O#
z-o_L=e}<~_(&FR^<O4G`b$&1*T1-m%=F<VMKI(F?+OqD&j=)vNJB!pD(D`}cOAFT7
z=&?Ud!GMhrs}ayWOG3;=<<@lFpf2}w310vJ38hIyK~!dxIChds!&o*o533?*xC*4L
zMJN0$lN?EZtJ;67r@5NY5sn1(d;bEcnkCu-;}o<#5}a#OtrdvBP)FxckL~`1<|YZH
zgO~|(^BUuB<*#^lo)3Ui*-0N6l&!?AaX<>!LJy0s65nMw%PpaHc)S29tJ_Of;BJq2
zz8jMO^aPIdP%M<d;Ec5!hZbcgfkRUPjR6#+jF-j<wF`e!d7jUQpk{Ei069&}bj2FJ
zV5JGXwruHAN4V}+YxTpFmZv!dBD4*^)<-`1eGP(_9;YGNV1ZGl!UbQ57F{KcLQ`8Q
zX<S(l>V%c{(^2OlA|T%Z<(ix)eN~^Nq!nXdKojd`Q{<DgM$WUqFh`+Mc<waQ(9?|S
zg(a`F<QabpFYrMA;he+amm^SSyYr5!O6O((T55vkLXhWzOGDn?h}&@vqgb{JQ3Hev
zG19@A(i%QBRTHD;nIO3lawZvFa~R84I~DuXcL4W@#hqfH<_U};*&VUO1<F!0r-roS
zs4bHW&#1{{Vo^9LJTDSLpNO+b%FE*v?W82K7U+M}D_NoEuw8%Qa2;SSti0WJ#w^o}
zlfod%H6;QZARSD;>hJhGI6c{)qHZneG#A%PO1c`jn4b?t1uoQFSg}!o=YP<Ot2dUm
zs9b1E!oie+VN9tNJhW-23k(Ejum5g=q(D(iLC!cAD&w5P(!k3#Ty4m!xs_3n>j)gK
zZry*&5-6W$6b3bXP-zG|Bf>bNBFd0QIgcGSk4!S^f7Rdhd2oulSQCMsE8w&5Fm;$w
zpQKbT4QiJTGs$rcbUYW7Yf_)=b8TnLQ!Df_963PI(P!^0GQ-qD*9!PSEQFq7O5%(b
z$0@Z3F>$Uzi;e2QO>}xI$;U;M1A~Mq%3*)H5$j2c9+TWF<I(<C{oS4irzspKz(k|I
zz(jDYWp|SD0uh>vO>o@<)x4v3XNW+73yL!0yF2V2OnA(&YsR390ts-oYTaibz_di(
z%%IFjgNme}TBhMdIk}}FFYv&w`gHM%@Di3>aZc2ah<Xv5rvonfG4F`Q@5*F&rf7fn
zr?1VM23mX`DJE+zod+<Vl;mm)=lq<|e0a2)ny4x_#wp4DJ!J+FjkLvHt}%jR`Y1>7
zsr)@J43&nlt#Qnj_K0OtXzoli%pFWw#W|_Px}1oT<7r@;5q8Fmoe`CfdYtwm+JxBm
z%VfCoRe!hV!3z+to@!*HDF+=ff+l~2Yf+9Sgu;b}aQ$!v^?AE9eAq!5B_t0Il<miu
zCI$843_TcZLl4KN`B%LF2r$w}2dS;K2i9_yYYOrbYLt*u8ggqc*kSN2le`Qi*KGH{
zACuhQQ?hoTk|zV|4H9}t;19}Vu=mw|!{@^bQ+GFRsM+Bmgv-3dC1Ys`ASQnjUTA<?
zN9^+t6T*`o(J-N8l%P9GX%~t%kPn8Z@ppU$5M)DRRVQIb_81tImRoU7&D{xk<AmH!
zU8q%)W2>f|6s!PS1D0QWqU`N0HQXK3+BC&oEBdZUN4>B5`#ld{-0jRKr45(IM#JU?
z^8muaBCtY!!xQq|qxJdwG2wr~K4WLZ)9#e_hB0pfb{+XyZTEg5EQ&#HlllN2r==w~
zE5ZGU-9nS=yW%J&_75`&pMp8+pM$YLsey3@*&4EZxW)F}HK+V!pLZuIeURq3r89m6
z{i@CT#~?`h#)k8nArk?YQBEsSPMu6MSqtjaL9IZZ>rApgCi(5AGLMsYg)A1QL&X<~
zQUj9=SU+I-*#l*N{=g|e+LO73mVe&k!TyAHql|tlu=g>Iw+~spX9{0I#X1q_Rw03;
zOm2^ek~qi0Affi&m}s1V8-BH`{ikZ`C<mSn2)8#Gzj&zd$v$nx8o$t5ZbOv^$j4{y
zVLTTO^|ur-u%u9Ec)Me6?M*4v1|-!14~Gn0%ntBJ4G=S1bIu9<xav?n?td}v?y&rN
zUD=<1;@F>ktni!1D%$At)+oj8td##<X!^gp(Ca9-COBh6Mc~C|kQofHm11;tPuKG-
zf@|V}n`vRwDCG-Di3KKV^djS(YgevOp;w(v1VCXRaYnK;Camof-G0i+-kAF1jMuHT
zk5K9zBz)HRSkH@@{#KONE`JuvXSb(G4`M3goNhRb&M@Wr#d+&=LgAnig%GFmd6z>j
zT&1S*j4A3&y>X@~W(5#i=_!|nC@X<DCyY~IoRJwNr1vM3J?ZmwYsm5T2<bGV17<v8
z;6tnNo+kYm@#8O&YdsVADw~3p3vTFloWNYEx%^GvwSU{J;hXcJy?=bZEv+|}Ev_#L
zF3wwS1|SQdACrB!$9BET^0-I5JEompM86qj^h;~)&oDG=e_1vF7i$P<9=>;tp}y0u
z<GYJ>`@PVUE3QK5FuX%aAaMwy6s)IU9S5RVKFuhKAg%(4AjVX?AB7>(22>hwX+ebs
zYXfM3H5R!DO-qA=D1W7mxWJPrlP9UAO$V~&7`2yCF~Dde#u;9{{VFoZ43!IRf_<H=
zjHmOBX=W70nM|J!)WP;pR);aQ_9s%mI8Q+%fGYwS#8f=or|5Byqn!~=CmGhP(62%C
zTWGZhtbe^rt3SY2iUcX#%c%vjaik`3N|AuCmIf^m2>>vNSbs6dWjmWYK^@LcfGR_K
zPW8q#1}F`ru#i$$XO7ZBj3Fx^O(X@Aq^`o0fP>u76KiAxB2Q3eyE>)5#@5#&i@yv6
z1p>h6+^ECwqQm;UfUnklyxy+i8+8v?17DUEqfUS=493$8Pos?2rWx*~xqS#rn;<^G
z)SUqLzK#d<FMk6UbC(++)pFs?3((TmG(a3e;Dh0V$a5JUll7R$AtuEF1^{MZCUO{n
zC9&GVh(W1Ew6#<kL2gA72uBc!z$SHB6;Q~_%*N21z$;>mZT5AN0eTq%<nx%nJ_q2k
zg7Y>L{=Fi($qJVMv_P=1=xLFM*5H;F`Zdb(6T}$3(o&xN1GvED25L5h>xEEKgK=tL
zsliGBCLco1Gx9zRu^w0mL<Sa>)Q?3DLJpw>7896kjI<m9`zihc%Gm!8&DbFUG6wlm
P00000NkvXXu0mjf_e%4&

diff --git a/packages/scratch-svg-renderer/webpack.config.js b/packages/scratch-svg-renderer/webpack.config.js
index 9f97a32f220..b23e3c0c048 100644
--- a/packages/scratch-svg-renderer/webpack.config.js
+++ b/packages/scratch-svg-renderer/webpack.config.js
@@ -10,7 +10,7 @@ const findMonorepoRoot = () => {
     while (currentDir !== path.parse(currentDir).root) {
         if (fs.existsSync(path.join(currentDir, 'package.json'))) {
             try {
-                const pkg = require(path.join(currentDir, 'package.json')); // eslint-disable-line global-require
+                const pkg = require(path.join(currentDir, 'package.json'));
                 if (pkg.workspaces) {
                     return currentDir;
                 }

From 114ce5470b7c0c0efaa8a7aafd19d53669f06a88 Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Mon, 11 May 2026 17:38:44 +0300
Subject: [PATCH 3/8] feat: implement measure svg script to be used in
 sandboxed environment

---
 .../src/sandbox/iframe-html.js                |   5 +-
 .../scratch-svg-renderer/src/sandbox/index.js |  11 +-
 .../src/sandbox/measure-svg-script.js         |  85 +++++
 .../test/playwright/measure-harness.html      |  12 +
 .../test/playwright/measure-svg.spec.js       | 301 ++++++++++++++++++
 .../test/playwright/sandbox.spec.js           |   1 -
 6 files changed, 412 insertions(+), 3 deletions(-)
 create mode 100644 packages/scratch-svg-renderer/src/sandbox/measure-svg-script.js
 create mode 100644 packages/scratch-svg-renderer/test/playwright/measure-harness.html
 create mode 100644 packages/scratch-svg-renderer/test/playwright/measure-svg.spec.js

diff --git a/packages/scratch-svg-renderer/src/sandbox/iframe-html.js b/packages/scratch-svg-renderer/src/sandbox/iframe-html.js
index 57fd2d9ad31..09aa7921b59 100644
--- a/packages/scratch-svg-renderer/src/sandbox/iframe-html.js
+++ b/packages/scratch-svg-renderer/src/sandbox/iframe-html.js
@@ -20,10 +20,13 @@
  * The caller's script must synchronously assign `window.onSandboxMessage` to a
  * function that accepts a payload and returns a result (or a Promise of a result).
  */
+const CSP = "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval'; " +
+    "style-src 'unsafe-inline'; font-src data:;";
+
 const IFRAME_HTML = `<!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval';">
+<meta http-equiv="Content-Security-Policy" content="${CSP}">
 </head>
 <body>
 <script>
diff --git a/packages/scratch-svg-renderer/src/sandbox/index.js b/packages/scratch-svg-renderer/src/sandbox/index.js
index 8dd5a52c5ea..89ad6188b3f 100644
--- a/packages/scratch-svg-renderer/src/sandbox/index.js
+++ b/packages/scratch-svg-renderer/src/sandbox/index.js
@@ -55,7 +55,16 @@
 
             const iframe = document.createElement('iframe');
             iframe.setAttribute('sandbox', 'allow-scripts');
-            iframe.style.display = 'none';
+            // Use visibility:hidden instead of display:none so the iframe's
+            // rendering tree stays active. This is required for DOM
+            // measurement APIs (e.g. getBBox) to return correct values.
+            iframe.style.position = 'absolute';
+            iframe.style.visibility = 'hidden';
+            iframe.style.width = '0';
+            iframe.style.height = '0';
+            iframe.style.border = 'none';
+            iframe.style.overflow = 'hidden';
+            iframe.style.pointerEvents = 'none';
             this._iframe = iframe;
 
             this._onMessage = event => {
diff --git a/packages/scratch-svg-renderer/src/sandbox/measure-svg-script.js b/packages/scratch-svg-renderer/src/sandbox/measure-svg-script.js
new file mode 100644
index 00000000000..6ac34720706
--- /dev/null
+++ b/packages/scratch-svg-renderer/src/sandbox/measure-svg-script.js
@@ -0,0 +1,85 @@
+/**
+ * Build the script string that runs inside a sandboxed iframe to measure
+ * SVG bounding boxes via `getBBox()`.
+ *
+ * The returned script injects Scratch's `\@font-face` rules into the iframe
+ * document and eagerly loads all registered fonts so that text-bearing
+ * SVGs produce accurate bounding boxes.
+ * @param {string} fontCSS Concatenated `\@font-face` CSS rules for all
+ *     Scratch fonts (from scratch-render-fonts). Each rule should use a
+ *     `data:` URI so fonts load without network access.
+ * @returns {string} Script source to pass to `new Sandbox(script)`.
+ */
+const createMeasureSvgScript = fontCSS => {
+    const fontCSSLiteral = JSON.stringify(fontCSS);
+
+    // The script is eval'd inside the sandboxed iframe. It must use only
+    // ES5-compatible syntax (no arrow functions, no const/let in loops)
+    // for maximum browser compatibility, since the iframe runs whatever
+    // the browser ships natively — no transpilation.
+    return `(function () {
+    // Inject Scratch font @font-face rules into the iframe document.
+    var style = document.createElement('style');
+    style.textContent = ${fontCSSLiteral};
+    document.head.appendChild(style);
+
+    // Eagerly load every registered font face. The fonts use data: URIs
+    // so this is essentially instant (no network), but the browser still
+    // needs to decode and register them before getBBox returns accurate
+    // results for text-bearing SVGs.
+    var fontPromises = [];
+    document.fonts.forEach(function (f) {
+        fontPromises.push(f.load().catch(function () {
+            // Ignore individual font-load failures; not every font is
+            // used by every measured SVG.
+        }));
+    });
+    var fontsReady = Promise.all(fontPromises);
+
+    /**
+     * Measure a single SVG string and return its bounding box.
+     */
+    function measureSvg(svgString) {
+        var container = document.createElement('span');
+        try {
+            container.innerHTML = svgString;
+            document.body.appendChild(container);
+            var svgEl = container.children[0];
+            if (!svgEl || typeof svgEl.getBBox !== 'function') {
+                throw new Error('SVG element not found or does not support getBBox');
+            }
+            var bbox = svgEl.getBBox();
+            return {
+                x: bbox.x,
+                y: bbox.y,
+                width: bbox.width,
+                height: bbox.height
+            };
+        } finally {
+            if (container.parentNode) {
+                container.parentNode.removeChild(container);
+            }
+        }
+    }
+
+    window.onSandboxMessage = function (payload) {
+        var isBatch = Array.isArray(payload);
+        var items = isBatch ? payload : [payload];
+
+        return fontsReady.then(function () {
+            var results = [];
+            for (var i = 0; i < items.length; i++) {
+                results.push(measureSvg(items[i]));
+            }
+            return isBatch ? results : results[0];
+        });
+    };
+})();`;
+};
+
+// Support both CommonJS (Node / bundler) and plain browser <script> inclusion.
+if (typeof module === 'undefined') {
+    window.createMeasureSvgScript = createMeasureSvgScript;
+} else {
+    module.exports = {createMeasureSvgScript};
+}
diff --git a/packages/scratch-svg-renderer/test/playwright/measure-harness.html b/packages/scratch-svg-renderer/test/playwright/measure-harness.html
new file mode 100644
index 00000000000..2764b887e66
--- /dev/null
+++ b/packages/scratch-svg-renderer/test/playwright/measure-harness.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Measure SVG Test Harness</title>
+</head>
+<body>
+<script src="../../src/sandbox/iframe-html.js"></script>
+<script src="../../src/sandbox/index.js"></script>
+<script src="../../src/sandbox/measure-svg-script.js"></script>
+</body>
+</html>
diff --git a/packages/scratch-svg-renderer/test/playwright/measure-svg.spec.js b/packages/scratch-svg-renderer/test/playwright/measure-svg.spec.js
new file mode 100644
index 00000000000..7e8ebf48d63
--- /dev/null
+++ b/packages/scratch-svg-renderer/test/playwright/measure-svg.spec.js
@@ -0,0 +1,301 @@
+const fs = require('fs');
+const path = require('path');
+const {test, expect} = require('@playwright/test');
+
+/**
+ * Playwright tests for the display-side iframe measurement script.
+ *
+ * These tests verify that SVG bounding-box measurement inside a sandboxed
+ * iframe produces the same results as the current in-process
+ * transformMeasurements approach (getBBox on the parent document.body).
+ */
+
+const FIXTURE_DIR = path.resolve(__dirname, '../fixtures');
+
+const catCostumeSvg = fs.readFileSync(
+    path.resolve(FIXTURE_DIR, 'cat-costume.svg'), 'utf8'
+);
+
+// A simple SVG rectangle for basic measurement verification.
+const simpleSvg = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<rect x="10" y="20" width="100" height="50" fill="red"/>' +
+    '</svg>';
+
+// An SVG with text using a Scratch font family, for verifying
+// that fonts are loaded inside the iframe.
+const textSvg = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<text x="10" y="30" font-family="Sans Serif" font-size="18">Hello</text>' +
+    '</svg>';
+
+// An SVG drawn in negative coordinates (like some Scratch 2 costumes).
+const negativeBboxSvg = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<circle cx="-20" cy="-10" r="30" fill="blue"/>' +
+    '</svg>';
+
+test.beforeEach(async ({page}) => {
+    await page.goto('measure-harness.html');
+    await page.waitForFunction(
+        () => typeof window.Sandbox === 'function' &&
+              typeof window.createMeasureSvgScript === 'function'
+    );
+});
+
+/**
+ * Helper: measure an SVG string by appending it directly to the parent
+ * page's document.body (the current in-process approach). Used as a
+ * reference to compare against sandbox-based measurement.
+ * @param {import('@playwright/test').Page} page
+ * @param {string} svgString
+ * @returns {Promise<{x: number, y: number, width: number, height: number}>}
+ */
+const measureDirect = async function (page, svgString) {
+    return page.evaluate(svg => {
+        const container = document.createElement('span');
+        container.innerHTML = svg;
+        document.body.appendChild(container);
+        try {
+            const bbox = container.children[0].getBBox();
+            return {
+                x: bbox.x,
+                y: bbox.y,
+                width: bbox.width,
+                height: bbox.height
+            };
+        } finally {
+            document.body.removeChild(container);
+        }
+    }, svgString);
+};
+
+/**
+ * Helper: measure an SVG using the sandboxed measurement script.
+ * `fontCSS` is optional; when omitted, an empty string is used (no fonts).
+ * @param {import('@playwright/test').Page} page
+ * @param {string} svgString
+ * @param {string} [fontCSS]
+ * @returns {Promise<{x: number, y: number, width: number, height: number}>}
+ */
+const measureSandboxed = async function (page, svgString, fontCSS = '') {
+    return page.evaluate(async ({svg, css}) => {
+        const script = window.createMeasureSvgScript(css);
+        const sandbox = new window.Sandbox(script);
+        try {
+            return await sandbox.send(svg);
+        } finally {
+            sandbox.destroy();
+        }
+    }, {svg: svgString, css: fontCSS});
+};
+
+// --- Core measurement ---
+
+test('measures a simple rect SVG correctly', async ({page}) => {
+    const result = await measureSandboxed(page, simpleSvg);
+    expect(result).toEqual({x: 10, y: 20, width: 100, height: 50});
+});
+
+test('measurements match direct getBBox for a simple SVG', async ({page}) => {
+    const direct = await measureDirect(page, simpleSvg);
+    const sandboxed = await measureSandboxed(page, simpleSvg);
+    expect(sandboxed).toEqual(direct);
+});
+
+test('measurements match direct getBBox for the cat costume', async ({page}) => {
+    const direct = await measureDirect(page, catCostumeSvg);
+    const sandboxed = await measureSandboxed(page, catCostumeSvg);
+    // Sub-pixel tolerance: float comparison for potential rounding differences.
+    expect(sandboxed.x).toBeCloseTo(direct.x, 1);
+    expect(sandboxed.y).toBeCloseTo(direct.y, 1);
+    expect(sandboxed.width).toBeCloseTo(direct.width, 1);
+    expect(sandboxed.height).toBeCloseTo(direct.height, 1);
+});
+
+test('handles SVGs with negative bounding-box coordinates', async ({page}) => {
+    const result = await measureSandboxed(page, negativeBboxSvg);
+    // Circle at cx=-20, cy=-10, r=30 → bbox should be roughly (-50, -40, 60, 60)
+    expect(result.x).toBeCloseTo(-50, 1);
+    expect(result.y).toBeCloseTo(-40, 1);
+    expect(result.width).toBeCloseTo(60, 1);
+    expect(result.height).toBeCloseTo(60, 1);
+});
+
+test('negative-bbox measurements match direct getBBox', async ({page}) => {
+    const direct = await measureDirect(page, negativeBboxSvg);
+    const sandboxed = await measureSandboxed(page, negativeBboxSvg);
+    expect(sandboxed).toEqual(direct);
+});
+
+// --- Batch processing ---
+
+test('batch measurement returns an array of results', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const script = window.createMeasureSvgScript('');
+        const sandbox = new window.Sandbox(script);
+        try {
+            return await sandbox.send([
+                '<svg xmlns="http://www.w3.org/2000/svg"><rect x="0" y="0" width="10" height="10" fill="red"/></svg>',
+                '<svg xmlns="http://www.w3.org/2000/svg"><rect x="5" y="5" width="20" height="30" fill="blue"/></svg>'
+            ]);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(results).toHaveLength(2);
+    expect(results[0]).toEqual({x: 0, y: 0, width: 10, height: 10});
+    expect(results[1]).toEqual({x: 5, y: 5, width: 20, height: 30});
+});
+
+test('single item returns a single object (not an array)', async ({page}) => {
+    const result = await measureSandboxed(page, simpleSvg);
+    expect(result).not.toBeInstanceOf(Array);
+    expect(result).toHaveProperty('x');
+    expect(result).toHaveProperty('width');
+});
+
+// --- Iframe reuse ---
+
+test('sandbox iframe is reused across multiple measurements', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const script = window.createMeasureSvgScript('');
+        const sandbox = new window.Sandbox(script);
+        try {
+            const r1 = await sandbox.send(
+                '<svg xmlns="http://www.w3.org/2000/svg"><rect x="0" y="0" width="10" height="10" fill="red"/></svg>'
+            );
+            const r2 = await sandbox.send(
+                '<svg xmlns="http://www.w3.org/2000/svg"><rect x="0" y="0" width="20" height="20" fill="red"/></svg>'
+            );
+            const iframeCount = document.querySelectorAll('iframe').length;
+            return {r1, r2, iframeCount};
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(results.r1).toEqual({x: 0, y: 0, width: 10, height: 10});
+    expect(results.r2).toEqual({x: 0, y: 0, width: 20, height: 20});
+    expect(results.iframeCount).toBe(1);
+});
+
+// --- Error handling ---
+
+test('rejects on invalid SVG content', async ({page}) => {
+    const error = await page.evaluate(async () => {
+        const script = window.createMeasureSvgScript('');
+        const sandbox = new window.Sandbox(script);
+        try {
+            return await sandbox.send('not-an-svg')
+                .catch(e => ({errorMessage: e.message}));
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(error).toHaveProperty('errorMessage');
+});
+
+// --- Font loading ---
+
+test('text bbox with Scratch fonts matches direct measurement', async ({page}) => {
+    // Inject Scratch fonts into the parent page (simulating what
+    // scratch-render-fonts does) and build the font CSS string.
+    const fontCSS = await page.evaluate(() => {
+        // Create minimal @font-face CSS for Sans Serif using a
+        // system-available fallback. In production, the real base64-encoded
+        // font data from scratch-render-fonts is used.
+        //
+        // For this test, inject the same CSS into both the parent page
+        // and the iframe to ensure the comparison is fair.
+        const css = '@font-face { font-family: "Sans Serif"; src: local("Arial"), local("Helvetica"); }';
+        const style = document.createElement('style');
+        style.textContent = css;
+        document.head.appendChild(style);
+        return css;
+    });
+
+    const direct = await measureDirect(page, textSvg);
+    const sandboxed = await measureSandboxed(page, textSvg, fontCSS);
+
+    // Text bbox can vary slightly depending on font rendering; use
+    // generous tolerance.
+    expect(sandboxed.x).toBeCloseTo(direct.x, 0);
+    expect(sandboxed.y).toBeCloseTo(direct.y, 0);
+    expect(sandboxed.width).toBeCloseTo(direct.width, 0);
+    expect(sandboxed.height).toBeCloseTo(direct.height, 0);
+});
+
+test('font @font-face rules are injected into the iframe', async ({page}) => {
+    // createMeasureSvgScript embeds the CSS into an IIFE that runs before
+    // window.onSandboxMessage is set. Appending a replacement handler lets
+    // us verify the @font-face rule was injected by querying document.fonts.
+    const fontNames = await page.evaluate(async () => {
+        const css = '@font-face { font-family: "TestFont"; src: local("Arial"); }';
+        const script = window.createMeasureSvgScript(css) + `
+            window.onSandboxMessage = function () {
+                var names = [];
+                document.fonts.forEach(function (f) { names.push(f.family); });
+                return names;
+            };
+            `;
+        const sandbox = new window.Sandbox(script);
+        try {
+            return await sandbox.send(null);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(fontNames).toContain('TestFont');
+});
+
+// Opaque-origin enforcement is tested directly in sandbox.spec.js.
+// The test below checks the CSP directives that are specific to SVG measurement
+// (style-src and font-src are required for inline font injection to work).
+test('CSP includes style-src and font-src directives', async ({page}) => {
+    const cspContent = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function () {
+                var metas = document.querySelectorAll('meta[http-equiv]');
+                for (var i = 0; i < metas.length; i++) {
+                    if (metas[i].httpEquiv === 'Content-Security-Policy') {
+                        return metas[i].content;
+                    }
+                }
+                return null;
+            };
+        `);
+        try {
+            return await sandbox.send(null);
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    expect(cspContent).toContain("style-src 'unsafe-inline'");
+    expect(cspContent).toContain('font-src data:');
+});
+
+// --- SVG cleanup after measurement ---
+
+test('SVG is removed from iframe DOM after measurement', async ({page}) => {
+    const bodyChildren = await page.evaluate(async () => {
+        const sandbox = new window.Sandbox(`
+            window.onSandboxMessage = function (payload) {
+                if (payload === 'measure') {
+                    var container = document.createElement('span');
+                    container.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>';
+                    document.body.appendChild(container);
+                    var bbox = container.children[0].getBBox();
+                    document.body.removeChild(container);
+                    return { x: bbox.x, y: bbox.y, width: bbox.width, height: bbox.height };
+                }
+                // Just count body.children (excludes the script tag in head)
+                return document.body.children.length;
+            }
+        `);
+        try {
+            await sandbox.send('measure');
+            return await sandbox.send('count');
+        } finally {
+            sandbox.destroy();
+        }
+    });
+    // Only the script element should be in the body (from the srcdoc HTML)
+    expect(bodyChildren).toBeLessThanOrEqual(1);
+});
diff --git a/packages/scratch-svg-renderer/test/playwright/sandbox.spec.js b/packages/scratch-svg-renderer/test/playwright/sandbox.spec.js
index a21f6dbe9fc..4151bc9780f 100644
--- a/packages/scratch-svg-renderer/test/playwright/sandbox.spec.js
+++ b/packages/scratch-svg-renderer/test/playwright/sandbox.spec.js
@@ -1,4 +1,3 @@
-// @ts-check
 const {test, expect} = require('@playwright/test');
 
 /**

From 4eeb5d78ed2c420ea46429f719ff333726bfe03e Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Mon, 11 May 2026 18:04:14 +0300
Subject: [PATCH 4/8] feat: use the sandboxing mechanism for svg measurement

---
 .../src/load-svg-string.js                    | 87 ++++++++++---------
 .../scratch-svg-renderer/src/svg-renderer.js  | 10 ++-
 2 files changed, 54 insertions(+), 43 deletions(-)

diff --git a/packages/scratch-svg-renderer/src/load-svg-string.js b/packages/scratch-svg-renderer/src/load-svg-string.js
index f6c50badf3f..41cf2eb213f 100644
--- a/packages/scratch-svg-renderer/src/load-svg-string.js
+++ b/packages/scratch-svg-renderer/src/load-svg-string.js
@@ -2,6 +2,30 @@ const SvgElement = require('./svg-element');
 const convertFonts = require('./font-converter');
 const transformStrokeWidths = require('./transform-applier');
 const {sanitizeSvgText} = require('./sanitize-svg');
+const {Sandbox} = require('./sandbox/index');
+const {createMeasureSvgScript} = require('./sandbox/measure-svg-script');
+const getFonts = require('scratch-render-fonts');
+
+/**
+ * Singleton sandbox for measuring SVG bounding boxes inside a sandboxed
+ * iframe. Lazily created on the first call to `transformMeasurements`.
+ * @type {Sandbox | null}
+ */
+let measurementSandbox = null;
+
+/**
+ * Get (or create) the singleton measurement sandbox.
+ * @returns {Sandbox} The shared sandbox instance for SVG measurement.
+ */
+const getMeasurementSandbox = () => {
+    if (!measurementSandbox) {
+        const fonts = getFonts();
+        const fontCSS = Object.values(fonts).join('');
+        const script = createMeasureSvgScript(fontCSS);
+        measurementSandbox = new Sandbox(script);
+    }
+    return measurementSandbox;
+};
 
 /**
  * @param {SVGElement} svgTag the tag to search within
@@ -191,39 +215,22 @@ const findLargestStrokeWidth = rootNode => {
  * In Scratch 2.0, SVGs are drawn without respect to the width,
  * height, and viewBox attribute on the tag. The exporter
  * does output these properties - but they appear to be incorrect often.
- * To address the incorrect measurements, we append the DOM to the
- * document, and then use SVG's native `getBBox` to find the real
- * drawn dimensions. This ensures things drawn in negative dimensions,
+ * To address the incorrect measurements, we send the SVG to a
+ * sandboxed iframe and use `getBBox` there to find the real drawn
+ * dimensions. This ensures things drawn in negative dimensions,
  * outside the given viewBox, etc., are all eventually drawn to the canvas.
- * I tried to do this several other ways: stripping the width/height/viewBox
- * attributes and then drawing (Firefox won't draw anything),
- * or inflating them and then measuring a canvas. But this seems to be
- * a natural and performant way.
  * @param {SVGSVGElement} svgTag the SVG tag to apply the transformation to
+ * @returns {Promise<void>} Resolves once the measurements have been applied.
  */
-const transformMeasurements = svgTag => {
-    // Append the SVG dom to the document.
-    // This allows us to use `getBBox` on the page,
-    // which returns the full bounding-box of all drawn SVG
-    // elements, similar to how Scratch 2.0 did measurement.
-    const svgSpot = document.createElement('span');
-    let bbox;
-    try {
-        // Insert sanitized value.
-        svgSpot.innerHTML = svgTag.outerHTML;
-        document.body.appendChild(svgSpot);
-        // Take the bounding box. We have to get elements via svgSpot
-        // because we added it via innerHTML.
-        bbox = svgSpot.children[0].getBBox();
-    } finally {
-        // Always destroy the element, even if, for example, getBBox throws.
-        document.body.removeChild(svgSpot);
-    }
+const transformMeasurements = async svgTag => {
+    const sandbox = getMeasurementSandbox();
+    const svgString = svgTag.outerHTML;
+    const bbox = await sandbox.send(svgString);
 
-    // Enlarge the bbox from the largest found stroke width
-    // This may have false-positives, but at least the bbox will always
-    // contain the full graphic including strokes.
-    // If the width or height is zero however, don't enlarge since
+    // Enlarge the bbox from the largest found stroke width.
+    // Stroke-width enlargement stays in the parent because it
+    // walks the SVG DOM which is already parsed in-process.
+    // If the width or height is zero, don't enlarge since
     // they won't have a stroke width that needs to be enlarged.
     let halfStrokeWidth;
     if (bbox.width === 0 || bbox.height === 0) {
@@ -263,10 +270,13 @@ const setGradientStrokeRoundedness = svgTag => {
 
 /**
  * In-place, convert passed SVG to something consistent that will be rendered the way we want them to be.
- * @param {SVGSvgElement} svgTag root SVG node to operate upon
+ * All synchronous DOM transforms run first; the async iframe measurement
+ * (if needed) runs last.
+ * @param {SVGSVGElement} svgTag root SVG node to operate upon
  * @param {boolean} [fromVersion2] True if we should perform conversion from version 2 to version 3 svg.
+ * @returns {Promise<void>} Resolves when normalization (including any async measurement) is complete.
  */
-const normalizeSvg = (svgTag, fromVersion2) => {
+const normalizeSvg = async (svgTag, fromVersion2) => {
     if (fromVersion2) {
         // Fix gradients. Scratch 2 exports no x2 when x2 = 0, but
         // SVG default is that x2 is 1. This must be done before
@@ -279,13 +289,13 @@ const normalizeSvg = (svgTag, fromVersion2) => {
     if (fromVersion2) {
         // Transform all text elements.
         transformText(svgTag);
-        // Transform measurements.
-        transformMeasurements(svgTag);
         // Fix stroke roundedness.
         setGradientStrokeRoundedness(svgTag);
+        // Transform measurements
+        await transformMeasurements(svgTag);
     } else if (!svgTag.getAttribute('viewBox')) {
         // Renderer expects a view box.
-        transformMeasurements(svgTag);
+        await transformMeasurements(svgTag);
     } else if (!svgTag.getAttribute('width') || !svgTag.getAttribute('height')) {
         svgTag.setAttribute('width', svgTag.viewBox.baseVal.width);
         svgTag.setAttribute('height', svgTag.viewBox.baseVal.height);
@@ -300,14 +310,13 @@ const normalizeSvg = (svgTag, fromVersion2) => {
  * mimic Scratch 2.0's SVG rendering.
  * @param {!string} svgString String of SVG data to draw in quirks-mode.
  * @param {boolean} [fromVersion2] True if we should perform conversion from version 2 to version 3 svg.
- * @returns {SVGSVGElement} The normalized SVG element.
+ * @returns {Promise<SVGSVGElement>} Resolves with the normalized SVG element.
  */
-const loadSvgString = (svgString, fromVersion2) => {
+const loadSvgString = async (svgString, fromVersion2) => {
     // Parse string into SVG XML.
     const parser = new DOMParser();
 
-    // Since we're adding user-provided SVG to document.body as part of normalization,
-    // sanitization is required. This should not affect bounding box calculation.
+    // Sanitization is required before any processing.
     const sanitizedSvgString = sanitizeSvgText(svgString);
     const svgDom = parser.parseFromString(sanitizedSvgString, 'text/xml');
     if (svgDom.childNodes.length < 1 ||
@@ -315,7 +324,7 @@ const loadSvgString = (svgString, fromVersion2) => {
         throw new Error('Document does not appear to be SVG.');
     }
     const svgTag = svgDom.documentElement;
-    normalizeSvg(svgTag, fromVersion2);
+    await normalizeSvg(svgTag, fromVersion2);
     return svgTag;
 };
 
diff --git a/packages/scratch-svg-renderer/src/svg-renderer.js b/packages/scratch-svg-renderer/src/svg-renderer.js
index e95b32776d6..57afb134ab0 100644
--- a/packages/scratch-svg-renderer/src/svg-renderer.js
+++ b/packages/scratch-svg-renderer/src/svg-renderer.js
@@ -77,11 +77,12 @@ class SvgRenderer {
      * @param {!string} svgString String of SVG data to draw in quirks-mode.
      * @param {?boolean} fromVersion2 True if we should perform conversion from
      *     version 2 to version 3 svg.
+     * @returns {Promise<void>} Resolves when the SVG has been loaded and normalized.
      */
-    loadString (svgString, fromVersion2) {
+    async loadString (svgString, fromVersion2) {
         // New svg string invalidates the cached image
         this._cachedImage = null;
-        const svgTag = loadSvgString(svgString, fromVersion2);
+        const svgTag = await loadSvgString(svgString, fromVersion2);
 
         this._svgTag = svgTag;
         this._measurements = {
@@ -99,8 +100,9 @@ class SvgRenderer {
      * @param {Function} [onFinish] - An optional callback to call when the SVG is loaded and can be rendered.
      */
     loadSVG (svgString, fromVersion2, onFinish) {
-        this.loadString(svgString, fromVersion2);
-        this._createSVGImage(onFinish);
+        this.loadString(svgString, fromVersion2).then(() => {
+            this._createSVGImage(onFinish);
+        });
     }
 
     /**

From f99b4f87729a916916f92778155d383f888f50db Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Mon, 11 May 2026 18:30:38 +0300
Subject: [PATCH 5/8] feat: update usage of consumers of loadSvgString

---
 packages/scratch-render/src/SVGSkin.js        | 100 +++++++++++-------
 .../scratch-vm/src/import/load-costume.js     |  18 +++-
 2 files changed, 77 insertions(+), 41 deletions(-)

diff --git a/packages/scratch-render/src/SVGSkin.js b/packages/scratch-render/src/SVGSkin.js
index 71b38ffef6c..f54715d1fd3 100644
--- a/packages/scratch-render/src/SVGSkin.js
+++ b/packages/scratch-render/src/SVGSkin.js
@@ -54,6 +54,14 @@ class SVGSkin extends Skin {
          * @type {number}
          */
         this._maxTextureScale = 1;
+
+        /**
+         * Generation counter for cancelling stale setSVG loads.
+         * Incremented each time setSVG is called; async callbacks
+         * compare their captured generation to skip outdated results.
+         * @type {number}
+         */
+        this._svgGeneration = 0;
     }
 
     /**
@@ -192,46 +200,64 @@ class SVGSkin extends Skin {
      * @fires Skin.event:WasAltered
      */
     setSVG (svgData, rotationCenter) {
-        const svgTag = loadSvgString(svgData);
-        const svgText = serializeSvgToString(svgTag, true /* shouldInjectFonts */);
         this._svgImageLoaded = false;
 
-        const {x, y, width, height} = svgTag.viewBox.baseVal;
-        // While we're setting the size before the image is loaded, this doesn't cause the skin to appear with the wrong
-        // size for a few frames while the new image is loading, because we don't emit the `WasAltered` event, telling
-        // drawables using this skin to update, until the image is loaded.
-        // We need to do this because the VM reads the skin's `size` directly after calling `setSVG`.
-        // TODO: return a Promise so that the VM can read the skin's `size` after the image is loaded.
-        this._size[0] = width;
-        this._size[1] = height;
-
-        // If there is another load already in progress, replace the old onload to effectively cancel the old load
-        this._svgImage.onload = () => {
-            if (width === 0 || height === 0) {
-                super.setEmptyImageData();
-                return;
-            }
-
-            const maxDimension = Math.ceil(Math.max(width, height));
-            let testScale = 2;
-            for (testScale; maxDimension * testScale <= MAX_TEXTURE_DIMENSION; testScale *= 2) {
-                this._maxTextureScale = testScale;
-            }
-
-            this.resetMIPs();
-
-            if (typeof rotationCenter === 'undefined') rotationCenter = this.calculateRotationCenter();
-            // Compensate for viewbox offset.
-            // See https://github.com/LLK/scratch-render/pull/90.
-            this._rotationCenter[0] = rotationCenter[0] - x;
-            this._rotationCenter[1] = rotationCenter[1] - y;
-
-            this._svgImageLoaded = true;
-
-            this.emit(Skin.Events.WasAltered);
-        };
+        // Pre-parse the SVG to extract viewBox synchronously so that
+        // `_size` is available immediately after `createSVGSkin` returns.
+        const parser = new DOMParser();
+        const svgDoc = parser.parseFromString(svgData, 'text/xml');
+        const svgEl = svgDoc.documentElement;
+        if (svgEl.localName === 'svg' && svgEl.viewBox.baseVal) {
+            this._size[0] = svgEl.viewBox.baseVal.width;
+            this._size[1] = svgEl.viewBox.baseVal.height;
+        }
+
+        // Increment generation so that if setSVG is called again before
+        // the async pipeline finishes, the stale result is discarded.
+        const generation = ++this._svgGeneration;
+
+        // Full async pipeline: sanitize, normalize, serialize, render.
+        loadSvgString(svgData).then(svgTag => {
+            // A newer setSVG call supersedes this one.
+            if (this._svgGeneration !== generation) return;
+
+            const svgText = serializeSvgToString(svgTag, true /* shouldInjectFonts */);
+            const {x, y, width, height} = svgTag.viewBox.baseVal;
+
+            // Update size from the normalized SVG (normalization may have
+            // changed dimensions, e.g. for Scratch 2 quirks-mode SVGs).
+            this._size[0] = width;
+            this._size[1] = height;
+
+            this._svgImage.onload = () => {
+                if (this._svgGeneration !== generation) return;
+
+                if (width === 0 || height === 0) {
+                    super.setEmptyImageData();
+                    return;
+                }
+
+                const maxDimension = Math.ceil(Math.max(width, height));
+                let testScale = 2;
+                for (testScale; maxDimension * testScale <= MAX_TEXTURE_DIMENSION; testScale *= 2) {
+                    this._maxTextureScale = testScale;
+                }
+
+                this.resetMIPs();
+
+                if (typeof rotationCenter === 'undefined') rotationCenter = this.calculateRotationCenter();
+                // Compensate for viewbox offset.
+                // See https://github.com/LLK/scratch-render/pull/90.
+                this._rotationCenter[0] = rotationCenter[0] - x;
+                this._rotationCenter[1] = rotationCenter[1] - y;
+
+                this._svgImageLoaded = true;
+
+                this.emit(Skin.Events.WasAltered);
+            };
 
-        this._svgImage.src = `data:image/svg+xml;utf8,${encodeURIComponent(svgText)}`;
+            this._svgImage.src = `data:image/svg+xml;utf8,${encodeURIComponent(svgText)}`;
+        });
     }
 
 }
diff --git a/packages/scratch-vm/src/import/load-costume.js b/packages/scratch-vm/src/import/load-costume.js
index 25dba394654..67dedbcf2cc 100644
--- a/packages/scratch-vm/src/import/load-costume.js
+++ b/packages/scratch-vm/src/import/load-costume.js
@@ -3,13 +3,14 @@ const log = require('../util/log');
 const {loadSvgString, serializeSvgToString} = require('@scratch/scratch-svg-renderer');
 
 const loadVector_ = function (costume, runtime, rotationCenter, optVersion) {
-    return new Promise(resolve => {
+    return (async () => {
         let svgString = costume.asset.decodeText();
         // SVG Renderer load fixes "quirks" associated with Scratch 2 projects
         if (optVersion && optVersion === 2) {
             // scratch-svg-renderer fixes syntax that causes loading issues,
             // and if optVersion is 2, fixes "quirks" associated with Scratch 2 SVGs,
-            const fixedSvgString = serializeSvgToString(loadSvgString(svgString, true /* fromVersion2 */));
+            const svgTag = await loadSvgString(svgString, true /* fromVersion2 */);
+            const fixedSvgString = serializeSvgToString(svgTag);
 
             // If the string changed, put back into storage
             if (svgString !== fixedSvgString) {
@@ -19,10 +20,19 @@ const loadVector_ = function (costume, runtime, rotationCenter, optVersion) {
                 costume.assetId = costume.asset.assetId;
                 costume.md5 = `${costume.assetId}.${costume.dataFormat}`;
             }
+        } else if (!/<svg[^>]*\bviewBox\s*=/i.test(svgString)) {
+            // SVGs without a viewBox require async iframe measurement (via transformMeasurements)
+            // to determine their dimensions. Pre-process the SVG here so that the resulting string
+            // already has viewBox+width+height set before it reaches SVGSkin.setSVG. This ensures
+            // the synchronous pre-parse in setSVG reads the correct dimensions, and therefore
+            // getSkinSize() returns the right value immediately after createSVGSkin() returns.
+            const svgTag = await loadSvgString(svgString);
+            svgString = serializeSvgToString(svgTag);
         }
 
         // createSVGSkin does the right thing if rotationCenter isn't provided, so it's okay if it's
         // undefined here
+        // eslint-disable-next-line require-atomic-updates -- costume is call-site-owned; no concurrent modification
         costume.skinId = runtime.renderer.createSVGSkin(svgString, rotationCenter);
         costume.size = runtime.renderer.getSkinSize(costume.skinId);
         // Now we should have a rotationCenter even if we didn't before
@@ -33,8 +43,8 @@ const loadVector_ = function (costume, runtime, rotationCenter, optVersion) {
             costume.bitmapResolution = 1;
         }
 
-        resolve(costume);
-    });
+        return costume;
+    })();
 };
 
 const canvasPool = (function () {

From 1438d2a0b4ce7906f903c3c6e0a56046f056e989 Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Tue, 12 May 2026 17:19:23 +0300
Subject: [PATCH 6/8] feat: update setSvg to be awaitable; update usages

---
 packages/scratch-render/src/RenderWebGL.js        | 12 ++++++------
 packages/scratch-render/src/SVGSkin.js            | 14 +++-----------
 .../test/integration/skin-size-tests.js           |  4 ++--
 packages/scratch-vm/src/import/load-costume.js    | 15 ++++-----------
 4 files changed, 15 insertions(+), 30 deletions(-)

diff --git a/packages/scratch-render/src/RenderWebGL.js b/packages/scratch-render/src/RenderWebGL.js
index 888356475f2..54a06cdb16a 100644
--- a/packages/scratch-render/src/RenderWebGL.js
+++ b/packages/scratch-render/src/RenderWebGL.js
@@ -355,14 +355,14 @@ class RenderWebGL extends EventEmitter {
      * @param {!string} svgData - new SVG to use.
      * @param {?Array<number>} rotationCenter Optional: rotation center of the skin. If not supplied, the center of the
      * skin will be used
-     * @returns {!int} the ID for the new skin.
+     * @returns {Promise<number>} A promise that resolves with the skin ID once the skin's
+     *     dimensions are available via getSkinSize.
      */
     createSVGSkin (svgData, rotationCenter) {
         const skinId = this._nextSkinId++;
         const newSkin = new SVGSkin(skinId, this);
-        newSkin.setSVG(svgData, rotationCenter);
         this._allSkins[skinId] = newSkin;
-        return skinId;
+        return newSkin.setSVG(svgData, rotationCenter).then(() => skinId);
     }
 
     /**
@@ -398,16 +398,16 @@ class RenderWebGL extends EventEmitter {
      * @param {!string} svgData - new SVG to use.
      * @param {?Array<number>} rotationCenter Optional: rotation center of the skin. If not supplied, the center of the
      * skin will be used
+     * @returns {Promise<void>} A promise that resolves once the skin's dimensions are updated.
      */
     updateSVGSkin (skinId, svgData, rotationCenter) {
         if (this._allSkins[skinId] instanceof SVGSkin) {
-            this._allSkins[skinId].setSVG(svgData, rotationCenter);
-            return;
+            return this._allSkins[skinId].setSVG(svgData, rotationCenter);
         }
 
         const newSkin = new SVGSkin(skinId, this);
-        newSkin.setSVG(svgData, rotationCenter);
         this._reskin(skinId, newSkin);
+        return newSkin.setSVG(svgData, rotationCenter);
     }
 
     /**
diff --git a/packages/scratch-render/src/SVGSkin.js b/packages/scratch-render/src/SVGSkin.js
index f54715d1fd3..d3768dede50 100644
--- a/packages/scratch-render/src/SVGSkin.js
+++ b/packages/scratch-render/src/SVGSkin.js
@@ -202,22 +202,14 @@ class SVGSkin extends Skin {
     setSVG (svgData, rotationCenter) {
         this._svgImageLoaded = false;
 
-        // Pre-parse the SVG to extract viewBox synchronously so that
-        // `_size` is available immediately after `createSVGSkin` returns.
-        const parser = new DOMParser();
-        const svgDoc = parser.parseFromString(svgData, 'text/xml');
-        const svgEl = svgDoc.documentElement;
-        if (svgEl.localName === 'svg' && svgEl.viewBox.baseVal) {
-            this._size[0] = svgEl.viewBox.baseVal.width;
-            this._size[1] = svgEl.viewBox.baseVal.height;
-        }
-
         // Increment generation so that if setSVG is called again before
         // the async pipeline finishes, the stale result is discarded.
         const generation = ++this._svgGeneration;
 
         // Full async pipeline: sanitize, normalize, serialize, render.
-        loadSvgString(svgData).then(svgTag => {
+        // Resolves after _size is updated; callers that need correct dimensions
+        // must await the returned Promise.
+        return loadSvgString(svgData).then(svgTag => {
             // A newer setSVG call supersedes this one.
             if (this._svgGeneration !== generation) return;
 
diff --git a/packages/scratch-render/test/integration/skin-size-tests.js b/packages/scratch-render/test/integration/skin-size-tests.js
index 2d7db354150..aea4d1b2115 100644
--- a/packages/scratch-render/test/integration/skin-size-tests.js
+++ b/packages/scratch-render/test/integration/skin-size-tests.js
@@ -14,8 +14,8 @@ const indexHTML = path.resolve(__dirname, 'index.html');
 
     await test('SVG skin size set properly', async t => {
         t.plan(1);
-        const skinSize = await page.evaluate(() => {
-            const skinID = render.createSVGSkin(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 100"></svg>`);
+        const skinSize = await page.evaluate(async () => {
+            const skinID = await render.createSVGSkin(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 100"></svg>`);
             return render.getSkinSize(skinID);
         });
         t.same(skinSize, [50, 100]);
diff --git a/packages/scratch-vm/src/import/load-costume.js b/packages/scratch-vm/src/import/load-costume.js
index 67dedbcf2cc..2bbbea096de 100644
--- a/packages/scratch-vm/src/import/load-costume.js
+++ b/packages/scratch-vm/src/import/load-costume.js
@@ -20,20 +20,13 @@ const loadVector_ = function (costume, runtime, rotationCenter, optVersion) {
                 costume.assetId = costume.asset.assetId;
                 costume.md5 = `${costume.assetId}.${costume.dataFormat}`;
             }
-        } else if (!/<svg[^>]*\bviewBox\s*=/i.test(svgString)) {
-            // SVGs without a viewBox require async iframe measurement (via transformMeasurements)
-            // to determine their dimensions. Pre-process the SVG here so that the resulting string
-            // already has viewBox+width+height set before it reaches SVGSkin.setSVG. This ensures
-            // the synchronous pre-parse in setSVG reads the correct dimensions, and therefore
-            // getSkinSize() returns the right value immediately after createSVGSkin() returns.
-            const svgTag = await loadSvgString(svgString);
-            svgString = serializeSvgToString(svgTag);
         }
 
         // createSVGSkin does the right thing if rotationCenter isn't provided, so it's okay if it's
-        // undefined here
-        // eslint-disable-next-line require-atomic-updates -- costume is call-site-owned; no concurrent modification
-        costume.skinId = runtime.renderer.createSVGSkin(svgString, rotationCenter);
+        // undefined here. costume is call-site-owned with no concurrent modification; the
+        // require-atomic-updates warning is a false positive.
+        // eslint-disable-next-line require-atomic-updates
+        costume.skinId = await runtime.renderer.createSVGSkin(svgString, rotationCenter);
         costume.size = runtime.renderer.getSkinSize(costume.skinId);
         // Now we should have a rotationCenter even if we didn't before
         if (!rotationCenter) {

From 28e5b2ad08aa40c1728265cf16f2d436a7738ab5 Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Tue, 12 May 2026 17:25:40 +0300
Subject: [PATCH 7/8] fix: lint error

---
 packages/scratch-vm/src/import/load-costume.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/packages/scratch-vm/src/import/load-costume.js b/packages/scratch-vm/src/import/load-costume.js
index 2bbbea096de..db3254ee7cf 100644
--- a/packages/scratch-vm/src/import/load-costume.js
+++ b/packages/scratch-vm/src/import/load-costume.js
@@ -23,8 +23,7 @@ const loadVector_ = function (costume, runtime, rotationCenter, optVersion) {
         }
 
         // createSVGSkin does the right thing if rotationCenter isn't provided, so it's okay if it's
-        // undefined here. costume is call-site-owned with no concurrent modification; the
-        // require-atomic-updates warning is a false positive.
+        // undefined here.
         // eslint-disable-next-line require-atomic-updates
         costume.skinId = await runtime.renderer.createSVGSkin(svgString, rotationCenter);
         costume.size = runtime.renderer.getSkinSize(costume.skinId);

From a069b2906a03be1aab6e72e923c614368c936ddf Mon Sep 17 00:00:00 2001
From: Kaloyan Manolov <kmanolov3@gmail.com>
Date: Wed, 13 May 2026 17:18:30 +0300
Subject: [PATCH 8/8] feat: add tests for the updated usages of svg measurement

---
 .../test/integration/svg-skin-async-tests.js  | 111 +++++
 .../playwright/load-svg-string-harness.html   |  18 +
 .../test/playwright/load-svg-string.spec.js   | 381 ++++++++++++++++++
 .../test/integration/load-costume-async.js    | 124 ++++++
 4 files changed, 634 insertions(+)
 create mode 100644 packages/scratch-render/test/integration/svg-skin-async-tests.js
 create mode 100644 packages/scratch-svg-renderer/test/playwright/load-svg-string-harness.html
 create mode 100644 packages/scratch-svg-renderer/test/playwright/load-svg-string.spec.js
 create mode 100644 packages/scratch-vm/test/integration/load-costume-async.js

diff --git a/packages/scratch-render/test/integration/svg-skin-async-tests.js b/packages/scratch-render/test/integration/svg-skin-async-tests.js
new file mode 100644
index 00000000000..0edaf866984
--- /dev/null
+++ b/packages/scratch-render/test/integration/svg-skin-async-tests.js
@@ -0,0 +1,111 @@
+/* global render, requestAnimationFrame */
+/**
+ * Integration tests for SVGSkin.setSVG async pipeline and generation counter.
+ *
+ * Verifies that:
+ * - Rapid successive setSVG calls discard stale results (generation counter).
+ * - The async loadSvgString pipeline correctly updates skin size.
+ * - Superseded setSVG calls do not corrupt skin state.
+ *
+ * Requires built dist bundles: run `npm run build` in scratch-render and
+ * scratch-svg-renderer before running these tests.
+ */
+const {chromium} = require('playwright-chromium');
+const test = require('tap').test;
+const path = require('path');
+
+const indexHTML = path.resolve(__dirname, 'index.html');
+
+(async () => {
+    const browser = await chromium.launch();
+    const page = await browser.newPage();
+
+    await page.goto(`file://${indexHTML}`);
+
+    // Wait for the renderer to be ready.
+    await page.waitForFunction(() => typeof render !== 'undefined' && render.createSVGSkin);
+
+    await test('createSVGSkin with viewBox SVG resolves with correct size', async t => {
+        const skinSize = await page.evaluate(async () => {
+            const svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 75 120" width="75" height="120">' +
+                '<rect width="75" height="120" fill="red"/></svg>';
+            const skinId = await render.createSVGSkin(svg);
+            return render.getSkinSize(skinId);
+        });
+        t.same(skinSize, [75, 120]);
+    });
+
+    await test('createSVGSkin with viewBox but no width/height resolves with correct size', async t => {
+        const skinSize = await page.evaluate(async () => {
+            const svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 63 47">' +
+                '<rect width="63" height="47" fill="blue"/></svg>';
+            const skinId = await render.createSVGSkin(svg);
+            return render.getSkinSize(skinId);
+        });
+        t.same(skinSize, [63, 47]);
+    });
+
+    await test('rapid updateSVGSkin calls: only last SVG dimensions persist', async t => {
+        const result = await page.evaluate(async () => {
+            const small = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" width="10" height="10">' +
+                '<rect width="10" height="10" fill="red"/></svg>';
+            const medium = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50" width="50" height="50">' +
+                '<rect width="50" height="50" fill="green"/></svg>';
+            const large = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 150" width="200" height="150">' +
+                '<rect width="200" height="150" fill="blue"/></svg>';
+
+            // Create initial skin
+            const skinId = await render.createSVGSkin(small);
+
+            // Fire three rapid updates without awaiting the first two.
+            render.updateSVGSkin(skinId, small);
+            render.updateSVGSkin(skinId, medium);
+            const lastPromise = render.updateSVGSkin(skinId, large);
+
+            // Wait for the last one to settle.
+            await lastPromise;
+
+            // Give a frame for img.onload to fire.
+            await new Promise(resolve => requestAnimationFrame(resolve));
+
+            return render.getSkinSize(skinId);
+        });
+
+        // Only the last SVG (200x150) should be reflected.
+        t.same(result, [200, 150]);
+    });
+
+    await test('superseded setSVG load is discarded when a newer call wins', async t => {
+        const result = await page.evaluate(async () => {
+            // SVG without viewBox forces the async measurement path (slower).
+            const slowSvg = '<svg xmlns="http://www.w3.org/2000/svg">' +
+                '<rect x="0" y="0" width="30" height="25" fill="red"/></svg>';
+            // SVG with viewBox takes the fast path.
+            const fastSvg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 99 77" width="99" height="77">' +
+                '<rect width="99" height="77" fill="blue"/></svg>';
+
+            const skinId = await render.createSVGSkin(
+                '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1 1" width="1" height="1"></svg>'
+            );
+
+            // First: fire the slow measurement path (no viewBox).
+            render.updateSVGSkin(skinId, slowSvg);
+            // Immediately supersede with the fast path.
+            const fastPromise = render.updateSVGSkin(skinId, fastSvg);
+
+            await fastPromise;
+            // Wait for any stale callbacks to potentially fire.
+            await new Promise(resolve => setTimeout(resolve, 200));
+
+            return render.getSkinSize(skinId);
+        });
+
+        // The fast SVG (99x77) should win; the slow SVG's stale result should be discarded.
+        t.same(result, [99, 77]);
+    });
+
+    await browser.close();
+})().catch(err => {
+    console.error(err.message);
+    process.exit(1);
+});
diff --git a/packages/scratch-svg-renderer/test/playwright/load-svg-string-harness.html b/packages/scratch-svg-renderer/test/playwright/load-svg-string-harness.html
new file mode 100644
index 00000000000..dcad96bcb6f
--- /dev/null
+++ b/packages/scratch-svg-renderer/test/playwright/load-svg-string-harness.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>loadSvgString Integration Test Harness</title>
+</head>
+<body>
+<!--
+    Loads the pre-built web bundle which exposes window.ScratchSVGRenderer.
+    Run `npm run build` in packages/scratch-svg-renderer before running these tests.
+-->
+<script src="../../dist/web/scratch-svg-renderer.js"></script>
+<script>
+    // Expose loadSvgString at the top level for test convenience.
+    window.loadSvgString = ScratchSVGRenderer.loadSvgString;
+</script>
+</body>
+</html>
diff --git a/packages/scratch-svg-renderer/test/playwright/load-svg-string.spec.js b/packages/scratch-svg-renderer/test/playwright/load-svg-string.spec.js
new file mode 100644
index 00000000000..bd6fdee9093
--- /dev/null
+++ b/packages/scratch-svg-renderer/test/playwright/load-svg-string.spec.js
@@ -0,0 +1,381 @@
+const {test, expect} = require('@playwright/test');
+
+/**
+ * Integration tests for loadSvgString — the full async pipeline from raw SVG
+ * string through sanitization, normalization, and (when needed) sandboxed
+ * iframe measurement via transformMeasurements.
+ */
+
+// --- Test fixtures ---
+
+// SVG with viewBox + width + height: takes the sync fast-path (no measurement).
+const SVG_WITH_VIEWBOX = '<svg xmlns="http://www.w3.org/2000/svg" ' +
+    'viewBox="0 0 100 80" width="100" height="80">' +
+    '<rect x="10" y="10" width="50" height="30" fill="blue"/>' +
+    '</svg>';
+
+// SVG with viewBox but no width/height: sets them from viewBox.baseVal (no measurement).
+const SVG_VIEWBOX_NO_DIMS = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 150">' +
+    '<circle cx="100" cy="75" r="50" fill="green"/>' +
+    '</svg>';
+
+// SVG without viewBox: triggers transformMeasurements (async iframe path).
+const SVG_NO_VIEWBOX = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<rect x="5" y="10" width="60" height="40" fill="red"/>' +
+    '</svg>';
+
+// SVG without viewBox and with a stroke: tests stroke-width enlargement.
+const SVG_NO_VIEWBOX_WITH_STROKE = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<rect x="10" y="20" width="80" height="50" fill="none" stroke="black" stroke-width="4"/>' +
+    '</svg>';
+
+// SVG with negative bbox coordinates (like some Scratch 2 costumes).
+const SVG_NEGATIVE_COORDS = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<circle cx="-20" cy="-10" r="30" fill="purple"/>' +
+    '</svg>';
+
+// Scratch 2-style SVG: no viewBox, has text elements that need quirks transforms.
+const SVG_V2_WITH_TEXT = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<text x="10" y="20" font-family="Helvetica" font-size="14">Hello World</text>' +
+    '</svg>';
+
+// SVG with a linear gradient missing x2 (Scratch 2 quirk).
+const SVG_V2_GRADIENT = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<defs><linearGradient id="g1"><stop offset="0" stop-color="red"/>' +
+    '<stop offset="1" stop-color="blue"/></linearGradient></defs>' +
+    '<rect x="0" y="0" width="100" height="100" fill="url(#g1)"/>' +
+    '</svg>';
+
+// Malformed SVG that should cause an error.
+const SVG_MALFORMED = '<not-svg>this is not valid</not-svg>';
+
+// SVG with text using a Scratch font family.
+const SVG_WITH_SCRATCH_FONT = '<svg xmlns="http://www.w3.org/2000/svg">' +
+    '<text x="0" y="20" font-family="Sans Serif" font-size="18">Test text</text>' +
+    '</svg>';
+
+// A large SVG with many elements (for performance testing).
+const generateLargeSvg = (elementCount) => {
+    let rects = '';
+    for (let i = 0; i < elementCount; i++) {
+        rects += `<rect x="${i % 100}" y="${Math.floor(i / 100)}" width="1" height="1" fill="red"/>`;
+    }
+    return `<svg xmlns="http://www.w3.org/2000/svg">${rects}</svg>`;
+};
+
+test.beforeEach(async ({page}) => {
+    await page.goto('load-svg-string-harness.html');
+    await page.waitForFunction(
+        () => typeof window.loadSvgString === 'function'
+    );
+});
+
+test('SVG with viewBox and dimensions resolves with correct attributes', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg);
+        return {
+            width: svgTag.getAttribute('width'),
+            height: svgTag.getAttribute('height'),
+            viewBox: svgTag.getAttribute('viewBox'),
+            tagName: svgTag.tagName
+        };
+    }, SVG_WITH_VIEWBOX);
+
+    expect(result.tagName).toBe('svg');
+    expect(result.width).toBe('100');
+    expect(result.height).toBe('80');
+    expect(result.viewBox).toBe('0 0 100 80');
+});
+
+test('SVG with viewBox but no dimensions gets width/height from viewBox', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg);
+        return {
+            width: svgTag.getAttribute('width'),
+            height: svgTag.getAttribute('height'),
+            viewBox: svgTag.getAttribute('viewBox')
+        };
+    }, SVG_VIEWBOX_NO_DIMS);
+
+    expect(result.width).toBe('200');
+    expect(result.height).toBe('150');
+    expect(result.viewBox).toBe('0 0 200 150');
+});
+
+test('SVG without viewBox gets viewBox/width/height from iframe measurement', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg);
+        return {
+            width: Number(svgTag.getAttribute('width')),
+            height: Number(svgTag.getAttribute('height')),
+            viewBox: svgTag.getAttribute('viewBox')
+        };
+    }, SVG_NO_VIEWBOX);
+
+    // The rect is at (5, 10) with size (60, 40), bbox = (5, 10, 60, 40).
+    // transformStrokeWidths adds default stroke-width=1 to graphics elements,
+    // so findLargestStrokeWidth returns 1, halfStrokeWidth = 0.5, enlarging by 1.
+    expect(result.width).toBeCloseTo(61, 0);
+    expect(result.height).toBeCloseTo(41, 0);
+    expect(result.viewBox).toBeDefined();
+    // viewBox origin shifts by -halfStrokeWidth
+    const vb = result.viewBox.split(' ').map(Number);
+    expect(vb[0]).toBeCloseTo(4.5, 0);
+    expect(vb[1]).toBeCloseTo(9.5, 0);
+    expect(vb[2]).toBeCloseTo(61, 0);
+    expect(vb[3]).toBeCloseTo(41, 0);
+});
+
+test('SVG without viewBox applies stroke-width enlargement to measured bbox', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg);
+        return {
+            width: Number(svgTag.getAttribute('width')),
+            height: Number(svgTag.getAttribute('height')),
+            viewBox: svgTag.getAttribute('viewBox')
+        };
+    }, SVG_NO_VIEWBOX_WITH_STROKE);
+
+    // Rect at (10, 20), size (80, 50), stroke-width 4 → half = 2
+    // Expected: viewBox = (8, 18, 84, 54), width = 84, height = 54
+    expect(result.width).toBeCloseTo(84, 0);
+    expect(result.height).toBeCloseTo(54, 0);
+    const vb = result.viewBox.split(' ').map(Number);
+    expect(vb[0]).toBeCloseTo(8, 0);
+    expect(vb[1]).toBeCloseTo(18, 0);
+    expect(vb[2]).toBeCloseTo(84, 0);
+    expect(vb[3]).toBeCloseTo(54, 0);
+});
+
+test('SVG with negative bbox coordinates measured correctly', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg);
+        return {
+            width: Number(svgTag.getAttribute('width')),
+            height: Number(svgTag.getAttribute('height')),
+            viewBox: svgTag.getAttribute('viewBox')
+        };
+    }, SVG_NEGATIVE_COORDS);
+
+    // Circle at (-20, -10), r=30 → bbox = (-50, -40, 60, 60).
+    // Default stroke-width=1 enlargement: +1 on each dimension.
+    expect(result.width).toBeCloseTo(61, 0);
+    expect(result.height).toBeCloseTo(61, 0);
+    const vb = result.viewBox.split(' ').map(Number);
+    expect(vb[0]).toBeCloseTo(-50.5, 0);
+    expect(vb[1]).toBeCloseTo(-40.5, 0);
+});
+
+test('v2 SVG applies text transforms and measures correctly', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg, true /* fromVersion2 */);
+        // Check that text transforms were applied
+        const textEl = svgTag.querySelector('text');
+        const hasAlignmentBaseline = textEl ?
+            textEl.getAttribute('alignment-baseline') === 'text-before-edge' : false;
+        return {
+            hasViewBox: svgTag.hasAttribute('viewBox'),
+            hasWidth: svgTag.hasAttribute('width'),
+            hasHeight: svgTag.hasAttribute('height'),
+            hasAlignmentBaseline,
+            width: Number(svgTag.getAttribute('width')),
+            height: Number(svgTag.getAttribute('height'))
+        };
+    }, SVG_V2_WITH_TEXT);
+
+    expect(result.hasViewBox).toBe(true);
+    expect(result.hasWidth).toBe(true);
+    expect(result.hasHeight).toBe(true);
+    expect(result.hasAlignmentBaseline).toBe(true);
+    // Dimensions should be non-zero (measured from iframe)
+    expect(result.width).toBeGreaterThan(0);
+    expect(result.height).toBeGreaterThan(0);
+});
+
+test('v2 SVG applies gradient x2 fixup', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg, true /* fromVersion2 */);
+        const gradient = svgTag.querySelector('linearGradient');
+        return {
+            x2: gradient ? gradient.getAttribute('x2') : null,
+            hasViewBox: svgTag.hasAttribute('viewBox')
+        };
+    }, SVG_V2_GRADIENT);
+
+    // Scratch 2 quirk: missing x2 should be set to '0'
+    expect(result.x2).toBe('0');
+    expect(result.hasViewBox).toBe(true);
+});
+
+test('malformed SVG rejects with an error', async ({page}) => {
+    const error = await page.evaluate(async (svg) => {
+        try {
+            await window.loadSvgString(svg);
+            return null;
+        } catch (e) {
+            return {message: e.message};
+        }
+    }, SVG_MALFORMED);
+
+    expect(error).not.toBeNull();
+    expect(error.message).toContain('does not appear to be SVG');
+});
+
+test('multiple loadSvgString calls share a single measurement iframe', async ({page}) => {
+    const result = await page.evaluate(async () => {
+        // Two SVGs without viewBox — both trigger measurement.
+        const svg1 = '<svg xmlns="http://www.w3.org/2000/svg">' +
+            '<rect x="0" y="0" width="30" height="20" fill="red"/></svg>';
+        const svg2 = '<svg xmlns="http://www.w3.org/2000/svg">' +
+            '<rect x="0" y="0" width="50" height="40" fill="blue"/></svg>';
+
+        await window.loadSvgString(svg1);
+        await window.loadSvgString(svg2);
+
+        // Count iframes in the document — the singleton sandbox
+        // should create only one.
+        const iframeCount = document.querySelectorAll('iframe').length;
+        return {iframeCount};
+    });
+
+    expect(result.iframeCount).toBe(1);
+});
+
+test('concurrent loadSvgString calls resolve with correct results', async ({page}) => {
+    const results = await page.evaluate(async () => {
+        const svg1 = '<svg xmlns="http://www.w3.org/2000/svg">' +
+            '<rect x="0" y="0" width="30" height="20" fill="red"/></svg>';
+        const svg2 = '<svg xmlns="http://www.w3.org/2000/svg">' +
+            '<rect x="0" y="0" width="70" height="55" fill="blue"/></svg>';
+        const svg3 = '<svg xmlns="http://www.w3.org/2000/svg">' +
+            '<rect x="5" y="5" width="100" height="80" fill="green"/></svg>';
+
+        // Fire all three concurrently
+        const [tag1, tag2, tag3] = await Promise.all([
+            window.loadSvgString(svg1),
+            window.loadSvgString(svg2),
+            window.loadSvgString(svg3)
+        ]);
+
+        return {
+            w1: Number(tag1.getAttribute('width')),
+            h1: Number(tag1.getAttribute('height')),
+            w2: Number(tag2.getAttribute('width')),
+            h2: Number(tag2.getAttribute('height')),
+            w3: Number(tag3.getAttribute('width')),
+            h3: Number(tag3.getAttribute('height'))
+        };
+    });
+
+    // Each SVG gets +1 from default stroke-width enlargement.
+    expect(results.w1).toBeCloseTo(31, 0);
+    expect(results.h1).toBeCloseTo(21, 0);
+    expect(results.w2).toBeCloseTo(71, 0);
+    expect(results.h2).toBeCloseTo(56, 0);
+    expect(results.w3).toBeCloseTo(101, 0);
+    expect(results.h3).toBeCloseTo(81, 0);
+});
+
+test('first loadSvgString call succeeds (iframe created on demand)', async ({page}) => {
+    // This test verifies that the very first call — when no iframe exists
+    // yet — waits for iframe load and then resolves correctly.
+    const result = await page.evaluate(async () => {
+        const svg = '<svg xmlns="http://www.w3.org/2000/svg">' +
+            '<rect x="0" y="0" width="42" height="33" fill="red"/></svg>';
+
+        // Ensure no iframes exist before the call.
+        const before = document.querySelectorAll('iframe').length;
+        const svgTag = await window.loadSvgString(svg);
+        const after = document.querySelectorAll('iframe').length;
+
+        return {
+            beforeIframes: before,
+            afterIframes: after,
+            width: Number(svgTag.getAttribute('width')),
+            height: Number(svgTag.getAttribute('height'))
+        };
+    });
+
+    expect(result.beforeIframes).toBe(0);
+    expect(result.afterIframes).toBe(1);
+    // +1 from default stroke-width enlargement
+    expect(result.width).toBeCloseTo(43, 0);
+    expect(result.height).toBeCloseTo(34, 0);
+});
+
+test('large SVG with many elements does not time out', async ({page}) => {
+    // The generated SVG has no viewBox, so it triggers the full sandbox
+    // measurement path (transformMeasurements via the iframe).
+    const largeSvg = generateLargeSvg(5000);
+
+    const result = await page.evaluate(async (svg) => {
+        const start = performance.now();
+        const svgTag = await window.loadSvgString(svg);
+        const elapsed = performance.now() - start;
+        return {
+            hasViewBox: svgTag.hasAttribute('viewBox'),
+            width: Number(svgTag.getAttribute('width')),
+            height: Number(svgTag.getAttribute('height')),
+            elapsed
+        };
+    }, largeSvg);
+
+    expect(result.hasViewBox).toBe(true);
+    expect(result.width).toBeGreaterThan(0);
+    expect(result.height).toBeGreaterThan(0);
+    // Should complete well within the sandbox timeout (30s).
+    // 10s is generous; typical should be <2s.
+    expect(result.elapsed).toBeLessThan(10000);
+});
+
+test('text SVG with Scratch font produces non-zero bbox', async ({page}) => {
+    const result = await page.evaluate(async (svg) => {
+        const svgTag = await window.loadSvgString(svg, true /* fromVersion2 */);
+        return {
+            width: Number(svgTag.getAttribute('width')),
+            height: Number(svgTag.getAttribute('height')),
+            hasViewBox: svgTag.hasAttribute('viewBox')
+        };
+    }, SVG_WITH_SCRATCH_FONT);
+
+    expect(result.hasViewBox).toBe(true);
+    // Text should have measurable dimensions
+    expect(result.width).toBeGreaterThan(0);
+    expect(result.height).toBeGreaterThan(0);
+});
+
+test('text measurement via sandbox matches direct getBBox in parent', async ({page}) => {
+    // Verifies that the sandbox measures text the same way as the parent DOM.
+    // A system font (monospace) is used so both contexts see identical glyphs
+    // without any font injection. fromVersion2 is omitted so no text transforms
+    // are applied before the sandbox measurement — the sandbox and parent both
+    // measure the same SVG.
+    const svgWithSystemFont = '<svg xmlns="http://www.w3.org/2000/svg">' +
+        '<text font-family="monospace" font-size="18">Test text</text>' +
+        '</svg>';
+
+    const result = await page.evaluate(async (svg) => {
+        // Direct measurement in the parent document (no transforms applied).
+        const container = document.createElement('span');
+        container.innerHTML = svg;
+        document.body.appendChild(container);
+        const directBbox = container.children[0].getBBox();
+        document.body.removeChild(container);
+
+        // Measurement via loadSvgString (sandbox path, no viewBox → async measurement).
+        const svgTag = await window.loadSvgString(svg);
+        const viewBox = svgTag.viewBox.baseVal;
+
+        return {
+            directWidth: directBbox.width,
+            directHeight: directBbox.height,
+            // viewBox dimensions include the default stroke-width enlargement (+1px each).
+            iframeWidth: viewBox.width,
+            iframeHeight: viewBox.height
+        };
+    }, svgWithSystemFont);
+
+    // The sandbox must produce the same bbox as the parent DOM
+    expect(result.iframeWidth).toBe(result.directWidth + 1);
+    expect(result.iframeHeight).toBe(result.directHeight + 1);
+});
diff --git a/packages/scratch-vm/test/integration/load-costume-async.js b/packages/scratch-vm/test/integration/load-costume-async.js
new file mode 100644
index 00000000000..3cee61f9dce
--- /dev/null
+++ b/packages/scratch-vm/test/integration/load-costume-async.js
@@ -0,0 +1,124 @@
+/**
+ * Tests that loadVector_ correctly awaits the async loadSvgString pipeline.
+ *
+ * Uses t.mockRequire to substitute a delayed loadSvgString, verifying that
+ * load-costume properly awaits the async result before proceeding.
+ */
+const tap = require('tap');
+
+const ORIGINAL_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>';
+const FIXED_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" width="10" height="10"><rect/></svg>';
+
+const createMockAsset = (svgString, assetId = 'test-asset-id') => ({
+    assetId,
+    assetType: {runtimeFormat: 'svg'},
+    dataFormat: 'svg',
+    data: Buffer.from(svgString, 'utf8'),
+    _text: svgString,
+    decodeText () {
+        return this._text;
+    },
+    encodeTextData (text, format, generateId) {
+        this._text = text;
+        this.data = Buffer.from(text, 'utf8');
+        if (generateId) {
+            this.assetId = `new-asset-id-${text.length}`;
+        }
+    }
+});
+
+const createMockRuntime = () => ({
+    storage: {
+        DataFormat: {SVG: 'svg'},
+        AssetType: {ImageVector: {runtimeFormat: 'svg'}}
+    },
+    renderer: {
+        createSVGSkin () {
+            return Promise.resolve(42);
+        },
+        getSkinSize () {
+            return [100, 80];
+        },
+        getSkinRotationCenter () {
+            return [50, 40];
+        }
+    }
+});
+
+tap.test('loadVector_ awaits async loadSvgString before creating skin', async t => {
+    let resolveLoad;
+    const loadPromise = new Promise(resolve => {
+        resolveLoad = resolve;
+    });
+
+    const {loadCostumeFromAsset} = t.mockRequire('../../src/import/load-costume', {
+        '@scratch/scratch-svg-renderer': {
+            loadSvgString () {
+                return loadPromise;
+            },
+            serializeSvgToString () {
+                return FIXED_SVG;
+            }
+        }
+    });
+
+    const runtime = createMockRuntime();
+    let skinCreated = false;
+    runtime.renderer.createSVGSkin = () => {
+        skinCreated = true;
+        return Promise.resolve(42);
+    };
+
+    const costume = {
+        asset: createMockAsset(ORIGINAL_SVG),
+        assetId: 'id',
+        md5: 'id.svg',
+        dataFormat: 'svg',
+        name: 'test'
+    };
+
+    const resultPromise = loadCostumeFromAsset(costume, runtime, 2);
+
+    // Skin should not be created yet — loadSvgString hasn't resolved.
+    t.equal(skinCreated, false, 'skin not created before loadSvgString resolves');
+
+    // Now resolve the async load.
+    resolveLoad({mock: true});
+    await resultPromise;
+
+    t.equal(skinCreated, true, 'skin created after loadSvgString resolves');
+    t.equal(costume.skinId, 42);
+});
+
+tap.test('loadVector_ handles loadSvgString rejection gracefully', async t => {
+    const {loadCostumeFromAsset} = t.mockRequire('../../src/import/load-costume', {
+        '@scratch/scratch-svg-renderer': {
+            loadSvgString () {
+                return Promise.reject(new Error('measurement failed'));
+            },
+            serializeSvgToString () {
+                return '';
+            }
+        }
+    });
+
+    const runtime = createMockRuntime();
+    runtime.storage.defaultAssetId = {ImageVector: 'default-vector-id'};
+    runtime.storage.get = assetId => createMockAsset(
+        '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1 1"></svg>',
+        assetId
+    );
+
+    const costume = {
+        asset: createMockAsset(ORIGINAL_SVG, 'broken-id'),
+        assetId: 'broken-id',
+        md5: 'broken-id.svg',
+        dataFormat: 'svg',
+        name: 'broken-costume'
+    };
+
+    const result = await loadCostumeFromAsset(costume, runtime, 2);
+
+    t.ok(result.broken, 'costume is marked as broken on rejection');
+    t.equal(result.broken.assetId, 'broken-id');
+});