From b2465e7c3023c5b2a7656ba75c4234a62d13f72b Mon Sep 17 00:00:00 2001
From: jason yang <jasonyangshadow@gmail.com>
Date: Thu, 5 Oct 2023 08:44:01 +0000
Subject: [PATCH] init push

Signed-off-by: jason yang <jasonyangshadow@gmail.com>
---
 .dockerignore                           |    8 +
 .github/ISSUE_TEMPLATE.md               |   30 +
 .github/dependabot.yml                  |    6 +
 .github/workflows/golang-build-test.yml |   23 +
 .github/workflows/golangci-lint.yml     |   27 +
 .github/workflows/gotest-coverage.yml   |   37 +
 .github/workflows/license-check.yml     |   27 +
 .gitignore                              |   10 +
 .golangci.yml                           |   62 +
 .testcoverage.yml                       |   28 +
 CHANGELOG.md                            |    9 +
 CODE_OF_CONDUCT.md                      |    1 +
 CONTRIBUTING.md                         |    1 +
 Dockerfile                              |   16 +
 LICENSE                                 |  201 +++
 MAINTAINERS.md                          |    1 +
 NOTICE                                  |    3 +
 README.md                               |   30 +
 SECURITY.md                             |    1 +
 doc/apptainer.png                       |  Bin 0 -> 57745 bytes
 doc/workflow.plantuml                   |   45 +
 go.mod                                  |   46 +
 go.sum                                  |  124 ++
 internal/cgroup/cgroup.go               |   60 +
 internal/cgroup/parser/parser.go        |   75 ++
 internal/monitor/instance.go            |   94 ++
 internal/network/wrapper.go             |  135 ++
 internal/push/push.go                   |   38 +
 internal/util/util.go                   |   16 +
 main.go                                 |  335 +++++
 storage/diskmetricstore.go              |  609 +++++++++
 storage/diskmetricstore_test.go         | 1571 +++++++++++++++++++++++
 storage/interface.go                    |  177 +++
 testutil/main/main.go                   |   29 +
 testutil/metric_families.go             |   41 +
 35 files changed, 3916 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 .github/ISSUE_TEMPLATE.md
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/golang-build-test.yml
 create mode 100644 .github/workflows/golangci-lint.yml
 create mode 100644 .github/workflows/gotest-coverage.yml
 create mode 100644 .github/workflows/license-check.yml
 create mode 100644 .gitignore
 create mode 100644 .golangci.yml
 create mode 100644 .testcoverage.yml
 create mode 100644 CHANGELOG.md
 create mode 100644 CODE_OF_CONDUCT.md
 create mode 100644 CONTRIBUTING.md
 create mode 100644 Dockerfile
 create mode 100644 LICENSE
 create mode 100644 MAINTAINERS.md
 create mode 100644 NOTICE
 create mode 100644 README.md
 create mode 100644 SECURITY.md
 create mode 100644 doc/apptainer.png
 create mode 100644 doc/workflow.plantuml
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 internal/cgroup/cgroup.go
 create mode 100644 internal/cgroup/parser/parser.go
 create mode 100644 internal/monitor/instance.go
 create mode 100644 internal/network/wrapper.go
 create mode 100644 internal/push/push.go
 create mode 100644 internal/util/util.go
 create mode 100644 main.go
 create mode 100644 storage/diskmetricstore.go
 create mode 100644 storage/diskmetricstore_test.go
 create mode 100644 storage/interface.go
 create mode 100644 testutil/main/main.go
 create mode 100644 testutil/metric_families.go

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..0b35429
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+.build/
+.tarballs/
+
+!.build/linux-amd64/
+!.build/linux-armv7
+!.build/linux-arm64
+!.build/linux-ppc64le
+!.build/linux-s390x
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 0000000..464fa00
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,30 @@
+## Feature request
+**Use case. Why is this important?**
+
+*“Nice to have” is not a good use case. :)*
+
+## Bug Report
+**What did you do?**
+
+**What did you expect to see?**
+
+**What did you see instead? Under which circumstances?**
+
+**Environment**
+
+* System information:
+
+		Insert output of `uname -srm` here.
+
+* Apptheus version:
+
+		Insert output of `apptheus--version` here.
+
+* Apptheus command line:
+
+		Insert full command line.
+
+* Logs:
+```
+Insert Apptheus logs relevant to the issue here.
+```
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..202ae23
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "monthly"
diff --git a/.github/workflows/golang-build-test.yml b/.github/workflows/golang-build-test.yml
new file mode 100644
index 0000000..1c4540b
--- /dev/null
+++ b/.github/workflows/golang-build-test.yml
@@ -0,0 +1,23 @@
+name: golang-build-test
+on:
+  push:
+    branches:
+      - master
+      - main
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.21.x'
+      - name: Install dependencies
+        run: go get .
+      - name: Build
+        run: go build -v ./...
+      - name: Test with the Go CLI
+        run: go test ./...
\ No newline at end of file
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
new file mode 100644
index 0000000..7c983b4
--- /dev/null
+++ b/.github/workflows/golangci-lint.yml
@@ -0,0 +1,27 @@
+name: golangci-lint
+on:
+  push:
+    branches:
+      - master
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '1.21'
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: "latest"
+          args: --timeout=30m
\ No newline at end of file
diff --git a/.github/workflows/gotest-coverage.yml b/.github/workflows/gotest-coverage.yml
new file mode 100644
index 0000000..ac1c21b
--- /dev/null
+++ b/.github/workflows/gotest-coverage.yml
@@ -0,0 +1,37 @@
+name: gotest-coverage
+on:
+  push:
+    branches:
+      - master
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  go-test-coverage:
+    name: Go test coverage check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.21.x'
+
+      - name: Install dependencies
+        run: go get .
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: generate test coverage
+        run: go test ./... -coverprofile=./cover.out
+    
+      - name: check test coverage
+        uses: vladopajic/go-test-coverage@v2
+        with:
+          config: ./.testcoverage.yml
\ No newline at end of file
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
new file mode 100644
index 0000000..a61b966
--- /dev/null
+++ b/.github/workflows/license-check.yml
@@ -0,0 +1,27 @@
+name: license-check
+on:
+  push:
+    branches:
+      - master
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  license-check:
+    runs-on: ubuntu-latest
+    steps:
+        - uses: actions/checkout@v4
+        - name: Setup Go
+          uses: actions/setup-go@v4
+          with:
+            go-version: '1.21.x'
+        - name: Install dependencies
+          run: go get .
+        - name: Install go-license
+          run: go install github.com/google/go-licenses@latest
+        - name: Check license
+          run: go-licenses check --include_tests github.com/jasonyangshadow/apptheus...
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57ee0ac
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+/apptheus
+/.build
+/.release
+/.tarballs
+*.test
+*~
+*.exe
+*.tar.gz
+/vendor
+/testutil/main/main
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000..a457343
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,62 @@
+linters:
+  enable-all: true
+  disable:
+    - maligned
+    - interfacer
+    - scopelint
+    - golint
+    - dupl
+    - funlen
+    - gomnd
+    - lll
+    - gochecknoglobals
+    - varnamelen
+    - ireturn
+    - gomoddirectives
+    - godox
+    - gocyclo
+    - exhaustivestruct
+    - exhaustruct
+    - tagliatelle
+    - wsl
+    - forbidigo
+    - makezero
+    - depguard
+    - wrapcheck
+    - gocritic
+    - gci
+    - godot 
+    - cyclop 
+    - gocognit 
+    - maintidx 
+    - goerr113 
+    - errname 
+    - nilnil 
+    - prealloc 
+    - ifshort 
+    - nlreturn 
+    - exhaustive 
+    - nestif 
+    - forcetypeassert 
+    - containedctx 
+    - contextcheck 
+    - wastedassign 
+    - promlinter 
+    - nonamedreturns
+    - nosnakecase 
+    - gochecknoinits
+    - goconst
+    - goheader
+    - paralleltest
+    - errcheck
+    - thelper
+    - usestdlibvars
+
+linters-settings:
+  goheader:
+    values:
+      const:
+        COMPANY: CIQ, Inc
+    template: |-
+      SPDX-FileCopyrightText: Copyright (c) {{ YEAR-RANGE }}, {{ COMPANY }}. All rights reserved
+      SPDX-License-Identifier: Apache-2.0
\ No newline at end of file
diff --git a/.testcoverage.yml b/.testcoverage.yml
new file mode 100644
index 0000000..186cc6b
--- /dev/null
+++ b/.testcoverage.yml
@@ -0,0 +1,28 @@
+# (mandatory) 
+# Path to coverprofile file (output of `go test -coverprofile` command)
+profile: cover.out
+
+# Holds coverage thresholds percentages, values should be in range [0-100]
+threshold:
+  # (optional; default 0) 
+  # The minimum coverage that each file should have
+  file: 80
+
+  # (optional; default 0) 
+  # The minimum coverage that each package should have
+  package: 80
+
+  # (optional; default 0) 
+  # The minimum total coverage project should have
+  total: 80
+
+#override:
+  # Increase coverage threshold to 100% for `foo` package (default is 80, as configured above)
+  #- threshold: 100
+  #  path: ^pkg/lib/foo$
+
+# Holds regexp rules which will exclude matched files or packages from coverage statistics
+exclude:
+  # Exclude files or packages matching their paths
+  paths:
+    - ^storage/interface
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..008eb93
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,9 @@
+## 0.1.0 / 2023-10-01
+
+### Feature
+1. Add SO_PASSCRED verification
+
+### Changes
+1. Removed most unused code
+2. Add new ci configuration for github actions
+3. Refactor existing code base
\ No newline at end of file
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..8d65dea
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1 @@
+# Apptheus Community Code of Conduct
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..4d218d9
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1 @@
+# Contributing
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..4e561a8
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+ARG ARCH="amd64"
+ARG OS="linux"
+FROM quay.io/prometheus/busybox-${OS}-${ARCH}:latest
+LABEL maintainer="The Apptheus Contributors"
+
+ARG ARCH="amd64"
+ARG OS="linux"
+COPY --chown=nobody:nobody apptheus /bin/apptheus
+
+EXPOSE 9091
+RUN mkdir -p /apptheus && chown nobody:nobody /apptheus
+WORKDIR /apptheus
+
+USER 65534
+
+ENTRYPOINT [ "/bin/apptheus" ]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
new file mode 100644
index 0000000..7af87e3
--- /dev/null
+++ b/MAINTAINERS.md
@@ -0,0 +1 @@
+* Jason Yang <jasonyangshadow@gmail.com> @JasonYangShadow
diff --git a/NOTICE b/NOTICE
new file mode 100644
index 0000000..c5d4190
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1,3 @@
+Apptheus for ephemeral and batch jobs. 
+
+Copyright 2023-2024 The Apptheus Contributors
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..96990c8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,30 @@
+# Apptheus
+
+A redesigned Prometheus Pushgateway for ephemeral and batch jobs.
+
+## Background
+To provide a unified way of collecting the Apptainer stats data. We plan to employ the cgroup feature, which requires putting starter (starter-suid) program under a created
+sub cgroup so that container stats can be collected and visualized.
+
+To collect the cgroup stats, we are planning to deeply custormize the [Pushgateway](https://github.com/jasonyangshadow/apptheus) tool, tailing features and adding additional security policy. We call this tool `Apptheus`, meaning Apptainer links to Prometheus.
+
+> Note that this tool can be used for monitoring any programs, this tool comes from the development of one Apptainer RFE.
+
+## Features
+1. Disabled the default Pushgateway's push endpoints for security purpose, so users can not directly push the data to Apptheus. Push can only be called via internal function calls.
+2. Added a customized verification step, any incoming request through a unix socket will be verified (Check whether the process is trusted one).
+3. Apptheus can manipulate the cgroup and put the process into a newly created cgroup sub group and collect cgroup stat.
+4. The only available endpoint is:
+```
+GET /metrics
+```
+
+## Workflow
+
+> Note that Apptheus should be started with privileges, which means the unix socket created by Apptheus is also privileged, so during the implementation, the permission of this newly created unix socket is changed to `0o777`, that is also the reason why we need to do additional security check, i.e., checking whether the program is trusted.
+
+### Apptainer uses Apptheus
+![workflow](doc/apptainer.png)
+
+https://github.com/JasonYangShadow/apptheus/assets/2051711/b33c5f20-a030-4b91-a6a7-bc62fe1fc6b8
+
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..553d692
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1 @@
+# Reporting a security issue
\ No newline at end of file
diff --git a/doc/apptainer.png b/doc/apptainer.png
new file mode 100644
index 0000000000000000000000000000000000000000..9903e6ba8d8086d805991771a9d25480e403f421
GIT binary patch
literal 57745
zcmdSBbySpZ*9JODw@3-n-D7}AixR>}H{yT-lF|)Q5>f(^A|Wx--AIWb-6h?vbmzGT
z)c5zE@BLz}^Ve}LVb(J<_jAYI*S_|(_k+KJoD?251vUf%!IOS0t^|Rgkc0n&m{-9S
z6w&$?@Qck>Lc><i!qUmi;H51@%D~*f`nj!vKJ5!9S|eLqO93d<((Jjpt=%g#Zas@v
zgtz!9!B<I)RWxk>T!&l%!#Ku8s+yXP-XcCVZ+0)gc7wc~se_v8CHb%3;$oQ5<3Tre
z+<_V^agvt4Z^nD84ySU3jH|flhcW^JixVlUHhLdQ&DlJd{0+2|&7H7(9Gi)lxwI+q
zq1_*TEzu6PGI8b2?;h`7FAp2DW<IcZS@FJmy-etnpHEa;`-`G{;l}istVd@<&Xjde
ze7cP2`ZZ{)J#TAuJVIej5w|in-g(dZ<|eWA)-8oX3e_)nsa;}-vqpv}6z}N=EZzI~
zB{6*3QXmE&N+;2=D8%W(duDCKnHuNW!bU^H+rg+C@L=-V9lE8smJTLMe)SF34?!}v
zJOj2OjW1^Of2N>LmW`0RyubA&oe2x)7gltaWn;M|Mc@X0aJ1ypP{iXG8tgHG$^%z@
z#Eb|ApVYVe&`}hTtwM;Iyo9mLNlC^gf})OJX1Bj#<9If!Qdzhta94AgSL03#5sO9v
z=Dh@2^TwG^tRi2(u+;uo(--HYp1;HQo~G|-Ku*%mX6@8x14ND&LS}V~Nz1^PUZXIz
z6-`>(-)>qvD0aInBs8ELD{fS`4|mS9TYw_Z(=g^R7~z;kdGLL6>DTkZ-~q|@7RxI^
z&ApK-6fYzgIp^J6$`shI6sE$zHJLjYe|qE-v;D)EooS8I?$!VfZsPNj2eCaLsDtYY
z)pN5@!%|AZBT^4A=g4Y(Q%#@KzKEhS?8dD5pe)BH*VaiU)aYP`E^`_&NJ8dSiBXoS
zrhqfN{!Kj~4{A5dlNrUE*T>%$br#+2e-}q1s^b=4Je?iq1RG~b3$udz+#5YAW!mu6
zPsTBRYwMq+DaYrGCV4wcr4AgLay~gM1h}{JE2g@uv~4qco!#A^RU9Oe9n_JNcOHkY
z&t>2J9D+mkC=VmeP;8&aank3Q2BrD)q;vdg%iE><RP^Fw3dsrDaQXEp1ny@!t(peN
z+VzOC=*cVyu0d-_@*ZuD!|^S1QrDv?cZR%n1tKEH8!plJ4c}F+DfqI}!!T@*BF~3!
z-X<5!6o25fhaO<LD*##c-Z+CiFMEprbaqP=0`Y)Ii;Jl^!hgnNIjRhdpF_o(uU>f{
z>doox&G_CsN0Gg|`#Pyu|3eLx2Z39p#KbryCxHe;-Vm(^m{&<FJ!#Xc#E8>bC5t@_
zUJ+sn`d^8qEj+yXoN)WRBW`-mdaXMAL(7u|?#Zt0*N&Zs@w*crT)LtK4VjhDfG0vA
z8^qGM7cU^up3z8Ghip(fvRz#1`g0-9#3=)Zj9V`8Y=k3kPA-;bydhS|=_rD&LdSIz
z;dlbM5hpKl=-QiV+`3<N$YanNGz9<n`f$r&lNh4=Jjey3dz9oE7c}zY@zK{eOiWDC
z*`FdghN_O&zRa*e>hi1hC(h4K*Vox6S6-5gXTR)9;7CA&WC!%DLn<qiv*r=Z@(H;@
zLPab68L+#Coy782Aihj|4pCdL&CPr00u8S~vR-%zdbs5-fq6=YbIu_i7a4YuB0tuM
z>Y(I+NEC!Z+?r4wAg9_r8%pMwaO@Z?qA}_5NVl~r$N?46*p(d{iEpq9I!88L<|mdc
zcIrnJ+gGO?o>*dZcah*h=Y6LT9v^OfjqiW9yx583F?std)dNv=o~nqOUeQ-y*8ksc
z^05^r{XP}fS#d+D?#aQX+{!9U6?S>E6Gx1VC@_!XZkTL>P>T6@9h-91hDn9vqFq63
z6Y@UEt%4cr+|PA%GPQcU;>jSjvnTkLKQ)He-S|X!dAV-gVr9>i9?BJ-c<oSK80(Hm
z<QVaTvooX&tmZ+Dh6_syo1Y!7c5+-Sf6<}$x(>YltTK7mW)ZD!{eA@srKsE9+3~38
z*+F>X>%BZ8mYUO{TKuzlXco2Or<B6a7XzxpS7^=;48Pb@$^0yv4H2DaowX(CXnPu)
zFmZ>Km6eXpsxwYPl~mf{Q5e@#d(jiib;;oRhmURw?R2M{A9i8E!&%Obh6eU0&mpRB
z-@g4hwC?}<SZ>R6Nm#56<<#$^B)On{eM|V{rdnQg6d4iG(=0VExF$F9VB*H4VXm%N
zumpHg)w^qlTW!_CE+W?nd&=R}&iy%qI^Vl5H)Rh0mid@|<);X%T+O0|#wM0A8~OOu
z)HyVqv-Ui3>4KonxI@XJm(nWXXYstIBI{pU<~fbWq$7H}NPclZd2N?41!^N=1a?bw
z&Yc-U`uGC^O^+sAZsJo3Y_EM;ot>Fc&u(@=Jf7f>pBcy!6>u*8Ira6uVS<x=_b0lC
zyfUeuKj*+t>Fi2Oho<A=nvQnJ>jJj6ML#d>tcNimY|l>{p_ON6`{9mRiKjmobza*&
z5Q)-8n#28y@Th}>>w5>-kq-1B#U=yxy{TiT$ALIF@_CxuA)WDGuy{Z0{5h>ughBSR
zWB)sy;^*pg42`+AN71>?hcg^HlF^)+Vl@G|ww1S*b!7V7lO1J~o;tB;Ib0Vzsz`o4
zgOE!Qa#*i6W|4D+8CQO3{Qh0hn?!o=JY*{t7M=UEo31UAo|;TW!!ZC(okYQOwiyC-
zig!Oh*3i(n4|7<FsCGMDtTJkPSKrXEP&M#bcGNLU>G$-Hj{eNPKTjvo1REi9=`L2*
z7?`-Y$v8UXhR#!-@7#}{&PU3rSG#UTLR0o9Cll6CgkXaK!oObfI%&TJ+klBY3L>b)
zqG^Bn<R<57$aa^zn;&AClIs2j9yD1!OEKk^dVpix&Vc%{%kGhZxVT=6+^>-mACm}H
z?iyN)`oQ{c3?`#kn3(CRSyA0_T+~_@e%cb>KNOwcq@G^oFSK>CU5oIQ7vbLt=9?I)
zKF(JNhKV}BAt&#`1wCw_1NqMxre&g`HCqM|CauRwJQ9ww)MWH>Ym8n<A8mjMALv4t
z%@0`e<T}H)>7CB01nrZbE_TNI$t9eu{V2Et&wOIJiCHaCY+ll;=7q!$OKX<hT_#Tb
zdBUMQ1#7)6%u@@;lLK`cw{n8<Y!>;1Br|w&+67XzP}Ln8x_U(?^VDAV2~=4|6t7`z
zwGFq#i-)@98m+rzfa7p9GI~>A-zTI54vOB)uRPV!eyHZOOJhX3M|gisS;aPi%*WfC
zQoz<1G3oA}vZZQkon}6i`z?sv#z!gVaz@>i;e&Nd*;Rwu6%W7F*PoxR>j{0ank8#>
zdpuhDD`l8{mdUvi353OKkkrX@xA)=Ii}i-C5rbN;>$SDQ?y1jS)Us@J9mHvO{@xgu
zNm$Q0=JBq}L(GLaq3>=8-%i5GqVIbVTsk$r16E2Ap`izRqvvg+!~l@+g01HsFZ<#>
zRZ`Mo)sdK|ijq>x(UQV<SQ~3R-iuG=)f+C{ci$^YG%dM~3Po%89*i$W=YBq4vd~I0
zlGX)@{k}HtM?iD7zA`|A`22ZO4V=Nz@#G{!nbf1jg-+u>X62<s>B~bMr25owHmkHh
zzTfAG;=Vg<crM_yHTI6m$NjL4-Q1{Ii1*cqSx2mUcjV)9B`wp<XNCG`;}}ckb?aDT
zjQkaG@nh1c%ZmYfHPNljMiLH>=ngssY4UY4!t^KYQpu)5++D+mtdw@rM5|@PMoLVJ
zY)-+Y;Y`(00lSr6wgiD)-ubMhIXT&6^|x!CbaZrhH}4%Cc74f)pC%Q)%S4*TKM$kj
z+3qUeE&60DBO{c`o;HW7UT;CW)?6J?9wDJ*^*kN((Ng(;EX`wisi$!AY;S&U&SiBF
zFDNL8)Gf<qp`CALCUydVAMn&7Lul%JOk-s99x#Akwf>eN8y_*{xD8n@VWD~*5eIWh
ze#X}8e_^U_ECcVuSNo;I<Wet#XOW<XlIf7!!zdW}zDDk(^gjZo(3fz53b}aVW%0{E
zCiDg6*6!+lLt3Jn9XQ`gyN`W+Pv6m;XBNI|vObkdPUN6~x8i+;UAa3w9N*t!x03pp
z<##+Art&ZbhtH*zih+T_!ZIo7w1qp(BA3ZFw9W{?%X9=ru7$)Jl|?xdh5wJC_<xM|
zX9rE90cjA(w>z&Zr`J>0WG<};YYhUXamh%|I{3&U{S0M(jXK!2yl1*(GKUK@<6lBp
zFNw@0R^K?q|CGg1sRdst>MA_}G>0vu+jXR9ajD!2I$3V@NC*vbgVb5{e6Q@htD8@`
ztk`-!*8OZdaYhqTm-+Y00UAXwJF+$NKEf@kcLzH@@-@D}sGI8k;@p$m*vbb;*DI~H
zFY7fN)S{5V@8u4V>SsLzyGm})M@wJ5z=Y^tvpl`3i^ge(xY-MvKDLG2Ak(geXk39k
zTi#HDcu=4XK_O~&O6met#E?&tUw3glNb>t5@u6stbj5#sQ`1E1CWIN~_lGO#s)><2
z(L>JTzax&6kDS?Hzl>1oP<b-23$8%wrZh|t_fn$^`}w%8+`4kFj8Phi%yq8dvM(6q
z07*TweGzIV;I{{of7Y4&m$&|oSqHnK%gb4!1lDu~5`+fkUe^GwL0s|w!^<f{k@J&n
z^>(?_qg|aaMy_EQPgAquLJ3!tE0B|5y6OmoeespPM>wgd9;Qz|+(BOd1iKtubLC@H
z-OerOK!$Rf6~rh!G7=4nhU<Mf%M;vfrD6>@<iSm6KX7xD=NXX{aBPSu3KUKI3LN_e
z4lJi1?C}A)Bij@<uw9KmJMiwFt~2m84)7&C@THMZ@U6Q^M9{_>W@bsdH`~kn(D~-9
ziXRPjRTD`Nu%b#d<haU+=vaOm=BH_f9kEPNP65`_>XIhtWKEIk%J&o{RjelbpR#`B
zV3<IDc>F39%_Grj4bhn>n)v>`(x{w?3A;ff1$C14L1b9$*Ed$eM)e!zN!OwF^Ymbn
zOQc}iPl9Zqk%@`&h}z;u{(!`6(U-<SwTjbUjh61N3^1hex}UkK%V-ixQM+z;@I5Ux
zBd4SstF&7U5j~3`3G@8OX91U#lzjXcb9eh_HO~gdvM$!_w$;KSdOX}k!DG~&t_Zko
zWsYW%uX_0G45cG))D){Aowbb(+s$j&u91-N>NkhJe}CP8*FXzDP^WuIrle5lblhRG
zdT+#Zf5HVyg%)4%;jW>QI9zu3Mm*SN5A$gU6o`jt&z4fP^KNo)h{(~>Hv-Yr2JoXj
zP~#i5uro0!DYb}e%=P!L!|bag92yx=Fz`9q*|iGwu@EiT`N_jYhRS>XED5aK+|+{h
zoCpxd+nx?&s=}7M5ky2pY}GFsu}vgM^KBM8t70jgh@#Zu-xN~7vLu)E-F64m5eNhh
zDd(qy{O8{y1|s6G-MnW;J4t@yMl(aMEh4Br=JuOj2FajLC{BCBhHSF-G8Z%dhBVUk
zw{ihh5suYYAtt1yl9|pKuaEZza-Rt@FuXBf6C2K}J&QFMR;{*Kl#4>38uaz`J%bt;
zJIzgfeG?(#vX`yze&bt!Q9;_zwec@(viKgoTw29bIYu%LN99?glED-MIZyYCx<nWl
z>N!}$_^j?=81P072Hfh57nIsOIB<-zo4_I;3=IthK`I+wtwn8ke_4iHT2>aZ<B5X7
zTJ3)BCZl}0&$Dx{uR_wL#aV#qdrVptO1`5Ojt!V_oW(;<tSN~6TcMfif}GFw2t0gz
zu*V2hhAlH)UD`J5X3Gr|Ex1W%9KXJ-hEIEYJAuf7hk7`J1--l=+x1MWFnQ6_Vz9A<
zgoJa78e=4nO3lXw1o&09q3(w`1eHG`?_4J)7B?=GiQwko2rurcDx~3xtCEL6c>R}B
zH^^xq0%8@C?~jvIwX<2IiS_aQ4dO+etl_P_nS@TInnf>r<E7ZHw(IA2JWvr^@?JO`
zHcXU_x#j648_Sbn#{6hP+$dL-QH6*e3kxd(USdL``9V2N&X_kMZ7BB{Y%L8i5+^4o
z&U(uN4g*GheogBmZJClto68&9Dxr_Nm}lrHqkWb#T|cb%!C^~?kLMz=UmMdbTxYGd
zG$dc^Noh)Y<cCiqGFD_L-^#6#?=fHtZ`B@|sCHSm<>X%3;v7Bg%hRdVYkEh;Z>`@L
zKmurtzQoVj+S;?-JP8SjHy8v_Wh;X@qrP}Io4w2?sy=w>Lp8J?Oo%7gE6urX6%-Ui
zbar(?xw&7uM5+jer48$)j*V$Y&EH>cJ)~roi(?($hi&@W;ztfdXtL<8^WP$k(#pVF
zMsV($X4dT(Ic2oBKM4TInR^sQH1{(ZG4@I@Z{{{&|5?B`A|i-un5tTpDm!@1$24j}
z+xl8LgJExceSLwOi=1qH(|@mV0y071)Vxk%#l<|Of*;F{rrr=#+AjA3k3h$xumzd>
zr%xXH%uS8_&3&CLwQi@*0&@T}zBe@$J=@M4h%n|?wV!vzpL9F^<&8zuEYkZS>8?Dt
z>;W|mjH3t{U%uBXag-nf&dY~wFjfC;gC9<8w<!N&7H$=>B^m%PTO8n3Zs>6A@~eLl
zbG9J*YSdLE9KLuAHOQcPRks5$SN&guMj&d8v7QiI4x!5lK>r);%9LSDbZcuX1%}7H
z9efao(7^<Fk%Rj>u|Y179ql)=f8csr`sB9Y?&?tDLy-rMN|mN4cFYMUA3&C_gHQPG
zC`FC*pnG5$^`=VuFdDb0VMA__T^;}g@*O!Z-4{~`2t)+qe|U)tPOBsZ4?+Y1?l+L%
zFY^ky6br4Zx>vz>^C`f1(|^Xu`W=F%Y;5Ndj4h%2!c(^$8&ADJyn0mgjdK_K3i3-r
z-ySI2y>lmMnC%fZ$7JU$Rl2zq`~vI_BnFb_m;sCCu0Gjn%gD(1`t|GP<|Ya{?vF~l
zER7blF)iBhOzqdMJYxyME`^1KD+5_Wz*6=n-E}yl#E6=kn-4adXq>!zmzS4S<+59`
z-5MNhwx4w|*MSY3z<@v!XGx#~K%kla=0_v!ymPd>3XGgXE!$|arut(1^RbKZDapHQ
zPv)WX^Yc3Hr@JX3BJ8AXpRkHeht>eF&xL`|q?Fp~ud4Yq<iOm#W|jN~P89*z#wHFp
z`~CX|y$INge*B88o)jr%(Vm{3h)<k>la+R+;1qzTs}x&KKO~)7odm$Cr>D2r@lk4d
zw9G>O<2|n1w{LTDnk{uFspo1x=jG4#r_AXDZb3mqqm!kUgB@({&mi?~XMIvsNT}-h
zH(vnQ!VYVcrX09UL|Pb+Nur=S31MM`*RS^iuRlHBFDifV<VlcP7{u;i!e!mSz+e;8
z?)dC@efvW?b=XS#{Gw-*s{F`8$H%*O?=J7k%FF9iSTo_YDpD0cJl?PvE8jfX?&@2X
zm6L-P8-=;5@fd9{bTH7<!yTv5GQZEr$wB2=G2T-Zr^Fg!+<DRP7Ks^E_!Sdj3{q<4
zqE82URHabiQuF9QcAseEfM=@b!9k!t7|eN^_v{NZanIIRwadP;J@C~#PFwn<i6XC^
z?d|tAXPaO!*zl2xm7(X!Qc4It1B2+n6bfnFT|>Dt^KqacI8E34q$N17Afn;#)zu`j
zwnbha#qrzt8kAJN>iaA!CU%7iv*Md#iX=#Mg7^%v=(6lQROnb(($dr44mJZK)hZks
z2SgKJvyLGhcP>)aPx!{Wva+%UG~KRehl>%PF%$g<3E2#}MG2}@c2mO!o)*27b#gic
zn+gD>!OJ=hH`DnbuWAcBKDRGTzNoKJDh)M|C?e*L0d}Auf3;AOK&WMZ0#!4h%I=$i
zI!LiG;<G!OY#8>wVU|GU%G<hCqX}jRr0%I>BkWm?>j$;4(pRJCXlOm|g8+%!Xp|NA
zK$ztOLGWyDPCrUcT3S&gB#CLIgKsh@IC#9mhK1lW0zn061){CBHI~=(JIA)bRjqh3
zGP3P#wKD6a^5&)d;@+@)@4+idXm^-6UjzCyHKiLB6&@We<z_Td<y1WQp6`WNA)4&R
zd(~M9RQF~Q&vw#4Tu}cZstyuRtPpi0nlS5yt?fFPsys!9H?yXa5`6=|9J;EotAOZM
zA5)pQklR$<6*r3bICz2r)#LjnAq3vN($dn<+LJq{Fk@0%htkXx(_qZ1z=c;2yEHEN
zdmRTnz~*@Gm6le5+tIQVwUf6*^RpiJCe7IE5vt$$i^Y3PcKk$7#HdpT6yFnGyH>~1
zmeta;qFrP4G;8$P7kj&3BfOlPL5-$Exg8(3OSiHIub2!(KgzY*UmGXcqgpCns{uSM
z0$y%O7ylsXWn(;bu1>Ao_tkiZi6r-7smE1@ISfjj;%?NA87tB${vc@;7Z(p*94)s>
zQP7(1{KQEY$4#B)y<(ibwPS+E*dQ!&?Zwty3vrnHe#iK5<~vZ?(9z3?)S9pF6OB6h
z%miVs`vMQJ+MH?Z?pBBzJW3ScVsA~OEl!RTuw!Rpn%^DLS^P@MrA16aqN-MjGP;%$
zptiULj)>=*L0eS3sQZ~8&|oa5uUatSHqB~bu;Q}llTS~ByfaRBxwp6X9hD&9&$YnO
zPpo_>C%(0RxVv7lm;k5+mQ@ZzZ)`=Vs<1Kc7JPLmPyO{>BfLyr?D)j``iD`>qaCvm
zQ&s|rsv^r_eEPr#j`lXD9)R5LyrHRSad9zxQ`r9J4V+5Br@pr;2jB8~0Emvnkw4d1
zA-P(I3hc6H>wIt2BAlz-YW90eI7_0-S_Ke03zD&jm^Y{x!CA!Lx1tYRTv&K%XsApy
z@0J1N@$Nf!^}geh#_?HD?>>MH4P>bUJ*7otnjSdup)>PTs?9sKGTUZwdO*n&;9Z}r
z75%;N^pfvwNko8tesMot)d9F$oGlkGz)MT}38}C~YN)38VQXryzAb*qt*<Jt1+Zdo
zZ5-CeKy;0WNO|}tzSbL);5){>sUR+F#Y<Yl8fF2!PYDKR3RP>NU`hQN_SCMhM%b+m
zf}|lM-(nWztH(dyJ#e`6N8UGJ^}B77i+@)SGLBy$l!OEZ;$UOT$jCTP`;dW?=n618
zb=+(uOZlbX<$l!~;30skzVicPW6dhZ+c;Z3p;6mAJ3Hz+uS@FBDxSmPa4jt@kdN?(
zfLj*`0A0kmKRqn-o8<)mqpVSYPod#ifbu<jcvW>O$9vlG;VPtL(2>9RR-g69*jSmx
z;LkGn3menlK;o?im`g(@g|JHVjFwa?uMJ(6bMMynHb}B>Qc}i!_@JqvpzwPm9x~fC
zyd?x?1OO;aajr-UxI?v5`rA&Fb9C*<G<8$j>2zViP`XFH`Lf1A6*h}NUoNgc1@@gQ
z@S;N(*!O8+4}X-i59HPr_@)v>g@`LHT|S8SDHD=A94cMr;t)9Y(iOc5BE1eZf3SUe
zwJH$EBft@MJPOAA3tpO9Z7BUW`7p#)E)p)I{<a82<g^>Tu*>o4UMdii%B&$8(9a&J
zhhM2H|C6m=<m-TLY2aP59!MfG^FlHaJfIS6@c+lRE=bA+qxh57gWMhBQGnD7Vs2cd
z_?x-Wm5!S;0VEuNY&Bf9m|D{Zk^*2tQ#Mue2>YKuHh22u)6&u`CTpH?ZeP!pM~6Ue
zfSW-Qm1UuJz~>LQ7ePc4U}k2%eY?j&G80LtrbPa-u8kkCUq1@;rs_Na$OZ=o%Suac
zE)%i&hJ$jpcGCr?yr6#`Se8SuO$<fA4P<|&j&7EOWrA7O!I10sjefzW%<>iw0&%Xl
z4`b(yh>B)sWxbZS5i21=4)HLogDvA%evwvY<eHwq@aQafmWqvom`AYx>_ULF79?$;
zW)M?baej7u_s$)YsS1$yfvkTSA8Y__Fo3QiV3#^)ThZ-`C1%6d?Xe*#5GX<r@VZ+(
z)Glo3?oUXFh{7WxPzBLE&c06Aj9&pepOo=Add6(L(r#nwD{m1N6<7`GpIy5layo7U
zfmo9L*<n!Ddj`IAc}x%@aB_c6?5FS$71+%i6vzWYcOw#W0MuC5=z>#jC{?0>As<~F
zv`2LBKR#F$v4-58Zsdn~^Y^v?ehb13xHmXEB%%G^UglH$aLK(~=7sf~Fnj%D)G355
z2B6!%$nmnST<nL(!~q~fI#;-rfg7qbO2YuvCMY!<rmrcwvT^-#x=VOkevA;@&ImT;
z28VkP_*IuKJ1|c7&32gGO208B1f7wC0|$(0f!sxwTTltpUNi_UX0;vQ&l{v*B90()
zxW$8fK?pWQ2&v&9cc%&y%q9W27A{^D@doeZ)IBD^HXx^XK=FI_&W{%1GKCD19X|dc
z1?c#A$hREXkVm%TYXjxAS$I-P*%`|V<J=}5Ou8{pm(xnUJ$ZiSFw@|l^Rx^f{KLfs
z^y2l#SByrPwW-14@ywsM;i8gEttg6;RY2I<;Qg~u7Wm4^;Wir^Tgfj_b5c^vo+jkY
zuc?%<va<Sk?-fWG1z(L6*Vot2HiZDLS8CXm@Iu%jzy3D+W}6~NaCA_9Z>r@C0$^Ci
zQnWp*SQZreB5NU8B5<Vi)zdt<u(j6qVwVFVg2c)(9ORU(=%}dT5)ydicT!VR#o;;$
zZvR07>iU-igtw2BfEJsy6uoEku{9Mso5L8Gg6}?X-5+<z1A<QV{sfFci2y{cR7{TE
zSb{(sNA*f!Ndp@ey=UF`uMJ{JP27dKSTa8Yr*J@F`b!uC;uy5TKANQtWj_ME6r`Vz
zWQ0HtTJ^SM1u*^R&!<6F!A3Vc^l%8~q>dX~2cm$gmR6<i*Q@MQ_snhtws92g)On%=
z1_VTLYCbg9iqRxIZ3-)t7upoJvf2bl!3Nm8wo}&EHyFx<ftU@Ajfy_PE_-j$>|eIW
zh#`<Nju@zpYRZIT=}O2gd<$TADM%UBQ@Q7GXAo@&Uz~jN=My!oZ2(XN*W!tt*fz0I
zAmxy!0TFPM$(q+7XX$Ki*430z*jvr3eW__rwKi4}j#PSfc5H`Wnp!O&5Tx^nh$I-y
zM`|AZOXlIJ4=`FrT*^GFw-HZ^jp!`wmb&SpRF%@?s4^dPKH$s`2f+$~flv8q=j`;D
zO_oq?PG2N@NsflzS@2><Tdb^UTi+TQ7RnS))ImJh3FC>8CY@A591OIa8H=h-^fo20
zLcQ-n&oxUAHcLMI)pE!a-HwcbCI<2jBQyg<=4Wvu)-H5(^g>R*u{VXW?460jsAy=4
zY+M_c8V!MXf+~LI;>E5+1!5!zIodO4iLc_}Lej7INKfAtfn>hPCk{JKYE;T*{5Q=e
z$lDt=AX}>>fOG_e<Q5JigpU~zzEcGW?xA|C$w&s>5F>%R9U2tW$yr+$&g~du=dpFM
zV+?HHX8$Ni-qr}5L`X1P)vN0OvT>tF`uRFPSYYM8E67%e+dDg>Fa#aeIENh~bjpiH
zc9(i)yFordK(jVn#9~0ksZnPl05#x#wLVepAW(Dd=1o}G$;rvg%!|@+Nu{R=^Tu>-
zdow$$L+ijyq~1|#7QB!EnL^}%3L87S$#9{8uCA`RIS?%x{E1cvb6l2^{4|!qYo=pv
z8WBE<Kob5BAqDRghsRnp<nYCv`nQz2I`t!OL4B$h>l`#p*DG#xGi@k6ut;}C3NqMd
z|1QXsF#JQ1Ih@d6M1U09e60L-);D^<Jkw%95D5+mG5nI?6sD&20kPaO_VCdo1_lNi
zw}WXwa?;h5=K*sCV8BvF2n4mhx9{Gqjg)Y3907*O@+2lSF7AnhE$y6yw?*Qn+?=K!
zRf>sCPC*>y+pY9@W8_Q$*z3HR6z>Lc;9`>ORy8C1P_(*0<Qsp$<S!on20ipkFs&Q9
z40xaTgn(}>p#m}7^mp8-2H1$iR0tdyz~pt|>>M1X0H?htDv=<Jg9Kqupt)Rr1^@v>
z{zsuf8}ZZ~ptz`Omq!*xUUh$9p|=^22eG69pZ4ei5%_&7lXg8MhT#8K0dA*#@7JiZ
zvNBW4jdiBFjFxEJe+55VOdWqgyOoH<L?~+38+C!(^t`T9y!@14<J3?<kn=NyuK>*h
zB!1Q=CMK4amaeWR9#>F+nA!^4U!R=JQqMcGXWazJP+M#!?Kqu)fOB&w-Q?^2_-l*h
zH$vXNb({;60-|o~Oat%<Aj*(YQ&Uq=#70Jz01a<Z)-jGD1gZ0gy+Ic}Y?1#Sd~^R-
z*<>NT&Vv-~TDNCGl_-f7E!~G!6}-Y_>>S9>p_mwxaT-(Ht}2zT1YzK1a-DC~j*^p;
zNjTJsEhZC?GAHMqJJvuLM%XWO#=|tRC&s@%+bEgaS?&uF-unU2&!_xBq?NT^IJ4}^
zj{=6aUZEC5M}qM2M~j*Y*TXF`9aph!hl$iyx?JswLJ;33PZs!q8fuHamN_R}{CQen
zU|lS6>7;xtHsNU`(taUNo|LSG@cJ75OCstF2dzu39C^(Q;VklQD;a5XgjWu=l+@Hn
z2?>*e+N_w)PWLDK7&T+thrzs@!YFf?b8)}YVlY#V1L}E`&m3S2niC^CdjNeISk=8(
zS}$I_(9rk+kfkNG0K5MeIF#AhS<`{c#=@UE_ypGhTTK=tx_*6WKog_{IMn>ssX$@?
zi2`uapQB~#AOb`PHw)4c2|4c=t$1oPGad9nGxNcEL0uQ<u^><QIa!<7IRDt8OKtTN
zfPf2$DB^v1I2kCM#=Qw0STO`i(T5Koc6w9O((<$`-t!W^3!I*7-;T{>k$J%X!e@_M
z`8EH6<rjx_<}zW6i7M=1lzsuyp^H<yL9iag8)W!jr6L)dlLIR!??SE9TXR{>pk!jq
zukw9fg*=VK7O)orp$$k|Z-iXjeML=qU$t;{zbRyWs5Ry0?H3K%nnjNG3+*33Y)NVW
zG7*q|?YHKnwZ>aKt9N=~*;nmG)8rEY4cN#I4NYqy1L<s^CKneM5X2dAN{#zI1N9h=
zzg3<BY8v;<V!CCTd$%V42v-l?qSc#QS^x+qN4f!}SyNLpGI*V~9c)gsQr|T&@XJT(
z)Dc2i1M*Lvv;(20wXKbSN&u9iXp<s620twBmdHg=4iJ`f#;mk`^*#QF-qkPgAV<#%
z$pbz7GX_r!zHhW&Xhl&`ms%08#f0n69|b43RYCWOG2wgl&vvT`E^A>@s0UgP+qNGF
z3UN<4$3;Cl>$w@s{lq_IK%Cle<Gw{(xzqN`cmX?a+MKT-;Q$tqnJ-%QSVo4OoBOk^
zmevR$F`Dr}TYcFPTfk%2#(uFa%1TNqG-Osw1O5Q!ji1*G!SY4`P0@^XhRMk-kTetJ
z?|@|g@Qna}y;%u<z)=K2lCuKPIYdF`)6v$(!N&Gn(|5~9*C^g;;Ao48Ny<(<=kDht
z>uyVnn!}f7W<Nn$$Vp)pqPn;sa6!nC*qPwO*7<9+jDYg~21vw2x0)F^ual6>f3;yl
zFL@2BdWYubIlSMUPMT=kh3tREoZPfj6^T~5XC>kt2S)XM5_2s(U$pXRwKFdhsH8MH
zc!cpzW57^RQS<L3jPa|uXe2}^<-^@owZ8pJS=xQ_E~;@}xVdOcj#W%E$;%`PW4>rW
zfb}`%MC9N#t<#?%T!Vk~^z^*EcC+7uA965d8YT=42`E~tNc9WoWkNA_pG>S0xF5U`
zO1JZHHBUft{ee0Q`lWX!&TQWs1IZpedZg*x{Yk9#RB0|0czjMts({sA&nQyGem)81
z1%}${e5W|J{0^!fP>gGj2J*aV3qVInX?Qg#=D6&y86YL4baNH5%6UzvxHMx=brDQy
zpwfbT1mJ@E!8FF<9&IVY|J$sVyk_ys8OC%wg?_{5&*@;{(+fGxuG-bkkq98NI%#Lo
zpjVWEShmfVYN>6l(j`PAu`13+D0#UOI~QQm5fKqUC5^`@!S8M<xF~I?p}=Jv92XEH
zWfn+@DDl4441i?NMdZ3xvFN<J(iniOI04-Vz{%G7rs5u8-VP3yWLm45yt6>ecU;XW
zWB)lhn}U+`p?k~zaBCh!j;$m=YHK8(Hsf^*0PV(zWpdUO5E~$&0Bz4nA4rxFOnzb=
zKu{X~;$T5a<~xgAyN!)aQBl$ITpQm~_Z6TX?Sbe)jMSC#D9OoN@ML|m!;ym3xag%|
zm8>Afn?=ztz-s*gFl(V#e(W1+z-Iy9tG1rUuC__P6JojxG+i2j0iZ$6nH?}Zm@Y?+
zFiZ$Zwo9H%f0u6eT}20f@E0foH;Y=)<k@+2h9G4Aq^#fWLQ8;fgtSL)Zf?+$$i}wp
zLk9nJzO>y7B)l-q3`0M)zVnks(ZbK{>A8j^dmzSawtnARBmzkZ4XjUV0N^;l86RI?
z`;~s_)fD;(amuN+B!J+mAnyc@54!hiMM3qo3WFb%N$@Z+KZ!WafyiC_Jq>{XO;?~q
z0g7REoSnyHg<JRKC##$Qa)KJlW^p?dUKNAJXZGVkn?3OV>({RvVZxn21hnmM#cyG)
zI+zLUv1k1%is+5?5C1eM7N$df`-Qlpqa(m`<AkaKK<ou=mmWj{O(7bp(>bekI=8sk
zmjSZI&h~arR#siH%bgnP|A#NEN8yrEEo9}@XeGV&$ZP_kt@K4>Kp+{k^-U&-iMqTX
z)duVV8{(j7$5n>~${;K>lIM!U1$urO%t!?w%d>hBDFyW7ZYWXb1GVPh;Gn#`T<2tl
z3>L+y`1%Q`2}5q({;t7q(hHL|c^l~={nhjrx%<g1&GH?yq1<ths5!4!@3Ye=gRURQ
zlc3vb?_zh5DUz;z04)@`-(dHE;(qzAG@vvOEWjq_`j2ao5EJuUge9_YM>fzw^6BL;
zDB^&Wpgb(u7NogbTU#62*bq~%%PB&HzXhvkYiolN1jvNmo&v#&@^@zbpe!_u9tTJ%
z4DQ#MF3M=XHI1ck0B~uksjM{OSbz2dDLn|F*1F(Bx~~F9LtefVMgA#S{6k6kUtenA
z{a=`<9vhTNn%7om9%bOi+X4OKy<eaJC;5RZo%xR#lY#+N)q^>95UA)e2&A<dgVHLS
zsHjfR)$pr-G$R1n%lM$09wM~W407T|3J2wRtu+R3D^oKH*H0@!&GOc^wmU$1tT|p2
zq>fexJ(6l~(DB^1!V`mT@~w?p)aID2<M)39kkrU}i|y}<ffg0@3C#__Az*G*U$ni4
z@}B=|(9r}?0V-&szA5CGe{Ip9Lp>M3^devFp{$vinW7>gPNjt10+vU@?eBs&flWOE
z@|}e1`RP6=FLDCE`~`wM6Em}~j}IP|K*XS<+J|o+q0cHoDqI8N24~j53D7!%Z}Qau
zoj&V<!Uf-IZLPw8WH&b77Hz1n@9phvyVU(0G?H_|4b&Ten9|J4%*fcy|KGAK4Q&y6
zm=PXb95#Q|E1%O4RVi_COe-fe^p1^;w1n$kBo2Iv30K^rG)h2z6#`OZ{JR1IvDY2p
zXt=?SVM|1S72wM9Rul7o^e18w*{DO|6g2FN1D+o*<n+D@pKAqLz4Kln(eQX@8EDSr
zNh&3WZwVPdNN*ek9&ZEMLbM{$B4!un=0Ig4Eb@bZoe5x_fnRzD0MP`18bTuqlxqRd
zBS~s@QBwN~<O6Q7Cno*rpzv65pJwPVsQ`ORnNCXN5F~@|(}-v4dk808w}V$;%ofSc
z=yT7)=vF7HkJ$vDRoZ?Ka=HV(T4(u|%wGg}R9&~@PsDvt>^!kS6c-nN^CKv-1t<(W
z%kg#8)G)|;ouZgjKGF!-f~M|iP%k9e^Lqp;OW8Rl23O|G=e#wJK;`$uDwg9JA~khm
zQ6p2k#+4r^7l_01PJ&?7&_uAUT>Lqn_TJ@|whcf9U+vFeK;>97znB<cPAACnnyg=3
zTwHq~<QC<OM6&!J&GTsg51-)BExrf4bM@-gxn2GUMCleM%!qd#RGh)R*$PYs*lS)r
z&MKsozMX3_7@6zk<psE%&lHG3mG-|VNJ+m_4CX%j*yz-yicdHGntg7gRZ&q9@O{Qf
zb#69+MI=Ghf90d=V^1_te)5=2OcRdUeq}FV^+KAJwW}h2^E!72@PFk>i9pg!mqeeA
z2U;AJYTJNO75w@|C1CsGivtwLL^Vpe!)hLgaO{aNCKeXx)6$>7T19~_<%2^OF$e;x
zH(N^&yOMq92Oi_zJhxpAI*p`pao%@}N}n-m{Xbobpac6#4IpEia9-t-Y5&NV2S|pG
zj}Iu=f?A^?&?Gc{nwuYEZyh0LV3Q0=SD-INrIkUB-6m6%n}v^$Pf+j}$PHVkO15rb
z*)FF?b^##s(=nFKq<k3jo-&8tV6mS?vmIc9>FW^r;Rb2fdT%V(S{2af0%~2&fgb#S
zRbJ2m0M-b)u3nSuS!9LHO2c3{SXjmY%K>%Q@Zq;v09N?eZa&JeB$nuR5cG6xkT#Ip
zZJHnZ8}NX6fjIN>D@bjMje3$nH3`t&{x{a2*!`}3W|Yc$JW-*4{yGEjg|b(pd;7KL
zry#9Z&s}}MPs6eapdDm*w@2`qA`;E6rd%ovKobY}2Jx`+{5L`R&zT{0g#X$E_)e!P
zg7I+WtP}uEf4|D)?mDVSy1dl>?3Js!;z3p!7x3Objd1kaqQT!iV(r`vh|Vm`If0nI
zXJ<k85V`&RCK(d5^zfmL#@(MhYtKmY)T>k?4>lpfb!ll=9dZBMKe(kTV%<6See9-^
z$gi>08>Xd$SN<Mwf>XwSY8?pd8$o8Xf3v#{(MoH;Y8MmT6IKAt1-*BVHC}Wjih^d*
zS@0B2GXt<;;tH^oV&lH+L`0x*+ZUh8dA^lI&C^+<($?73Rp^-GcJ?D_bON;>?kvhB
z;lTL}U%o`gzyO65WIBj84;uD<cS6`wlX7b}d&#|f_Sh(x;|cs-718_$V*CwoCMi-O
zpDQG!q?8}-Iz<keWo!ZXVg($~Mu0~oSMBv8QI>+>hk7$lx4&isa(xh!v9Ym%2ih<9
zB7WEZ8;u9rFA_BR$y-2$&(7u~b)Sz^uXI><JK9+W#LsTISE8c4w^GD(kTW43SXaz#
zJ@%iX+7kfAL0bMk&lx1<aOY(vu*9Xlv@SsX9Mv8-_i2IFW@K{txvJ^}B-|j1&EW9^
z>e$uUDdKigezN}kKEFL(5^wG;C;lxtm9EqiNXz1;=-xv^J5W)sdYi&K3b1=`WneWZ
z9<&K=n3t@m^WPo_&u~rhr2faMBI4Sjp-rG!i6<vsU+@C?kZ~(ME{^lurlOT8igXIZ
zpQmN!sy`CZ!2?btWMs+$TwK3E)i7J`5>+)~opnimPnze|2oDsRmzwHr5DA2I*7Jk{
z%IP0I-h<`!bMwuDio)SrD7O0{*V+tWua@JAc<hp0CD@BY<m_H#g5!KT<?yFC@*R*}
zz>~mkgTN_mZvravGxZ}aMPg!NCta0_5AFPa{R=BIL9$px%QawzDf!?5BvAPXVC>v0
zC%>%(C#|e-K*i@SD)9iufTj?}H`kojk+Jn7i&DMPWy?Au{=PqsVPqk4&z@$sixNfD
z(rfLive0&ACOk>H(~b3)CIBl31N~cN{b3{y*8r50Q-2xsU8ZvvAj=a#&tVd<UCMV@
zhm)H1BugkNhE-8KGNlFiM2W!j&>YQLx9XL!_go4h(U}*s*xev+m5Xb5=ERNQeVVhV
zq_rD~HIQw2C-P=JB>g!L^d7Rr<&m`64pVdm+4xYNj;Pg)IN$?W+D0t0vHc)I_SplI
z<5rn1HXFVJg@&+iG*>xov%*Avf@lJS;h*DQ_ySGw7(=#;)mUC1?a=k9!Qpak?oXcJ
zS~RzGbaZrfe%6av|2?184UT>RtLurko?o4W4uE3-mb69x4)_VzBvb;57h*b~&g`AN
z(gGZNj+z2e`^l+b85>C&f(_v&-+b{vuV(sX-MJ!>olNVn>^mtG&Z#oX2|_$Atu6@p
zLe`*7V?`7QA&iWvz@vbwtY?+uIcJqHxWXtZS_|?VV1_{GK|@2UqFV$_L_ppJ|5$7u
z^u7Gb9#Y+ERf1ppFo%f6>JB%w=HNv!l?<!syX@`+E>$<siwdCQ{rmSw?TsXE=yI~i
z4j-Vh#8E;aHQ#Soi2R-}b_{q-YcDM2dI}`wDpC#sz1fAFAWLQgljG)I1Ko)h;IW>9
z8!=@6;JIygfVKpZh4l1vplIk+JF9Y{FQEO!!wZq&QYZFE@{G<@_?d=YH}<D8idUrq
zTDtQ=vG=kJIco}?m-smICAaFwUC0r}WnB+hAC&ok28lt}(;fxm-JnQxW|Kw_LGB^o
zBByqQ)Qbqt0;lZ-(0DpEH3j+tB01Cx>61A4iM7iupZ{&9@&QU-{sHKkI@({Sp{AYy
zjf*v}j}rtP-l>vSCO2%&w}IO2!-o%n$$mQdavK79lWbkvP51kj8Q8pK{g(=sQDmX`
zf03C~ut@CIC*se8W7(8H=R5u<j2y}{GwZtKg3l_f4K8)8Ezq2A)l+4<bYVBL9WEJ2
zUZ$p|@d1?fj6qs1E$wfTah-j}eSRNQwKBmkFjJ6ea^_H$6&FV!^5E4Jl$4wxKf6KJ
z@x?dyqH3!$36pl{ZdFq&F?2uKl)4yi95koO$;p9E921ijpd|PxF{w11Q&2GhPNm@t
z7y>XqJRBT7<;-Va?&Wn|&(*(ji~O(81M1TG{5bi(mn>c1H+QQq#l<SDOhYB0%~J#e
zY;}Kretsx|fLf?I5vKS82nvf`iRaUPG~C+db;k}O9N_6bbMQFI-*YAbvcWSspZd@G
z1_rY60=un|96;GXx+nA(K!4C7)z;S50&8q&$p6%>>XXeUv-5K}{8uz60XEIGglonv
z)Y|_V0jwR!BFR8pt*Y791i7WnUkXvPr}VoGWNfGTLLLX2H_%prd4OzUyBCywkOChD
z1_+zriCg4d8pq)#po#<-Fpz3N7-!sWm;rs>fYnG`X7YfpIKEyix?Tv0!Tn>@n<dei
z<Wp`COR7Itkj&decfI0or5l+Jo8w*BkqvMxhyt>4|KAGenLA2n5^>xRNI43U-7Nm#
zR`T(A@4{9fhBq_WbLAGt-($FNsQ<N$4k*;c2mgmDfp%JOBb7ebvnod`(2)$<7GHSs
zrCZyAu7Zn)D;7cW0NNR=ub`j<iTQVPhMXkmB|-Mpg6B9Ks#P>Khqt>#6G8tl5m6st
z4U^;<NHcy=g3RX+D2J;1!2r>bkpm5KX>##eB_{LA45~;Bx2XHu<j{-k$!M1#1U>ym
zcsDM-?~3xbP2tbZd>R3u@ebt3kQ?Nq5}El5))%cIOt7dE<P%w-8x44z4B=69FE3Io
zn8NuJKR?Sr8%@E}db7x;@F!0g89?C10Bsgxf7#_wHSrtK&jJ4a#)H}9KS4hNvet6Z
znDG4>v=L||O@I`+9vuTULqQhV^&rxu2W{L~UQa-QJm9@pX&lfTA&~C7V0sr_Ge9c&
z^Ad=Xf0lY-7*l+N|E25UKOWb=K=QKuL*;t9I|N;N13KWA>7-#Q?Ds-%19awtK-`#w
zgidUvd#^_ZfCiSjJRl{$&3$~+5FQZp78UvUj_&P+u0&`h{j1D9CFG+MxO#V74=iKP
z)7|9T-8UVsp&lv%i+>8*EmShiu8LioBbz@F8a;*wJZVAG+X7zPdm@^+uhtm#4Ea&j
z^=Ks?Pg=~az=<2X@7<~+^reE1u7lp{kBpBrwGeZ7!fWCR^WIfGH&G8IHk7XE^S*kz
zqi)cB?M_hi`?S}7O>mj!R>gZgCTlXUhvvs8Xw!Xxx+JF7_frwd_Qv;GRsS=`HW*u0
zMe<6qYU`J3F$Fx(&Eb{J?8t@zm<Q-lFd_NpV<e=8<{m8f9eDTHMRt|4S$P;4vs6c^
z0?%`^*PUafY9<dFZK{uXu|kYA^4t=$JJTj6X>ps1uIY1rg^7g@phD;C?m|J|dwE{X
zQD$+m?N=|fe%BxQ&pA8CJnsAwOrSav<!Kcq<5W#x<HCyaF__2PC8(|T_2MG>$ng=!
z_)c`D)r*!NSfXw<;f1wssRRb1vHT80iBZbQ$EO4vo^v_0&6Zx#UbI<Q@K#T7CN^th
z{3g^iG+l-5c&vRQGfu|@^g-me9y`UxJ<jKR7-hOWCh<!vbqELhB}v=?V?u7uv$T`&
zSDd5e&lyOcqYh@YN$C?N_|WQMU2MuvVTUQt=p&%q1A0SANGP`F#dRK`E5Vud<oIe=
zkcv-zA*N>TK{IQ>x~nPqFs&06i}6BP?yHeZRX^fk)}X>kw+(++&Vks=4Y{UId^ibX
zVq{bZ2bxhlpp5+)%I#P3>2r#QHh(-;W#tSEoe#jqNjs<|J%2SFW3?rqwah$C7%@>a
z_lrr7#b|&I&z;Awu-0XU?JP9_mX0O%{dyHKs+eThd9{j}87FVc#d8cuZt?*|S7OUn
z+`Ho`!2M{x9nyi@N+j5A^!gPOi2@wV$+tNohk9i4;_h>enAhHK6-YflZX!#;z%`>F
z=}27Jq^HCA$JqTKn|WGdq6#W4fR2D1^DahRz??C=$=Hu+3HF=nA5ADS0tBOck~nt*
zZSON-TB`%oL?xFv+gEZ+J(9%sqNVw}p}MqCGzK&=XHqb6P1yrkR1C>YB~Y)t5k!o-
zta)M5Ut#>ZaFc_LX_}RoIF?tFuiu1u(F*^y({|W$B9Q3Wy3kO?jtDP?*-*kq_LqzY
zuk1H0Zcl9G)qnejFl4klB`|Nemg;a}jNa9Y_{axto;pC!<oK2F0?kW$iKSuXgpWcy
zkv<Zt2p*CZ3#I;#ubq;A;he`(Oh&*>4Z_stz9i74fWHIaMGJnm3S~;4_hjtKZ>60o
zlJ7^EY-!NG#{OeJy3SBLqr>A<w;rY{u{YhJq1kG$_}XLBvX%9=Ql^a*@+NlW%h+Zo
z-qR4^As-&4Z8oX5puc~sELxzFUQ~e7b+5T+vg){J9`9*QOl|6-ydZnlK+K8JeOKY)
zykox|s3RL@VeAxwGG-Kpw|3UOqZ6X?U3y4#{GM}N9k3n!Qr54D!`;IgB5o#<FO(iD
zDEI{p9-o(vIGxykeP>)t9rlBfnX~w7H@voLYcrbDZMDc<mf{X4T_qM?fo1#sK@`9J
z<zfA~WC7Uur1wE{ItVnz9a1-9L)u(){X1;P3_h1);^RKCh$^<8;UQJ|6>2-%_p56W
z7t^Afmj9kxk3|#K>xZPERR)|kIHvYri00Th$3+x_IC04|;Kgyy?kE|smtR`s3G}Q4
zZt}+$2CBI~{``EUd$CZf#Ev>~`y|GE|8!?A(~eB!=w}9oOZCn{IHw#n_c6;pjl1D1
z<Fh7)W8A6u=Eb_AH95(pRC%?<yQcRFvj<)09+}EAFeh)us_Sr^>yIYQuM?~c_Br|G
z3EhobaCPpGyl0ps-|Y1lK`N^Ig-cAs?<#zk?$DdXKRXqUnm8{TXerp_lr?-aMgY?}
zJxKiO>Df7JjOFh)3IEn>V9LiE`0n{~MEU2|rpH>$-^W`p<B4mJ>AFlhq(q7bd156c
z7EfQAwYaR#BebY`8Ru<CkGwfqFHS9gf6TL@IwE{gNz885`lAF^YhiIzS9d^oZJ0i?
z#8+PBZoomex~A_v6_U6<r<rruJZfV1#js@*>=FY7&y!$_%FU9)PC?=Y&K)dGg-fRc
zf1$(3a^LSIuDcj{p5+niV|cJ($qZNQJr1pBhZ=7Kf4<$SARg^)XcV+^xFhGKwH>C;
zaMN~o*1gacY~@3Ox%R;>=M-s2)HV~l$KjmX3o+ZCwY6CSe9cP8jcR7~ine|vr9KzV
z5_4Q{AzxiPz2(cLv%uxFbfszkfca#_{eTpayMJmsljqhkqqQf&A!5<Lo=#&;GACzW
zQ<Cj42-OgB_^~}KT5;YWNYlIzlemXHd-iC;|4X>l_5Rq9DlN6FQe{68hxu8ke6E%h
ziK8M2EiTcytmpbSoibwHe(w~F<I&gXO0*ZMe#zj^p5BR97y(=d^G*P81c9=(zG;4x
znq$kNLJlXk4<0q5UFIsHJUoo4%BzVRA-T=BtA4EeFXdZaXF6z7MNZJ|i>}m!#rMxl
zjJ~L7C8l9D+z$AGlVc|X2Wh_Fr6j}HG*5clIPWhW-sT}PNL-WqF0EiHvSk9?sPd7d
zX=dmIr}5!IMis032+b&S8af90%g?2(j(P>#_<8P?uf*5Srtv6vLV{CJRN`;yvjH>$
zkpO_4xSGFL{HXA!VrBhQRyjo1o}JJ&u)#x@_UO_@bz=w?=JUc=I$wG0vB7z9b?-~S
z9~dstY*O4(R~xFD^fFC1m9|;uuMH<vt2B<=uPn8?-eAMrioQS;aALZ)P*u7j<&M~U
zJ^)PJFX0#jeZcxsQ#iIigaJ-Ti10xULxclv9a9I}6jo}N%Wx|q@S@d0f-e&6R=8XE
zKGHm`P}}|Z`Woth$DdtiN1O~MY+YOn`g4s^iGq#!2be_Q-zzU_U2>0dgw4}7zARo-
z(fhZBKBv!0<x$FwczA8j?w?Bpn4F75W;LR!2$Tf`wN{nB^(OgwrVJDT_*AHy3IY_&
zJ!zY}o%LrpT0hbC>-8j7ts~5ye0aEPc7Aj_{*{B=aA|62sUVjNRZi(+hTvkIK2V%t
z>Cz7wIV0&+VeglsFis6l$Q@1bGZ}*{8zzK-@0Xet;7zHk9%{=Bqk7SvrnfFCwK9XC
zre#<5N*O&ksY`UfI{JM|oTtT{Klsh*Lz|9%5jvi$*uVn}_kV`D9VxTjQozQG94RGX
znPYOALBx0ugVhmS7{HCguP}p`BZY$YkJIF&ANd6kZM{bxRyT4}ns05riN?k%FxdY^
zlt!P&EPp<EE?s*VOiTj>WmJic<8{PhLduuy{`}{<x}SD>skV2#8F`~pN8Z7y;OwG0
zCOr=`m754v;?YsX+%71BZx{`-k*M^i@cv`b^NO7j)80sq$bqX@Rbp{z%wgx#1iibf
zk@4y1?x&_tH&Q}?USj6I;83L^{3YyYV7v>FoNOk!5-!jFk;BiIwpsq~(Us33xOJkK
zpM>`IQCStLRcZYiVV9+6c(oizw!Wgw`=h)dg>E)Ma3RA}c=YjmH|7FA)zX_*+HqVl
zF|5H<rpLu$4)vi9IARLH7XkkBQIR3XoA04CRm4LJ9i@(s9~<!QX|Ifwe2GmTVP^Si
zQ5)%fs?;T|G!ox+@M6s|quK=#N7-cP`r$)l{H?k1hu2hQFXsjrAq>9q72{RP8Q44>
z*XMy{7VB^OI>LSwNof_%<ud=At->Nw5t&uSJ6m&5ayonl4`_k2`b=ypWw*SeD%CYJ
zGho35WU!g$9|LBpLq``)Jw27a`QFn})mVC)r_ClICCJ|PG5^&<zj(#IHaVrRmdQx}
zo@?OkMsCSh(g6{vEbESJlJNpclD@@ODGO$Fm|K3xqc#D4In@pu$d*!c;${jz3f6d6
zNbL2A;xbtNa9MjW4m*650AhugEd%l=?!`}AWc2vIye^Cd5#|b#Ai^(c5|V8pgM`y%
z>Hr|fBic(vob`>|OoD2k67R=H7shfCsHYGoY~!)$IsTjFYG~>*St|ebZu>d{pX&Y5
zZg~ASM7IJP2W%u?EL$Ob>kG`%>Z;a2@&9W)u$H<x_{x&vs17dU>`4b-?|fTnZO2$q
znnoJ)yhHTV3~F(vaieh7XN1W;zZ1qk3*_T*%;$Msc|*U_ZG6u#GUMr;r^p8piQ1w^
z&s?n^zwJ+YQ|#_evN>9YFz!oj5NG3jLLs11Y28RzYX^(vk(PO!4_Hi63I_gqUr|dl
zg4eU-BclBY+kFig`La_IlL0JBe)`>Y3m2oI{G|S}Jli$x`Enkh1R~yIg0_d$n|$oE
z4<GVlbEw9b4yt6FFD91BGVp5x<+0GFS>e)Ck>OBZRxa+^n<x6Vl@8Hz@r4;MGUF|M
zskr8ruz&zFj??~((h#)xrp5NKO1p5mga~f!&;(~0pvOza32EDx+MblFXt4)VY7YCm
z;tPRzKi3=k;7L&N%U~6_`Ei6zH?5WU=X<YGy{;~g@Gkc<8TYdq|HyAO;YsXEdzIV}
z!S=!?p_@X&ZbVD@^*l+F<<AWt>4)gZBNy`}1b<|!a*=xUPF_%WEMGJ}wQcJDdYLfc
zb7L<gpQ$!+nVAtvh+?J^`T00HQo19Szn6`TJtT|~{MoL{iS&I|f+wgbS*sg7ziR!g
zhO@CrU2S%o-*PJV5cB^b?XAPAY{GZZrAP=8N{DnQNVgyeNC-#@EV`9WX=x=yLIEiO
zkzBMi(jXuWl7e)1FS^exRK)Lh_St)1=fCgrTfFbgyfaVS&wW30^|L%Q^)r{!qK^BX
zEX~yg)w2*p41^#}&9*?ZEcq*_$qfdQzK?;PA74VmHAk!S!-MS|*=<Z@bUVm~>Jr|d
z(QzpamdIE7YLzEvYgxpVumL1KYt~iZ!9>g52bo+-6YD;+!9u^Bz|JQ=*3w9#2ddF*
zBG=gOJK^2VX(&+NAYd{lH*600(4=uUPU=U7y-I}R<k|QkJwbw!OZ`I*PxG=^FA*6J
zurC}rE%=g~$CWo@f646(N%5nbqiz!=d}IdJ4|cNu92M(LJEa#Qyw9QmXb@7UOL~&H
z1;){E>6f=Wkt|X=?sWWH!AZuo-Yra$TIG_sw7iqG!r#FloHosmgYiq8l?F={7e|J!
zceEF+MDkisW*;krgoLLEAwrxGDYMIN2NEv3gJhe*t$u#iSA4E^HmjBQefbePJ5YV9
zg*sG_3WP{OWR5FiH*RDk8OvyxWrWfwVTt2Iv2nXA|5y%P8<t0j;pJ93>GIS=Ye1d>
z-M^2=bjng?e25b)diCU1=-IL#?N|)GPAKFYa_k!{3hn!B`^{=JtRbj)<sp@C-ithH
z&}`3wrbS>RHc(R?x2Yp?@Jo?fRz#G^knVTS+AH_WbNLy7E7@@qSriq>^TB{6-yU*Y
zYC>zNR=Il{D&7@+b}p_{n?K{SvgA|A@V&aA{U?cIeH)2h@`4R$@?Yk&8(hC4#6<xP
z_OEQ^s}!>32+_S4&!NuFBP&DUFc3{3A_tKEjM}0$Y%5&4$?{q@jx0Q)?=}q$FWps;
zMIHg9^UUz2fBmdcNAAYS%lyt$o=HQ@K>w?RQ1I9<_p7hQqO?yzfA5Q5Y?H$Z2#zFZ
ze;w5PtVn-ZX?+58NW5Ga0U|@A;BU#-rXQcIKX7uAw-^-VHfyjP?lLj?X@e!i`^#h^
zEZ0MA|NgA<XW~D<zUq>R5o@e}L`z#I3sS{jJJKDu=GFB|JX{ZHgF`Z%r&P;$SN0JJ
zus#<su&mjUlNsP|lZ-yq^nh3>=lt_sW~uic<M*XF{go?%SS)1&*yi7Vs<&2(gqUpw
z)gN03oWTE2!~ZGZ35uEY2`Q;3-XD*4sUmC+o)fdNHqS-TLmt0y9%$9M01bO`q)vo_
zB5YijPC%Q8_2FQdQq~mH)y#5_n=Zv-j+yz@`fnZ!5B_=9tBFbwVRWxgbay3zU_wDY
zr0}UvFA$|SYTO`jIn6${e7mY_;L(f|>RpKVRLZ!Bvs@90j`f8<TA|^w_&bT?L#c@g
z;93>Ns=7;UyZ1L0rW(3^Fv9Kc-oQ5q7_MTHiJ`eeBdMp?-I)O5m#0=XFZB0q=%_`|
zuZHm21@Ejme#>0;FLWvhi!zCEbuKHkfl*61Jl`_rh0^g3Mx1Hb@5n^ozH|GhKLK+V
zN$eemwTP$BU{0HyzRKS<nSXpQGEB5@Qn&uGpN5t3@wQwE->qM<P7|wVWSLZ@^JCDd
z;ZSpJkSi}uhB!U`D*<f*muVQM`3EMRr{0`q$_BAf95A+L=6?5WlPyP*LuoClK<za-
zQu~HWX7K0L2Qi_~TnNPo^cJCX46WB4VVNHYP1=dlD>QlSB#1bhuHSa)sw}r#43p6+
zlL)2do9s!I8W`x_m{KrF=d{tEncrFyCx09g(v3<EWh-R0Ers&+NBi|rn$;K0Ch?}h
zx18_&GvG*;p+2BRg2hv$JK35nt8O<!p-cj!5fp3hgLPe)74$rK--q4Czd6)xV$wZP
z_pZgjK%v0!DK@@o0KeL$h$`nFJHdW1t%VE|MLHHadb&~uiA}*5ogt&uI+C&u$%+b4
zvN9a2Diar~B3mPaCuYWavo`4t*<84vMf&{B+Qsdk%q$pOb)-ewfBeTaES9-x@IHU&
zd|<K=B2E(W+vYO^oA2<=W&6Ey&KE#+eUF0eaK+?K1TGH6j!r`5PYgAcvcZDJ9qBt%
zwO`EKr^LjAmvx;=sb#LV&`)Vzi3$`vn#hjt>wNzuQej2Yj7C`SK_-5GbkJhFdh9>n
z&?Y6|CWu(Xd4U)I()NXV5#b5gHi{g2XwsjFYb1)GnyhJy=RU$1N`2IVHIt#Vl%19P
zVl#_Di|u$XsnEUBf)=OMl>a4VHS7Ryu9t2I=~KT>&NWj^rnU>)=QCpa*gKEJUYn-<
zmCFF|>Dn5gn?{bhYw%hNms!_+VVNtPGY^VYz0QTO{z_4jhr88gpDhNucdl#fu7-yI
zZ!%CT493CdC|T(efD{6vYES}Kt#ATdorA5sffBe)Or$^XAhgnH!-Ty>nVi;%)SqI^
zhO|V*6Na_yW&_)E+CIqFch<JeoUMwwZ`SWcN$nqLe)v1sLqvtIcNO&g$vrgv0}9->
zLc?xXu6wQs;V}&6*35D&_U2gxQ_bDhF^gm_avLo)Q8bv|vCxPGJ|(jD%%|X@X5_9V
zTlS{qlY@FVSgV=2p`91Vs6$olDo@7I-WNG<JQ^zgArUrCZaz{$_m<phXzfw9*~U|A
zo_y+sh3?E8USjnRrJ5PBX6>R&!9|nmoARX4rLD3*r|%5kou~u>%>m9IBncQ&G&o53
zf5p*&kth_bavmapxR#=c;ZK0(Ng?5T?gQW~EmuWwZmR$S8k%PyRjV_dK`2qEhqy0=
z$Qh(pho+q|J2Tcr*@W}UvVm;)t5hk~={qbT0HFUtE!P#Yo2rvUf+^2U<_kKN=?j0R
z-2#j&1AJ{BM<4BM4*)bAqTPbO?`Vg{?tSj+fYC>|x-8Y}Pn1&_GpaI3NIem5@+`m?
zvUglI-rDMsUs$j&wo-|3ek3dAOYsJgy;Fd3`qLqN*XEpfk>v=&OCl7!l88ayL<}le
z?+S~OW8=HrS4c@fy!-C$TiG-5E)63R4itu1KK4MyCD@)<+Pt?njYDEjkJ(oV#4(-r
zJRcnj92C#)>!Ep0n}TLoLIk)7XZNZC`n5hFp|lhXO9r9M^{Y5NNec`ldclk=^d$V(
zs)6+DRRvzotrB~)Jr<8!7LHKhscZjwO_0n}JJSKw3<`wDj{(GiGp+MynZA~2`!hUW
z>dUS1GBd>Gy&?p<oFPE|U$_L@{+440C0Yh(n+fu95NzUHS@?y0{qO%<pX(pTnja17
zrdWuj_<!F?V36ld_$+SuDkU`9->)OZQUOtuNk~Yr<L<f<P9O6k@fOGJGBY8ZWTX)e
z!$9^lmhiAQ40yN|c*%}ko}jD;*^AxZtjG5UU#`1+S$nZdoILi@%UwbN*AmdS(==>l
z77ai<n)iVaJaHTrc)L6@v3~6`WONGjYAGDan#W3WZ56_~a`ovBP|Iq!q=Bw)0zl^N
zNx^-E1%_7<76LxCg}Dmswx2xrMhR{Z@c|wfcz2B5arxZ3f@F=<t;b|e>8F5sjY}(w
z&^-f%6VTfM)q)qcz+L71YhN<+2Q3@wWkCb3>->nr<Q$sqfqO|?lI{f^b+a3blBVWx
zicAckugS*T`<$D*zPB+2s52`AAcey&@mlG2sJT(9+P(%BD0uX2r=!EGhIbV}sW+Jh
z(6MkaR)ZrWLF3fjJ|Lw6%!>d5ru<5iHO5oMV<2)(O-Vse4XJ>jYQ!w3Qf%AH%ZrW&
z$bJ2r7&a}#kDttOUcnT_TwtH#LROstmC0ln3>gK*P+uR>nFN<cI-c9~$&*gNHPm_X
z<SPSc>7X$4^5sjwoB$mHK+Ud+&k2wfLF0tSiWVbf+km>m$nrk5h=wMIPTz;>he<9k
zi9sE`T*~5+TMfsui|gr8>YlsT8O~t?R>MhW)g`^8gvS)fq{#BVVtwv|4g&p*FoGDG
z2WFwYhl))Gc++iEoSct<%2FN*-C8c_P>3dh<Y<Bxyb-e&GYfzr)rkXyTq)lA+~^hg
zBm#Fa^FU)XryWFR4?AaP-W+MN4Zt&}XJXRI)xCrdSbx%^&48DXjz7RI8EO!6v$;nd
zH#CEnN_*Oss3IE2+MWH*+kKZ<J%?hZx3{RP2EaCs0|+Q$lSUqDX8^unuXltK81McK
z`jNb6sIBiQbHQjGuK8k-PHqFG9Gwkle<FG6vGX0dB4cv+kVS~KhAKFi*c(zRaT%>X
z5mrxM>>1VqgK98tAMRbjzDyQk>pWOjFBM{{F_i#)2vbT>SWywgLC$2FDJ+7a-h~pc
zwmf>}NyR-wgR^I-I<*|GW>)#wfkrQX_tec@?o(-%S>JMG(Mel$rGt}GsYJkyk)Imn
z-D-6mpzCL4mc$c-$J5+7c{touOs`iAxGe_l_9lg~v@}oH4oL)D*T;qA!y_Z-42~;D
zJx<*`SaMq8-VqTh*^8A)YRt19VIJK%(pUJlw?gEN2eAa4_Lg|qOE=SO*q(hl=&S{&
zWBROBktMjIW@?&o_qwBFh`{slmlB{$8e7hTz@+(iuWz9m<X0b#tXWoUGz11-OW>%0
zKdI5z_gYAMC9h;O4a*d~mgF5L?a>%d&VWLR40(fUoKDfHfaw=)mJYgT1Tc>sj_$Vk
z2h4t!0@S<jt*^7C>ea~wG*wk4u1nE<dcW>)WIk9(H&1K2-^e-@FMSVi&y(XkPMj#k
zca{gHa-KRP_sAn<!UHSpwte-&SVK+ht{tRT3Q1goOkPo^M=OMiB+jaX>{ttIyi(9$
z3Uo0n0$eeK77(yzQ(`RPrj^GEBCoFjn*S0YG#zd)(R$reN0*Khh-J3i7^rk9F0L2H
zp3TV2zA*qgjH;7td>OLDIJm|0Jf83+50LbDiSDEd9-Fk~bOd^_58SgDe6#ibj?|W}
z9exkPhj&D(;b0k}^z`-h-)w<~Y86>sAyLvE1-f5$&entcd_Cy&04qI)*FNJ36p-){
z8mjN#38EkO`@aF5)?}rmmIjNK0L8s|S62$<`HaRMD!D7`nc!Y{A|owLVxHspM?t@~
z%gSPA4#5oI1dbAzkMv7*#PX?-Bm$as;?%Ps{uDPNLz1v&W}PZc9z3J4$jDtFK0C<#
zpj~6v`!(YMHB0+75q&@_B>nMwkP(PMrr~!g2*tyQZdjY7FAjmu5jQ7vhWp$72cwRB
zb>+}iIgL=29l;MDdO=(|!iA(R9rnJ8IDki19}Sx2tc;X9BIt2C9{gIaWA6vj9B57{
zdFa$WlB$y40=o_qxdK<{Rv}()$0H_0;X86=0GPD7O8f#aXg~r2WS5MA#6IvxI8iXH
z4+Th>7>X>@-ocmSDIrX-YwGAf=Mp14YbH6-=paOBoeF0=n7N8BhDPRn4f^}nK<I95
z?JwMmQttgS?#-q6iQj+a8>AZ?|HdQv=9|Q?f_jh}K)I`e!i2nBC(bJIBpwheuxiHq
zz-d@ozkcloo-v@HiL5(P8PkpPx?b_Rf~*c`9XLm^XzJ)CSmZSnLXUZw?l7u;khpzx
z)$`lyYFw}i{S(xLx9@f;_=(lVQKTU{I3PxQ_TFzf04`6+aeLd{1JaDekr?GHR^o4{
zKl1R>%uXXedJ76YF<Y0tV$iAZRRHn2JF-kgZhQttp(Rw+hs>mWVjf4-m_+(t{ID~g
z(LL!uVYz?R!!y3`p%k50#O0l{_gb5#4_PMplCfj(do!s%baDbcXxfyaoo!LQ2}nhz
zkDfJjZcJqie6irPN!IK$?eYYj2E0&}bS$(B(pKG-vy;jA?=roWlrq_v{K<M`VW<3a
zxD@*2;jLS6t<yNyr_P%^ZqW@vk#)FCk6b()PY3)AcZaD{9@9&O;HXVK7yH61Zgjw`
zE*i_HSYX(jc{4mR(`G`y_R9U<TH$DJmOcT~#Xv<!GiqTNyD^<ExqzpT=Z(~e8{K-1
zSOuLTfbmdh71t6GE`NGbXiG~fAe|)M6GoR&p}`Hb`m&#rlf-9+b{gNkwcm9KSX`y$
zj?{Jyk&S&HL@NFkeK)C~7Uf!erOO?vjju>4+(8RHChNLR1fH*u80>fBMgnhjH-F-P
zU*)z?b=X#SYhaNic7e~8XJzn?QkNHY%Up)`{_!qD+$f>lVOlze?4{e}zjxIh8p>74
zkLrv0t;r5oBXmk$WR6zyMKIANeAZAp_<G57Y}A~E$3dDobbj?DW6{p4|J`g`!tQ7$
z)OfE;O)utN`c}hR8>YrFX~icL;ZczUE5{?pMzql;Rx>kfRz>%DdmK;Q!v(B`v+JBp
zCcX)xjQm-oolguGzAK%(7HGtwsyqxoj(DHg(*HTh{djtcwu6ZK-LK^^I(9DA4Gj^h
zuiskCoN%{O{-FGdDkPeSVYjW--{$zMEa#@<Zd|M}!Hi7th7sN5e8O8VH<8x2Z1eE6
z^rV(l$V<fwTOI5@`ymT>W3JcC&CA6{va!?8(sc`Jh1E-dG&s?AZd&B-NbApUxIg&c
zbfUIKwtkk<R=yjEOAB>AJ^A3F7sH*ol_E32Aae7kJzbL8d>Pc@-S@3+?jE%X(L>Nq
zK$(oo{xvz|qvwS)1NQF95X{tRnXOcO?kC$pPuzS;3>06fN~z-$ljG)_n95F6vwi?+
zWN6yyltHtPmw!@nCoE}4MX?!twcF(|C$#uU5vlJT(bBHu1IT+aj~atoF+~z1cUa6j
zDT<z%jDP)!MeAkK^YjoV3U+T&)F{i3oVa1o1fzd;URuY4BQ}<edRFn8Sfsd2>;x(#
zb$m?}oJITJJ3x}c5;RzS(i#D@5B)mi`_Dfo3R@b|(}j!)EDeN4Fe%P3C^z{475QC3
zoqL^?EiK7%v2Pbwjhb&Pj%o>XFLsHn8ttODw$4P3h~{)F>~C|g1T(vbW<L|(uP-iN
z_2+Nmz-d|j&No9X(WM|E#wI&5V(hRx0{2UOczdhh%OKdWOI9fbCpjeF<H#9;qIv7E
zA+i_DRoGq;6u#c4p>TYqb?RmOv#&5fUp+I-zl>SB1dUw8P&j~ctO!bWwF~YE06V7X
ze9__{tJA+9D42;M%Fj0*F8OJ=t}fiEFy4*y%jBLJv4>KZg3T|QoK6MEZQ=`O#Xmq@
zQZ*L`qI>nCZDoENktmfK!90<038GZ{|6yan#=B!a`e1QTsfw~d>ZbD)rt|ErecKo5
z>2UtggMJlydgEE?#ZIBBEt@vNeP*kioO>%4HJA5c_t#MM?e+%>;IPsC{ih^w{Ky(T
z&9tKw$u6<okuNe;vRYxq#*|}p&g;5+2_oY2r$ysNaY}x08z8FRI)bruZFV$@ZLgNY
zF_*=I8YG!TvBT-(s*D{v_~Bs%1qQ;^9g4-=`F0z}akWNbC^8=<;#?KdZ$U6IPGqkz
zA#47z@UO2WIF5!)KI>!LU))R(naQbnF+gkuZEtCrZjEwS4XZBUcIK3cy0K*W0tBun
z>H+eHog%%dK@VC^j^RubC(O|cJ<kMp*q`fWSruEtN#|+hB!xIkZh#^n?=BkYg!fei
zI{$B<_~E?*2NEeh+SeuTv}~H?H1~&L7|fPdPGLDuhe)E9;qXJJwtQTBtEGC1t(F}P
zJwsD)6Dv<Jqfp7xdau2FjqE||8F4xL%<oP1D}X>=GLDC`KzMcDTs>McGOV-jGrik5
zq{xaK40NcnT%k`255M^bg-0ueyrA$hIG?49Q?R!v3DlZj0;@JKqi~$>awswr`E7kJ
z?rvqV{RA%7AYh5`TNz5X7z$QVc!c?b=QwRl3QIOxc7BJL`}L_dJ4669=RgDj*a%<h
zrz53A%ODy)rl8P<!s~M4DzV$!`;%pO-;BS<VoQ;=OEoe_gVw{mM2X=?iS@IdQt^2-
z!4p*hRXo4UoQUekqk5K>!n@aJ0_Q-p$ZFOXt0ZrU?s%Yec;E%4B`D1F?8X&Iyveeh
z-JM+{8zg&)c5&asEQ`WA3CbO!+>l2b;&ol9H8e?1%b<FcOqvqDSdXo3_nv1B^Vs#G
z9d0G)9Q$XN%cj(i!K7xU?u`P!HB#2)SVirq<8xwc-TUNiPmp@#4XVdE_A6sL>4&rJ
zY{jaPmz6GEI77XkBck~=R>!Y9I#XWm%MN$RsDQV%{alG#5HO4A<>YgCeh5pE39t|*
z;=J3Z5~ztrkzgXa8$$hTrXe9oY_EwLem}Oj;`WLB^h_7FhpLZJ4F*foa)&zs!v-!F
z`0kH5Ds?h+1WQ|67}iE&$XuVSN(_}MzUvv&da=19g-Jp<q=WqM%7rs4Ibxdbk4`5p
zDVe6mu{fZ(Dgtk5ZAmj|RRv)IX!h5euFyC=+kLbjK4>f(o5;5oCO6FMklaX?L?Z*;
z_s6$sf2_Z`IYU?|H`OUmeRMdskl#A*g{^;ZylZgK&Yii=xVN1%qdquLkat5+UW7|l
zhqL_9a{rFND~b6z$C(*8-}|Q@VX#7DdDuV<pUQ!>T%<pT-Q#PwQRz^zI6*(cFlup6
zCHHt(7$VL@n6ogRqOh2X?T9eE8o2Y+Y|KJrH7ABh9uG8wvHqb=kKOiSR(Cf6F6}+7
z0vgrKLBNGJIuEO^7xqp!!zssCN8l?cyQ5}(ec1T;ThpO%AB}?|w1nRJCs)<cp_Bgi
zZSyxbZ2>OqR)?wbU>h3V3bnjwZ-H|tFlwE9siwwhso4~Rwuq`n%G;E)hn#uz>lq(3
z_sLH~LSu%?JWiFzjtu*hR5t$SGr-kM3bI;-ZA&>;T!zv>NlDzmj(_2JX7nns5;9(5
zEO$E$yo4l5wUm*`tW!k)g6=u;1=BMPg~2?vAdpqW+?U^xK6{#BF$C6Nw!jcZa{o_~
zhj3-+g?JD@UmXd9Vv88iSt}CsWG*9E6Mb?q4whi`4sJ2&mpz*Lfgvx3WK4G+l!6%e
zrKoVW1U~*P40)6bdkFE^t4O0RWSs06uKzsi-o<17D&jJP=gNiY{ohC3;1Lu9fYSWW
znDmj(r?6h{;T|s(ETG?H;IfM%Sc3@cCGH6zG0proHaD4%_PR{wSe7BH91erieQpO(
zMOm=3E;=^#j0p;X^f5BVoRp8iQc?`Oj8OPJt3qg9&0%r|UFz9$|4t5MxTwdEmBbN`
zf{^?TZNQ_(Pm?pk6oIRR_?`z9uOm!(2;=Zr5RbW#cWCl6-66Sxv2@uj-kI+y64l;g
zHXHPR6A$nr-%dGt$zNjzd;51ZO<fp9X%J{Wl7J1h5;uS7?XECKJ&gyxOEb!-U;OVp
z#5n!6*IsfWA)kd!!+4F|NyUk30%Cp64;M)aO#e_$CX!Ke%XselqxNVRXem2IK2yEX
z(xFswd>p073mSWZPBS0abWZnPI6b-a@qW2mL*V26eG3~KcJjExc$E_Sp_UM8D@i%4
zfy76f*Qrt5pRZdTJQSl^#7V4C#Bc{7R}W~>KQ0uCGsTY1g#0l7+&+%8GT95{GTzRw
z^Yw6=%N9hZ+x+Sk>au(CQRT#Vp!ejsy5!j$ITq<CtMk@6o#HB5S@eEqn1GwW=?>rN
zamVqgZNJtS9KGD0VgERzo>tb9*Ji8zai}FZ-wttuwf)%$a`ljQRy9Z;Jhi#Z6pn_*
zaRUM+KHuXi8d6v9Ov8fWetw9EScFMQq8FPV$3~8N=*j@0lvlRD|KO5+){}Q+E(|Oz
zjZ#Zfi=w@hqF!3%r+8Ztg%73fTn6#L<lop!(}D><8b48z_q10*LBTUyL6Jq!$+SSe
z#9>70_`oeeDU(3E5r|=kKV?4fmQeZV(fB;3?Pr(5AUnHp6V71Oi20MaCxxGMGl)13
zDsF6F5$ZmVpGXp5fie<!2{6!u_Gjr*P|d2le*oW=ei%B&W}MdEysvLx9Dng~=LF`U
z9_w{`v}Y1uqa)xq$lWD43_EXD>E26|+tT%9Rl+24)An=rq%fKI6Y;+5REUaNh`Cpt
zT>u_`VzvWJk8?moqnx>Bfx|*)0+MGoS@gD*+kxvzEUCx(T4YOevu6I5pJHn98#ws#
z-B@0JX(EIomm`Y8#*>2XGReRgenoDt)Qb|?p3U!BE1fjca_U`%r7G%Cw#VFDTHT%M
z5ZhNPeeb*#?90Fes}E4RY2mJtpp+`t!@v8cAaU6|3P&v|pkFF5*G$DJj9F{`E%$ts
zQCi6d1;um~mcjfx-9HjUdds*-1xRe~NapA3Kki-FyYHf$(S78)V7scRRANE=mV|EZ
z^CJu*Hcu?FK+J9lQBvWbp2%U5;%|wf#PMjbpid}n-lUZci<38w9FKBt7e*!F3LHnh
zsf6~P<d3->M`PLsTQPzuC;4SQTmBsV=t=X(L$Fa|xTKZ_HWwo!_;1;5H%D0j;awBZ
z5Vf~Qb9<zyl(^P+@Y&NFcTeXZ9o?%HS%0WRR!evzHw)&i`9UBSL=^_W>3VnoS_Jx=
zt|XHdJSF$jV@_Sj%7~Q9&XcjKyj5O3{iGw{i33==(-jqZ0*MTE(4Rv6T&f9Q6MAt6
z9<Fi>xoG_gL3wri7)?h%zQ%%)@<DeRi0`X_{<YLW-!%D;SY<vj;>xE^%_aDz$&ovO
z>%SJV%b|M3mW8JHu@4@L2Z8PjoDNy^*s{94loIayo;xcX*mFuw<o*wDlf9s*keZLu
zena@YmsMD>q*FL}`aEwGH>T?x&rN|9`teO>Yh_d<dw;Q10&>hWH<xf`#$=foXjz5k
zPPhBD;)*zj731$Dpkc?lwoqV(r>A5cP7?YGyu%}7%MX{Gq0saDB7Vse6=B@zxmM&D
zjGK`bAmA7&H{e~gJHo?%ELdaHp7+e=bCVP*E$bpqZ3Wwv>nU=2Qw=}O3AKbfwuHaE
zOnQC&pvH&5v+VCtyv7uMSG7lBa&3QeYiG#rc)L*FkN&1YofREj#se-TX2BOGA?syk
zg0D3iIu5ouT}xbPlr*Jts!S29e5(#;fWBPRAW0LGOq!*F0=Gj@u6QH`JxR7PXe_~S
zgm<xDPJm@I%les;?5nGRyxy#1nQ9D_j9Ykt%<@J=yyIzl-tNy6eBxJY_^$s6WWa!a
z_9~EpJ9Qk}T(?4`9T)L5lHiJ}5{L}C;cedPq`T{+x8&Lw$oSw>l&f1H*Y<KA7?-7Z
zE016FZL-nBRQg^ExO*=%cCXU8>osOZuplXR0<CB3gW8o^AGpwBsVzJ`O2GN-_#cUd
zpFH_iy4MdoYES&mY4=sWZk<(tCk3bX&bcRl9U+OgY(`hpUo9*5fD#u(IF($JSWI}`
zgGDx}A^o}y*FaSIg-hJ=S7>SZ2yEATeKYdzuQ5X}&-Btc?Y4vb8zkj2y1G!A7=odL
z9*|@&;4eS@s1A*={s9YcwYy_#k2so9TvC>TgLz5aJJf8aQjskyqlvE5O+UNNOvltN
zwY0}wB-Dm`!nd@34;JlsTo^-W<ZnKTT8M|d6XV5`hRd{luw>WH#V#*TX(0OeDwmlU
zze{(%LB^{mNK=iiYf1Qcok#n5t1~k;$6}n!Ot41*Pr;ZY7!y`UX1oCGHJxIflbaQ&
z{)N*QPyLSNkmDFrbr21X-#B#!#w*2u7WQlc#^8=G-#*U2PwUyRoxLU#OYbOpRf#gC
zi9s_@ID3oJgsNEYD)zyA4R8m-sgG3JV;Q*Z{W>1Kp*%+BPm=15dX2?nN|->dX-t{s
za_()1S&N|C8Z_7rg;1u1dEy6Y-0O6=5n{XF?wVNL-!#?SZdd)_u?+wwFUMVej`PP3
z=^CetUQ$QDyG{o|y=b{Lia(Rwho@|9MKGyzlCwP>M@2oI4UhYemmc2_xGWLVFGd?^
z9wwJG6<KAs!V-7tw_0^L!fj()@Q%cdqjzpi`6N+1=(~wYIt=!xgXx6DBSydODibmU
zl5pYFr(2Flx>uWS_=U!Jzlq{p*vWfVJrUmFYAhKi5a)3id%AN<5vY96^<GP=<@g=<
z%|Q-f!r06gLktyD?=;BWrv;C&j<vko4z>eq<vtBoIJH`dzbzXuj(~C!A^=v^Qy%s}
zBKbqM{!t{z#(4-1yx$QC{|=B(zl&t1Hzhwxc<PTMm!O7SEjRLzHoNjmOmS18#o^k}
zmv#a7r%7E}#peCYyR^2e9=nx-#F+1K_|*LuPqa0#ebcbsT}u+{b#E)$g^-|}qbA@5
zec3MQI@K)To<!lD@Eiln<?z%LZFhLDVG>*3<YS{G*F_ZGye$|lu<JZ7mWOHb+!*Q8
zyM~2FLkE$**rzsPVy%;tSPa^3yg%8Ua+6>g-lpyx_sYIaBrum0*1cJq-`IvLx?q3R
z`<sr68>iRS9vJ}{$3()ma3=|G#Vdgy%)<G=trKyXPIsVJ!c^X$l%9Injopo_5v|{M
zECaF5cgF_%`C!MzErM#>B$(xC3p{RSS|0`MtWE{4sctOls-(vLR=E{^i0`XEk?eEt
zh#O`4&E2%#@0^Sp$;IAP_<=WJw;vRPaEb-}_z=d<(Zg-wuC==|a%hYFfM<VdYKG6@
zL=SY}Dzggf&=p=k!hj>c#&F-sW!^~Az#_h<d;D5O_R}C^A=J`RIoANLD=yWQx~r}i
zKp;Q&9X=9R>6}iEzY){Fyk!FTmJ_m7Yx1|Z%qWks-ZJCO?$_2A3w{6i7-Ug8>BJmj
zRU9MFm3pd9#<bjb)WUJJ{QbiiHg=_S-dE?O9#<b`y9&*8C52--?_{}Fy0}+8XfL%@
zO2|dVn8skL)B)|PU+NCs+gIP*vilFv9p@^HOVhMEsX5yoP_$cM19QD&s2=Ugv^ZIx
zH?co7&#2}4)=22pQC@`~F6=bE4kKKrhJNs{{IG*}u_tGyOQ_-;0OJvsV$#{zl#NA?
z<}76ttZtW^9hQqTjg<Rt4yroBU~A$qZ_ajXp_4Pk4Cc>-m$eJFc=Tkd1R1t>OG*V0
zFgrsd#rLn#TshtC54w5Nk;m4d9I=!q)ps^Q*B2Qnsg<sz%{3J!tS{1J%Vy~lbu)6g
zeuoDDvL5qhBYJ@rlHlQ+Y&G_?Bi#F7nm-bOox{0}u*g%+0*D?tnL~7Zsx4oMH+fuE
z+3u=OhFj~khHdYhRP98EQ3$uZa9=I)B6IroU|s~fc?{|_7b{tvPG$a+b+9;y_+`8X
z_x|KsC@oANhSRSB0lbq_WgH&wwl0j6tH|VZwTir{zNr&t#Wa@hBL*<|oPyd1zN1zr
z57u8Uv_Ctr+t>I$xqJl)Re5n$a4Ai$Izk+E<MJOM1VmBx&87RZCjlP!`BbqIb8}$c
zcI(}=vP}lqNw36v*QO5G%0!)*FCgt(iak}W5nbF>l(@oV28J!j_#su>%Fg=+Gc9Hw
zD@CUFjSd}5hwkl!wnZl<29F)!e{peSB<6*9J!_oyf491t<G;A7qmKKG)!C`gjMigh
z2DA&qN14;4Ev$P>Tql@=aZ^w^p{=6Ocx~<PfdA&s4sue!Y90E~8riQnhr2UfPQ%(M
zg4(wzDn6^8qPan}l!Li)BOJfB3B(gAanU=+d(ZZDWp8I!sh>2h-mJdclPDT?cv!Xd
z{>Y>PK<J6@aPGLDlAYN0qVahML|}sbI>NhOQ1e+m9p3Qv*~sx|Vi|Fd*%n;2T08rP
zf&LR~w#oz35|3DXf&(X$&HO}7!Q4&qNcuSY-qf5SVl{srUI~;vzUzf}&q)P5M|u>V
z=92PGf7aSn$VF%E4UK@`YcWn#ra2<iN_>DJRA3f4&>x@T_8&+q>26XE4(cyRtC#_K
z*X63W*j24axKR=c1&#g$XiXqtT2$vtof@)G<y0VPHEc}Q8^nW=aC5tnUf*9^cc@yh
zPyU0$U4fF$j-|`x%m$no$6IDjcEQ2t{-Qh;_RtlKr==}$1Pi$*rQV@!Yl(JufDp?I
zj0}MNT7D6e_bMEiFiA}h{F2tFgPIy0MomNaXoDlg1&<O2RMu-T*bfWhlx(s=2w|E}
z%GY+RaB@!`31^e>%Ew^i#KWeLkRHMxZogucnkJsKMo?SQ^U|EXu1?Rbg1@uMv>Qq)
z$h@n2)v7Fsb>;c^*Y#tIo6PQ6&edVy<6HjEL386UZFgpQ5VI#+<v!4hmvijFCUc#_
zCOeVM6$%HFp=U^nV0xxzjZqDNEiUF)5?A7Ukjq7#veSYSQ<FvA#dD10N{8s?Gg90@
zBlfao_JeVxDECvhDECd7f}HXG>WBb2qYh=8Y;e6ziflNq^xg3NO_4I4H)LNC_*(j7
z+<kNFcSoif^xU(zGs;g7?It@Lg!q32Fp9MxfDv%a$*s_I?~s4Nz!W~_+Dp1H$-Thq
z5GLTmd`-)@{Q1VS%1zmQV}(N3Ww!h7ptwMAu+R^mr+C=%3aR~*3-e4<h^~^?t3MT)
z5=!IrprA+~W;Gq!8AHt^BAGtSermiw%T(RoCM{@fqnL{sM9LKYaoCmP7#?Xzx&C5_
zDc#+3#`>Y2Iu0}_B~!&HJmSj-p1g%<t{U|pz^(HCs%MqZsQXjdLF8O3j{wF1?m$BF
zoN=GzlXR_IynHHwf?d^hy7c`ADCCpT)6X~4rknNuG`s#1^jv^P%>vBM026`PHJ}Pf
z{qSd)?dWK3Z3S)JwlTRiH+mIo4CsGXmI0`YDI_&w)2c#noXDuUN?Vomtv{1_J!pEt
z$Q`e7jZ;Lb9;w-ix5;V<IrIHTQ1*D%p2bMS%{<M2eM6{Ip=gE!#J-V-_G_QmUOZQ}
z&dZZVzF@kx%fqYZyOM0x)lE%ILUuXox|>sHiw4Rpz%p{fQj0;i8PJFgNswocJ4ciA
zg=r1;H;*{rzwwssvnN;9IzED%o3sJvr6F+tps}&lt1__0Zu#fxisOlfQ7n<h{EG_a
zlY6|GxT%5zyn409Y@o&dQR!yYnpHK3XdWe0yV$=3sMM|X>99T8k6KTH+4Lo5?fVxD
z=+AKskc@2z#_3e^>`te*#}pqa=Y;I7?Rx$V)j))2+nqer`0n_%<vsJCFDnm~eRrG-
z%}q~FbcXXbv3;?u2>G4&!sr~mci`0e{wJ@hH{ZQoaoui6D&Vy~JwD~teYnQ&qEcNv
z#{&Acz>9AZ$$kW~Yx}fxP@C8F(~F8b&f1Hy|DnWG>3C3n^$+L=!Vc5Ff!HC&@ve(k
zQsXFSs@B!+uyUdZ&3XU6mPx~74z^3K+Ee8=)T!-$BpBg3nwJ-wGy1|#nHIns+?EQ0
zPxpf0V|zmZp%#6N?PHa^y-+D+>Pz5a4w=)f)a4^rrsRA+yQbyQV-DN7l#3uJKsP)z
zPT}hlI^Ua&)ij6o>NDkBd`=E4byvzF54I15!G}rq*q5AZC{qLRl^sWtin@A6|7Zc=
zNP)rdI+zz9uPE`lG&iOYzZh5y6gRRLM*9|;dd~&qkHuqOj(3rfSB^$9kr0?@5P`yg
zlhXj8Lmc!Kf5_P`J+Hlhg@EH+o(!K6Y;A7d%5Sht_#5~cbyx`6z3@^-;=MiyE{^ex
zEkBuOxw<kl7okxFZz~YIhfaDcrhzcXgJ~u1@RXJZ!d5F2^P>#9-_U>L`{E#q+-);P
z=f{BQWdN={rS^u(4t=>_T3TYb5(lp7*m*1}1a+pQ|Jk5*?k}hdflLmm&+5et*e=54
z)3b(7Ad6c#*kQpb(*rT0Z0sof`#Zrv5~t9!K`m7qb`Y}07vH_E@T`3hc3^-i#v&+;
z@3x(JY}c2b7aK$<w>BE*GG5b6PR=q0wo|R#a|nl_G!f_gYp`iBz6l-s60#@fjMizp
zA%Ilf=xps+Eog5rLE^QGgF4k<uXfq(E-dUN<L5nf|M4_uy(>SRNkcn*?VwfVr~<4F
zjSO>Zht+22{oN&-ShN*zz%05-l9O}Q3JO2*=eU~;geFuTp&9gmtK~iqDLbpBHaG}8
zeQ<jBR0do=;T_lAo#+!lhKcoXzG7p_N=nX3?MbKQ=uuReYir-wgjOsBBKTs>sk4c3
z{WpGmUA=|N@OXTz8XhiC1OF!SaTa!jc?<H;3;8^C7=BoYmv#dXNZylF=t%zlJHQIL
z40gn0taJWD0_+Cz*^kaot%%eebVNz@{yzyhVu5TfBF$$H`ug|lv6#{YLqKg7GVJrm
zfS=J&E&|TKp#QIw=c_B^iP#<apz-P%f96kd;38Ta9RI&9_#%M+W|Z?O{VyK+-`7H(
zqn)R*!STQHJT!;|>pz1tKyCC@al0`q`Vi^jw5(0(GIseakIC5th+25KFfG5v_x(k|
z5d$!Ydd)5?<3-Gx#`S{M^PFt*R8h)eNQ_!s!I`(nScqDzv&L)Ut-bQk#7DiQ8~`$?
zbe4B2r5ALGFl>uIa<zUD%~$N-;GT#wF8;H^skev$29u9u-fAG;YU6-vN~foHuS76q
z3@r56b@1Cj1_szE^N(07Lg5<W?%<-<iU+2>O(Y4%9PSkl0z5A}9dOy#b8eE?w;r?`
zi(NNTmlp!}%lcyVX5hcQCDItAVuL|+`TV1!T=kb>`th0gv-%@iIiM8bL{xx@M^%k{
zFv(@h9hwg}ys#D4Ml+7iAUx+e(!uJu)w0Y#qYb9)E?ws^BjB=<74Zdki_yDGz0HWi
zu|-1Z{6m7tAbfqAeB}G==o+!u;f|8&GMgJOCK+QU2-h1(lzZ@d+C0M2E*-XtbQER<
z9_*&Z@-3|E5%EW-NT>Iba$Y$HFaS>~M!ls2fN`+fg?Zo6aZQ`0Kq>jAe}$dAd{e$6
zbn5OA(mM5W+$q##g0{s%=#s@?a`#hKAD_I{gq363nL8O<1ul-Th!bXKC+V#pSeXm{
zCMiRE1=3FQQ4xO&(K_jT#%Skx7uekQih9fJdvoGkx2Dvl8o+nF2Qa*F+1LzdJ?9QC
z7bN8wv`-KP5R<ChSmj}Hn{y0BTaI1Wv!aoU*P7RUy@QMCW?~D7*2AM;y@p&Q+}tbr
zQ~m7%0NSNsOKQtGTG=#k=}DeVo!@tYo4z?xY-&Mimsm-Y@~v}L2@m5k78>UjdH~(U
z#ke3%u7>dWdSIY=sw})Ft{NQ@a31}7U8zrrxbZfUIoyn%&!LHbyi8_o)TRzxFJ=?k
z-kEUr`0vqocBQV;Hn^vEBDUXGyTBG%fTSU2J6!jzxZkf$da&YtUwpLt(Hmyx>fU%E
zE;0q^`CFHl2fC~0slo;Zi@L+BZ$XN@FW7_)GrBs_2@q3uC4!g|zv8|vbiyYfle*Hm
zImatJq9y0`f=w)I{#n)6rdZLExjoLR@3kTSuVH-ReS|>9&}nh59``b4RLX{h%eO{w
z?M#UmmV)RqIscis^D>(gFP9De55`4BRumFx!U2Eu`^9(ebORnwp}88&5Yl_&!qNYh
z4tscvpsmOww_cKf{&W6ks6uI5=VHnoTZ^%WU2@bg9<Kab_iK4%*bx!LQ*cICd2J10
zeC0@W_nbBLUuw$#uv7}Lh_XTg5>`lj#KoO;U&$n0H_~~kn~e0O=wF-uf5Hg-KPqp&
z2W^`Fp&d%x`wRbgU4ccY(}O6|u!A26pC9IC>_DCDAP-3{j?mgHJq1Y6Tf349B&A}q
zwMnyzF57}14PX2b*AE3c@pqi38$ktScFmv)0eVoadgFoW<P+|Tzx&azAai=qzjd8D
ze-obUPfyppI9w|0^XrEf?J8KVZVY*aM_Pqht0PN75+KurJVyHy)&T}3C{;)Hc_N`e
zZnIxtNj9fTN`V?QJSsn5a!El&M=Mq1`z1&-#=n191{-GCF3L$iR*2;llD!03uKUXp
z3R^Uz!>*K8!XBGKg7hN)MMs0<LCj||eF&>Mw#bsb)H(k3FSLFmtfVMRJhp0=1oGtO
z#rYQXf`)e}7fFa`Zt%PU2`HjxPVeH>!7u*xSO{Nxp~j1#eEwhhT7vyXLE}kLad1ax
z>E3t}PEidr*A%K?Z~}PK>%!~Qo<7^{E^ARY#ez<s{wd3$5L`z`Lh-73KajY}b-u)3
zscshas(|YQ$Zr>d?$xqly~&T+(;$%V6#cNvKHH7!6T_8%*{Q12i4iwUr=ANBwX#$*
zQcG$cdUAlaZ+4oKyPr09iK+;Gv0J}Vff>D&YP>V*@_o!~PyH7O7AfEx3^tuAq94I)
z4%~1xvRP>GntNn+SqozpW^07J9wjU}?N+vL`a51xXldN!(}U4n`l1|JmT~r@%GWtQ
zzc@#^XoYxQMm6w*Z>#{?V;phgE;6RPel=vK)ePL?(pyM30uH-2F?@68vBhv&e#8Af
zWO?5=^t&8R`5!N_VRJ1aYrd}TUoZO2&Lemg@pPS0RXa}ft<cdD&KKQF$IC|S38#6Y
z;r*W$dSG>9M-7ZQnDRy{j-sS&8N)$5j(ShYOnWg(u6g84m?iw;`!Xt+F>QlRV<+pr
zf)$Gyncz}R|9}8+v5}s<f<gG49_UF6Sk2Xw{tTj@OKv+U+3PL3xLQ@{eG&*V;yvsV
z-(oqXV!mV3Z1j`0RKR*32gDPP9)bG0ImHP9K{vk2oAj$D%exC|Ioj~G$@=^wSfu`e
zlupLeYtgGC2K$F=Qr>Pm1xjIuGJ*TiW}sqL+R~j(%A`g`{H8jVS3Z;`LuUOAzjG5D
z@J@H8f);d6!{KmHLsxaNo-7`d{j4Dc&Oj6<nO0l#W=D*VU6+?En!`$Bhllq4-N?-a
z-N&1=z2)4W)t=qM{p54%IEHDBzdc|vKsEFxeKTK-r4wgjjmwqk7k2dOk?Cics7?r(
zp!*SM`?^}ODH}o%o!&y<Q3r$;+@Rm4{gQGB&HxaI3}+UZIgZ#zJ|8uP>u(Nce&dJ*
zB(x}?uvagZr9rtC>~k}=#~+`)(zR4NfbOknmYcwK7@l_ZLAW$FDUlhu=Jp076JSIy
znCS$J^ygG4M8xq+8GUc^Zi3Hz;@`i0e7u&oC3r%KYcbS<qNb)GalBJJ3*i)|M#tr?
zYjuWi37&?^#=R@LE-d*WSh9nk7ME&C@BmjXZJ??BGc>#Wut4}5+F?BlXrU-MQ>&mL
zJm@kjljU$1XHrfT_~7V;>+cA!Ptq?I;Lb5iw|P0Nt|3o?>-_%kCJ~zgh<c=L8e7Fe
zm|0kEn*7=fAe+-xzAgF%q$REDg?m1|K3`+=?ah=X2WBE$YgdM5J|CyV=sR~(M1jl3
zn;Hh^(iPd=RzIqf+`y$`esY40?S)G_e>fIN3PP_tpA2t!E`-YIgB$VaTlo2$6v%ox
zCKMwByq`d8dF|poPIo0WJUQE=n^Dw3GnAI)5bE$jef=h3YrF}~4<D{f&Ew<Kudwuw
z91lb=8L01VXfD|3y(RW7+--|dt!WAGElBP5zzf!K_WrEyQ{sQH{D5gYsv|9{3*#H|
zUtWlAh`L!i=v)21BW(00qJ?g-rpV*W{FcpJk5hLRh8rj98p;fm_LR?4w|eVP$v?DP
zR;dZFs#j^AklxGkZ+P92&mOf+P^|6RWxhN&6=V=I+peT6*jmn$N7=C#Xw&fl2qEB=
zKBF8}Wc+POW*rB&bV$_w<%refq)b%GJ__KACAQq{HxbhQ)Q0|+xmPLoRt_vtfN$+q
zoQKU(<wMQC7F;#CPdx+l`lKR=`#|3z5}PgcLs>!#ZJ4eyRsD3wDz6?pC?FDAs!6#V
z<dKz_H?jGXjV{O=4WMFX_f8_*W#dxFPgNaAI3>c{J~0(w5J-6YG3u-eT0+%x4d1qX
zF~Mc%a$R%DmlX8bl6^i{Nc3Q8sz<EPrD3-gqa~dArizW;Qh#fs(}|78L2bQwMD59(
zhw<ugu%WZJumDQAxSPXI7j4vkhiiIJpX2zJT+kida59>5cjaw5{J}L6p69I*ObFq{
z?c0~T<U9@(bH3~t3Y|?w@Z`g4skmj|&ZzHn&cX1UzVgxM{JgG>+El)5AjyWNZAiai
zvPQ=3o<81HLa<&7%HfiJ5_@BQIO<?3#)AbkGHJF(&f7}1gr1ILpSNVMSgkn?eW7&e
z;9$R9Q#t24*d(^XuT$|Mzu=iq*>D`e(LukBiZYa=j0e`QMH_TunQVJtA{Naaa-P|p
zSp|W;aX_I?!6zU{Nl78V$8QJMOnRsVf%&w>@)ZNE8~6v@BG9SsgNl+%0d+F--fB72
zXjjU5Xthhk9k+8bAb#=Pn!8F>4!f$hBNUouP>n^}mT`c(wwQ(VH^co(1!O0KF-NXT
zvzSVK-cWvut<c<x2M0?!?exzl6u})X;dXVHa1*WEONj9Hf-iW?$n+x^NKD4x*Ijg5
zn!P|I|JJ3{UB<mi)X-$5&4rQ{{3^a|{i4geSp=;mMEo<#zyGWwBO6N7yi^OL;pf-V
z{FsPv*5PRja^D~j<_j7R-RqGl>POU-5Al#st|A4$7>`B!lUWm3n`HdUv%1DO*$ox>
zmvyH44VM1;U$$B98!1H#9jU7r1btzHJn1rH7)7h!pE!QHl!oYr{kuwxcrlTBOLD}>
zt;O#g5`^z5CH62tKdN8EWW@jFb!RFvz;IhJ3;QJ79;3K63c3!^(-L!gfoGcNB)Q3y
zbM(d<L5P@-kb}?NG<Y>>YQ$hwY<|H)m-xbn;{xF2Pm!B+QYbyThbLn3v9~a%t19K}
zr4Y=UCzqT0g?~w45EFT)C^h0h44Qzb%~P6pQ7sNfMRO%-SEf~HhO7Knl5(`H7R}}b
z->k0zN9hAD%SLgve9S#g7YCRK9zl1C4E^zP0X-!a6q<aX>;ZA_@y&L3%sKW%hBv+^
z=2Ey*Hk>_|X6XLKA}NG=<|(K)az4F6`aqR7+tX;{7q$BU-6u9iN<2u}=B~7B6*6*I
z2&K;PX)|q}&FN2I5x{j?H5A{<07JN+kyAENR)0ovvCFHwJFPH`fMpilY`P|h&HR{d
zNj(-#_NLBvZX8^8_lhIUZ_@rwtnY>>##vte^_`m0i-4V4(y{VWkH8s?Sm2|>%KKs%
zDtTDYX$3r=eQ_+#VKuqV*JR5$n*C8YhD={7cI774%9xzv2)-@VNfjL3z_442CCc{$
z>#N!JP(OZ`Y21b&f%hiXI@cZNc~HhlrEtY}_3Dhrsw8C>Yi*$%f}mcLp=1Y7?qv(5
z>H3*xKS}?BAg7Xs%eV86b`0NYyf_&fDLOIh%bnHmH{X!3zqK4c!}WaJ>o2F=S<Eux
z7)Ou&HZ%?Qy5ws8&4pgN{oBsHce8WF$c_l>u-yB2uYY8&`e?;^h7SZW5b|_Bu-yKe
zham-&aQ*<|jaKH+;wasHpMYJ6b@3*mj(0lXvhe-}=!XHrCW+r!Q7TKjyW?S59ok49
z$)I4?AFbqR&^k{%7JSvZj^L?T&E=?H#k?QIVo32{wQ^HN9M`g^Yt~wt`WkGZ1$W<(
zhGx=e4`yd}7L@F$7r7U>@fBGxWL~4K-7*FDQrTF`M;<mRKfy7hxh%qsftZlVA2CiZ
zPvM2>@M=llAA8sq6zr(2E*)k)ym%pN{Jn8EmJ|}ytU1;-B>m~-WH3VvYQOPM37+;a
z?(Tu2UY0m0>P1Jeq_Vinr#$kzyL&*CT_M^FNgPzEKHT37FS~LGA24-(XF6;2ix!j(
z&$6E4wVna`4VFsLSY7}s*x-w&1;>l%9e5F3-6&lG+wf>(+=_sRR-QKBy;8Hcxha0~
zDX`yX-{HxOp5nK{Z(3wO9=3V8uhP+cGgjvR3&9{PNn<+9vRvjw*f#e_c#Hqxu(9I`
zJ2A$$O8Syf3iA%KQoM~M@+c)Tw}Z|c_ea3O_e`#J!{AQAt7awe8}dkKtG4LvV)opF
zhj~l)Gos>tOMTu)gG<Rj_?Fqi3WQbdmc+*P-wnGYTkVLow#O(r_oRS??!-_YES7a`
z+#AC8!GmJgh<&VIth2smy8TYuf2g{8aUmoBLB^#%7+|mT0P6Pdv3{|N<o?h|7V3XN
z>howA38eFfy5B~i!!~`{umlmM{VX*F!j+%b^L0$e1e`K4@GXKKP?6tuS|Wc+vk9N~
z732&u)=xqSj=ELe*w{5<yw-ST2)_AJ>BEBAp9+Y-3v^23Q#o1w#gI2F>t;g5R5*m8
zU<F!uvy&iDl`|0#*>t#X!{c5*0EQ9YYce2C@V2onttE0=e|8PrK~|c%uxDMmEy<H^
zQ<lLPWJ)nBz7~07(}XjV>@Q-6u<%p83YV=9Z?So*e+etE&Z!pIA@QbKy@ZdiZ~)ZR
zYj?Jn>2@DD&HSR&U-RSZJK8s7v7TaNf~|Q}zn7~SJ7wNAcUylYU42?5UA><&(BCA6
z8J{Kn$;VQ;XI0Ea(1Bl^YqQ{~4>V3Dx{3BvqIGWqQyJU{U;(Ahb~{-MlEokSB0<q_
zObGX>M2^-iEFafWP>{q?qquQUs%`vHG`8veo!-iFSNHxT-(jH+yuKzc@@GE*1%Jq)
z)(@@!Q9#D0Z2HzDqBmC&c+Rp?Tk>8<;NDBub_FaF<DFq!fG9v0iT_AG|9sCJaE*A$
zzTv?POS>?p5&>%b4&dfPq2U++n}}6X=zco+Eyb+w!wTuEY6$#1Z98*`FOe@)`8;t7
z!|ni?(ozuu^SO_}d|W1K@#Xl#LjhwrMP`ZE5@&%vGJTQwKfVSyO#+<01h1n-o!pi&
z8dbDO-5vA&EDnZ%hPN0_yWbvVzc||XI6R!iti_Ik*+S3kU>4>7KgI%)ka%$a&dF7y
zVyif|=en~+{bl*m^*WIK^XwOxIwey&!fO$P5rD~d<nlvF*bsE-*+%uaG<}{(g3~zn
zhmLOxBmf^`<8pkU4vp_XL2TJ*wnOf|&6RVuIxE7#V*(t0GQlTokHOgKaOLD!;oohA
z2prBB`9t?;xm8$1Z(;s>_7PEp1ZWZZUsC>`po4IIbTd9gZJgtm>hjei&1h3lc6eA>
z`=7ZXQhsNj|G6%ZZS?<45WEtyi2pyo!bN8OnP)fy;r@c~f8PBb^StEo_h<jk8pvru
z)N>g^^_P18XRR*QED)1i5|uJ({hl&pm5MDG7=B31X)3Cs{W$KJ(QUVUs|GbCbTMf}
zOx^%=ORuc?&y?+9u!?V^m3FO6c0(41rLrV~vP=Cv)h7%^CL%x)<euTTL+~gZbT!{b
z`Ogyce~!38!UM#yhNac78Ut@}Iu}ajXg=n5exgnk9??BnZzxqm8`tT56@*+qKAcwC
zZ9`|mTSlwjy4xRlg>3EM!ASpoaA}0|shjD@Amc9g`ioty?#7mO*iD^e#Z==~0wS&!
zbGnjKchG5y*?DC^#O<&FWaDC)%3aN&c3XF4qD7xIX4p(Umq$Dq^4}+ajsV1-s(l$h
z`E1;14x_ZkxZ#$+og~MQF**jgd@`Jw1$%>r#~~07hw>H*<=%ocgWIb9Xi*XVF`I#D
zMopQ(ZAl}~Z3gc%Y}8GKS=?!1d&y+)`M!Q`$p>w>ALeutGU1uZ+UmCpi|v=vbOcR*
zNRn0pZmcB<a|Ys(7cx%}o|a`7LUTKH$jn)vp|~9mg-d>qOPy(bhJA7b!oS&edhnNR
zF?V%-t54_GCsdu1#0+;k4I#Ht|J^k#c@ezUp7+e-T~^b#_^b5l^d|sST56%5UQqZ2
zCedvGtfO3e<Aj@}RTc&UKT^KwRU55OQMY=ur8yw)|4LoXb|ruc5fCaufrNxgAFk-l
z+coov%TzRO|C;@p?CA!%O+cCD7kxiQX{pe$S&gC=J1QJ@<D(b*k19MbM+*whI@F_s
z>m66iTRI~7vhAGIZWWoU+5gY?An;tXzQPZzl$nKv3yVK$)FCem{^E~_L$erdnhs=8
z*)JB;`*e<;g8m`{D?=in<$>vc_oa%CRJu>vJ5mn8Lp8c&e}9T(2!!kPe-3qKuL39l
zXG%pbgB}NWaKO3WoA^%<OJ4+47JAhyS6T{ZxrQQz20D)}V*lsFe+SsE))xzngW{_2
z*vQnJ+Rs(TD_PlEdCbTUkuE^z2(Pb_4uiJ(1I|W!YsD;)oUFk$qAT|iKl|4fYH2ZT
z)8!dt3=c1RUTy;Vev*GbuvrES?`C9rcl8ceg%0{fAopyUc#3*cy{iG}JI?x_ze@)?
z8%(Uf(ED#=0!dT(Pp(7+<Tg)o)^9%ii-j`FZ~?G8Ui&|5^uM&Cw~7CooT0zGAW=Fu
z`hRsVx`-^T?2EeTwkbVxL@I99<-VE+NW>R#1jNbv98q@Ste*dk@rwNww+xtFt-(jq
zWY8Xg<zI&Yg2DNo@~&`|?u8yhrZnoULT*Op{aluP2no1a;vC!pAEjSeYT-&6D$%^T
z4qQ(MehDJ@p9D|~9QI;euSWp@PB85Ybly&c+bFpoaE{mpt%Ig(?AOau?wGG?(%+2_
z{C|4;3aBWz_TRxGR6tr%5u`ySrKM%0h7yoLK|oqcIz$j@L13gMh7Kj9K@pLZ8l*uQ
zhVF*D2lX7~obTT6uKQp2taSk4otgda_t{TBzu&oNflxqur%`nuYhnVha>Zr=`sTWG
zK=##ZLNxClD|lwDM6hMZ639c7J7C%sui3IgvBmn|x7UXPb;+UK_Tqxw(i>KOMW)7T
zI+4~IFm?VdX9k@69Oj0`Fvc!x!;(1ukg_Kc#_h<nmCI*DRs#plAfj2t$~kmEB@8!Y
zC%dwJCr4iF0Qb7g-MA1qT}{GzOnV@`47?Nf6tCB@<6wqF?)lw+HuA}&o70KTdFd8<
zP$%MS1UDGI=)E%2k60*gots`KwfHN5@;#sIwww8Q9W%W9SNMj+`!&EJA9U1zsU9B#
z<*LF!7k|EHN}_r93W0l>eX@Gi^!RN-=kTivN$(8QORWV}4)!TJMcsu(R^+lbMtn_H
z#?fUfSIp}PZyJn#islW7=1)tMH2H!bQMoMB#co=YENW&@NLd%+A+blH9*CW+88MM~
zC2!`G7v(>!TRPG^d>IprohIPYRTc+$1a?k0Ny(yVDyzy`z<>c?&6CAo-T)hQH4>fs
zZJ@p7*Whnn$9!LV?9H_ymk3H<vTya0BwvCXK9h1;#43h+h}9LIU5`xQ>K@^|cQ0tR
zN9AUAFq>G-!M0Ka8J&iLSb6$J-6P&Wx<l`+>zNb;GI^{`lCuB0@w3WMA0t)O38G*G
z8E)wLd8$5{p6%6lMk={`6O`65YnT8`5A;9Y0SQl8?Yyc+QsA*B99fj@!uo=`AoZK-
zqH)ZJ?#$QbpJ8_bH@|kZwbP=w>q7+Hd{C>5f}`5*{UnSSEE}j@rwxQJM|9hrprZWq
zc$QTasiFM6+8tMoBFKW0HE5FV;VKZ{Ljc_^+ISt0cT^PQuLnFnk<^WRlssoXB2gMO
zGjMaenb{QWcql_2=eTdbQ$zkR2}~iqy+x|=B_bi6ps617;VyC4HpJ9BL+FxO8=n!X
z|EM8{p2P`mtN(^s$Df`NdgmJq(-2v<HY?ki7DH26_v{R)h@HfiS$OVe!)q2fz*S@*
zi`>Typ4Leu`MH2Rw2jzHO;PjL;g^7vF^0!9VK#{Fx-Xcg*l*XDyCN$CCf_~865Yz}
zLJ2NP52H(N;8SW-L<B`IrEds^MqMQS(zQAECEb6et-N?(1EA~<pc%djnnFHapwu!t
zL44v*KW#k+={;EjLW*@Z(Bnu~=M*&cHKN?3qZ3KtzZ0nup2cna2(4Diaho}2dsY2`
zv=0e2BjXB{&W~vf*B@XAoihLofzTL}R%r#5=(yzD#HGcz9bZJ3fd?tE%X#+_okZn<
zb64)c-c-*9TDjPj4+wqVtkjYHG!RP^bs_+h9BzuS_9hv7UT_q|3-<~Y?^Dnf^9xzz
zr!7#6lW5;mQ>NP4IIrn)sp0?ZNdi~<pU!T1I`}Q_x#P}MVkD6f13Fr(V0^dy*+jH6
z)$K|e=5VNs9pa+!-6|T<yZC70WA^fW9+LS|q8+_u=Ge%V_4ck^e{sx&d*;{|y!9t<
zlsV_yXP=fRJ#He~cK3e8)MBHYaLfu7xp5#byJ*XQDgo%q=uOD=K{LOR(gl1q8dJM9
zO5Q59yVT>~Kd#U$e_VO^dl>_0dZysWvI(-C&s@zCCsSQGt_yb$KFyR23Wg`wA@Bm8
zxlTqcCA?9*`gbMz$OBr&Oe6GgISTJ)%ZDSH=t!%+m(QOjcK?OLaG*T+`uYlP95c08
ze7w8hx5+6nO)kz&;Vq8ox1bkbD(>zECbcJ7MXMTHGf<kT>>%tG4N}`0hQ>|a?ljYl
z5i1cfCMGL}ApzuBHEoGIxcGOD`f&<edkym7?}iIAI=XybT$eikTCAmdKd7%T)M`0c
z(C+cLyF{F95Cb|qxl!^9v2)w^OZG{r&n}n`(;hTQH=O!Y5F86p-ncwg@ptBWC0k-T
zW$79UOXd|~nTbhCMrOPdFiAPRgKu9(KJj3{8R*Zp#wJo(zR}y4PyMVHO2(*Own8{6
zc}N!XJ<)fZs{zM;;*jy;pzc7<ddSPQd8*y0=z)6xym6a$o<m1Ji#$=1_u84O=D-<_
zv6P?}-nu_$G1g^GD)>Adi#u(*k<G@c4a%i%{m4jO^4BdS*I{m9t&acoS@O*;Kjmc?
zsOT}1o{Ws-NVam7yh`gNHIzfn{&Ggg3JIWRad*~4$?t5j{M{!n8oAIDTD2*%t(lTF
z*7)hL{Jj@whu0JMHkj;AU92m#J$8AqQZqvnrMypZlK5(hCxR@wgMSfSf=45X@=R7-
zUH&rRkLoLWSCcNutxAa&Hf2yrqgJQojc<E)CaoKavbzR<uT>yF6h`o;asa{-A{H5P
zUuqPcH9@fBz8r9aLtbk8^spP}>!mA}R_@T-e(E6I$iA$%P=p<aLtoh4Z}lZ#Li@DG
zoRY(4x4(D2GYBIloMmLrkdk+1<z-43rQd3GeJ_|R@r980dwM4cJ;=fpz#gCyS)7k{
zuXZW9KxIN@3|Hh)_^W9A$(ql`uKG56MGe@0#w@|IP_R*<t>6CwZy+Yi^FP6_61UWu
z@yhiSF}ugA!gfI|G_u~1G$*LgS0<==BU;DO&tixO=W-3Zl~j(gW2_h#Z<6R{dg9LY
zGe)ubUxA|cy$+tLY}{nLh|SX}SuuZ78Jg&*4&^D8D}I6#=_~2W-n2ZX&Srv`=Nj*^
z8WUl9OXSnB5ELX&WoZ-NTTCP~hmtYTqgn|((lePK6L;Z?0X-kb8N=UX%xTu0*?o~(
zjI+C}f~}t|uZ_1mT@%ZMASx;!+7@$vL}CZ6Y0#@xkn+9%-4)mVmO_(vZhZSY?Q1ic
zu3(zu?XBF$I5e+fvhXB*P4Ay;7BGy<3C?Q69IKlxZo4V)?T-YR0zBNv#IMORMD~q8
zw-mMZ&F-4lWl4RZosW#ib2lK_<#8ya`{d$p39HPc4+?5bdunQOEE+I+{=7Ai@Vf6;
z0|N83c>f}R?X!KJtJ*jJhH3AOfy5HVVoQbo_Zf3h+&uP~Bu)~+%?WvU_Ogj;3spMq
z+fb0Ry4n6CUA2cw#?H}3{#-ppBG`KMX^NyX%?YV5uON|Y`-`@|MyWg~CzM>0;>}E9
zQ{hDHpy;7!e4|;7imcU+e{MMoKe**-Hofa-vD#iNeXy#(XLBqJ5KP3l{FHx&VHl4;
z?EK$7<{#*Pga*HLK>nu`hq`G7)a)bHNr)-#pV}!l69m7|N^6r4eDS2e$4$=sOyB&|
z9{s1}3k1b>%zFokrGJfYKrr%W9B@>KI##bT%Rs_{sZB6hKWzL{S*A)6ve=MXtUniD
zQiLK^5{nbHd8lDx(%F^utVrX2Fh1nP-vjkWb_6sdA?EwKOq*ZN?d^d?+?<zJ88Hk@
z%8L*Fjm>rx0_|v{{nHY@R&4amQJduKt~UW%i+^?_9ocsfp_*SttD4!*=B!^z0dPj1
z-rmO?dl2XTXi4HRKmK^rSUDnW#_KWJ#ojDUu=*#ro{|Vy^gSde@BUOq0=a~BEZRe}
z7KK~(+O<TJISfVsq)4Og+?T2lPl4l?{peO=oKV}{0DtEZ_`R&jsbH^A6fVQ5s_<Gl
zZ4q!3qD~)k0spmY=_u`j1lSoo0)Lu?qv!T#ka$!;JXW9ie^2cFn{1Iv0;DHT?_;7Q
zl!&Z9e_^ct8YJD|m^T4hhAb{#<avl=F>J|)^PYgLOy(KI!<VM`<<TwTM1Kkbs8~)g
zitfDxy|`SiAI%B7h72idFFjMU?ddW<69)Oy@)UK!yh22i3V9-O)89mKXGmh3cKO!@
zCXRhkH?Sz%{W;;UzCt$VK22C;so+cS1)u2%BH-;i%j6%R1D}pS2MlC4i<d)8F%j*{
z01INK4yJ_HL&6|av^>TlqWhj?K3P$or+kX``m^vj4q|#U>aX=0Q_~+i!BC@7KOf~y
z7=GSQc!6_PWOk>+&irGc61{g46uWiP@(m49)nfAlEJa_Z+j$KAd*Q}MQDt*q+k!-i
zFo*>gKM{0}H-rYAx3Qf$s?7Ca=Im||7(etmPa*EIDK9np6#I@9?Wij@LF6;?bJTY;
z$`4bFnqMkz%!RJaLpKMFX^)oIbu-R#@KG15pi@{dE%NrOM{_+(Mv1xNHlBa?ejn8@
zx?z2Q{J5J_9S)PwDb8GbdJ<LT1|n&<%>{X_)bf(vsj1H1f*TwMPv+8hp7ZfN`c+|5
zqo58{GzXo%RQ#|950FODUMFrcaB*O!CY9uQI>B^@!H}u#8ag&O0Sw~_YCS4Y)`Xx=
z9#dB|)saLVtqEzx!>Iu6mJzDvq#d2z5g7){sH`rZHghy6BlvChUPIbI4CHE;MpiPk
zFtc%)P6Aih=1?pVWPT{r-BM$?M))lDlccC>uqjdn%vNPVV$ch+o2qf0TE)SDm8Dfg
z#B4yILMxpOg2p=LsOLsRu7K2QDI37bd|0NM)<YRVXLVNPk%I?c<}MhwpPxS(w^!%E
zr)T)OGGX%)u2CQU1OKk4-N#}myCa6rC-0o@{cdESQQ|DDNO;HR!wiKjn;_>s=7h?4
zA*KX((?gkm-31Gf_^vvzcOJ!!dJS-*)-Obh*ZUNinM^BpUE=1xO5!yLdY#MPK*_i7
z$fM9isqc(>u4PmLBt-wqN5gFj0IYa3b8&#hWhVJ76_4EfT}pv#?>{x%?<?$aXK5cA
z9(<I#2?dy^4q8qVMK_(NG3ye|2Y^<My}>j##AO>+JZJ4si;H|X=BPX=M9t=P@^;rt
zN&Bb?GcuyGFRstsZi>t}14KFBFdNaXYn)tm7EH=3E!RG^!|l9V@DSI2ku%}U#`I-}
zhb}&tpbfgliW$FW4FYGZl#Wd#ZlR2A<5H{mbO^weB50RtI)atb9}F_WbQ;%UI*s>o
z`D6)1XbdbhvtP13(O28vwsE&BZD&W3%HbbVuCdy9j+ok$*vA!tH;u4!p3$#B6K%m%
zJoKgw!`%t&KXZ-eIY<dWi*b%3C^sQ)V9HHYbigLDw_yOJMn@wLrw(~A2vW0uH-}<u
z6eXBV1C`1}%KFA6>oI+*1~XjHRV#E4P$<Q9zPC`cw4CJazPDUU493y^JpPz!2rW#p
z$c*V=-^gM5<zQ9iZ*yfwIY5wo^z@c$Vlly3A~Lig>z^4*UF479DlJXjiT%pG4tLvE
z$4s7WW(VveVDjB89nDCyv9U!yZ)`FfEVi1Q67Al3P9^o=@vfTNafj$=Veu~;tI(N&
z2m1y7{@Qn9>s@p5s*V{qjQ>Lv$mV{q8e35j%V%*<>&1;@-492X;BLETgb}%4#`~w6
zaqWBM)U7K8AATZo{ipKJ|3$aV|E#f7yn_K9z=1qIt`q*vu-Ydffks_)3-J$N;Rsq;
znV!{46FbyWS6Nq6<c*P5G2CROg1js_=2?My)p<&(vAXt+dAl8+`9A4Z5!r;pip(Um
z-)mF8fTYF+bw0=?>%S)TkMhO3Oxmm*3Y-e3oAxIo%#Y8pv>c(gru1WysXcaVTjRvh
z*KX~wu%|e!n$C$8UW5SPuRoF_g6%MnFv}@!oN{JTidJ9Ca9y7M76eEoTD&)+G2`Cn
zts;MBFWVzIcud1*R39IMqv=|s>pJHtbxQl!gcHUawvT(1VesWq-8uA7902Bd<9V<@
zY|x~prd3N(xw29dQ)DJ<JJ|+0n{|17d<soo$s-UkgCZ1%pkO5@b?h|9Jz`OiK5a1|
zcR1_O{_=9BH*3J_U)7|@vl!*wi@|9TFnn0QKbKdfozW=y;=O8`nl^*ors+<I=^4md
z{Nq`hoX8ac8}Dd-%^8^>R&`Rcjv61kX~H-mSzm%C6I_c)>jPm9J;g*xB6mJ34U@#7
z!i4|yPJWR)ds8#y)o(x%DRK!6$mktNFT7dFyuoddBztL(OP95Jfr&DNnk9{~u=mFR
z@?#<}fZQz{3t&{XCq4qS+LLE$_tZK))VLv@_QxF5GQ~oa-U0n)e6a-^U8Vh;95GWP
zBVAr52BjoCZP8FO`;B58sNi90OG!W-nl})Y?g9yMkFn}vU44Aw@-qO{t5?g${APRA
zY)%YR-988&v$wiXj0-Gxq#hq%x(hnbiT~6#G{uo+dqMo#L6i~d+I>JP-sgaP&^qST
z{Twt%xXGQB!obAO4~Tql{#m!l%0qH`j0LUbx$~A==%~EzDl*fU`U)yfJW_wUw4hF;
ze-;o8jo&M5Hp}w?pwA<Jfd>4jlE`yJ3?@EfO1yvVZVe#QQua8OC9_vlKN_KEZH{`?
zm80`ycVkFhpgiRiX70fHc+DHs^9S?6jB<`lP@`oxXSqfHT#W>%JBbS)f7kV*a9?<8
z*znkF8<q_y5pf@XV5!>jogh4jJlyp#u>Y3}1T8rxo^HmU1ak_1s>N;?D5q0W{}~DV
z2sQs{KYl}7{TU(thTisfSK&Y7*8j5J&xMR6B4a-VVc<I^EpaIA%*d1Jh7ORh<9SWc
z>-Sdyo`*^eJJW>&M&Nt@t-YO&JER2XST05n>f~4HG83sY{l35X%wcsU_tV^@`c035
zS8_6Pckg(<^_C-g|7n_-aPn!%rDnZeS0(Ag)w)$j+NJ3Wh%qluDqI||7hZV5-1PY0
zFP+2VRKm8VBeW;H-Q#zQ!QV6X3McalI#s_@ZFph8rIWw7Y<KnM@TZL2%-q~uwS9C<
zRUDN42G#9&^mii86*L-N^h`NoOVQhO30Ch?+IoLH(T)<`=ggAWD1U{GO}=V<X}vpW
zs4}RKC;4rg<3{f*WB}PkX=xefvi9P<cTTG;Q_=R5t^8#UA+h~AG0PkMbqR;&<5N_C
z1WS>HEi3oQUJ00%miZDa6F^qS+f6a-uH%;L*V|X)BUAna%p9iKEv6*|HoOWNxM%&T
zuEMD+N@X{Dt>sRSRjq&a#wUWhAbuIn_EZIi%lPvaeO#0-LUkDq0KD<Kb75$dNvwO>
zb(<9H?;jdEzXS!00|xF=t%BZkgBM=R6>7YWEaQ~}#@AMq1<w~@!_iG#K_H1Zu0v2z
z5H!&gv{)TdlE9WHtR<-L{mxkFVSm*oJlW$=^(*h}-oa+w*SJu@&!1&vo?Fi#>vDCw
zd;yY&W(;qWz@e+brsY`M<uP<tP>hv^(0y8bI?K8Kv`ED`({q$0r2xyeZfp7IJ_?Pl
zCJnu?v47CbS@NN$oIh#xD|hN06)NG8$L$pTDhs*BN(S@VW95s1R#n$?tA{9r-V1tk
zFc?g?$?+xza0>R8bW$XJz~xdu565%j+PoMj9Ihy-tHZ^(F~*krLasp*zrUD&@+&VZ
zD+)HE`*3Hvz5Wx0S%%hB0GHx7YeD3j4?Sf?g1TBJcGHhn?2tt(E2{X0Nl*l{(&wa&
zUe;B+G&qaq;y`atK2nf_6L4?HXQ-h9>Ux5095iTd5;?&Q<1Iy7iRWJj2?broi(P_s
zeMi3Bv`P3_FFC`5@^fLiJ^QUrUGt)zoBa*FjH|?S?i5ZouOdjd9T$)YR7bk63U?g7
zkJ~#~b(Qu<;k^k2a~i(|r4z}+9H*MZR(Uh|8j)dV(ojO*Z?KGX@}PG#6APkSA1H(c
zR-VSC+<NvZEr#x_e`iZwTpi(Q#R?br@7oYpg2*?HPwz_$q0LcT9M01q7TQO5g_64^
z@evg%Yzj_3=*|rd>6uGw;`g0fkC1$DZ>|-Y5-ut$GMJ$?fmUpNH3#FQG!T;KmpbTF
zqQWMi6g#Be?)l1Y@60*D^Bl*CZ4)vL_eV&SHMyO+LV)a4c9}!&Y=%@^TbnNq?Y88s
zTzgnF@+l}p)L;1Y1+vRRLe5uI`t9-zXun1gJNcv+@{Er2nZLNFJy~o@+ECc7i60Pf
zWf3~xXWzIBQ`x0nw@WjM$QriqZrF@HLl9h1oWkQ+Gm>=ueX^b8-ke5mps*LwCa?2a
z1I)T?y9)L4GH=LbiJ?XjNEu=j`EudcL!fm5_y$)z>LcT6x48?Y0~9rM-qlQZv8}Lx
z3E5Ecq~xEwF|s@s+8v08M~@KQH8<$WMDJ-81WvXnY1j(x_gps^t*xh$uBj5<xNC2O
z`n5+jmj@q9j)yFIOVu1?jN<xYB%>pU*Ni?Snv&Ol&n=09dUmE8PPILkr^;loF(-FA
zYVlupj%gaHd<~F7)vENaUXYI;IQhnf1&%kv`BS0+2VnBmJ1<<LwcxbdMBXu$FsMq~
z=klpPq|Gton(5crdhF;N9je1sF{VQeh>wgblf>_*oEMIl`1aUw2|`FPo7X_qpCKfM
zem%+VX(TM5@)J&?Hr}6S%S}cB-smnL$5Nyz%bY$sxca+VG_4?!NLQSog$zQMVR8;X
zmF54;ZyyjZ#%un*#4#ixUd(a5tnHk!<4cgn1;1CF-vL*1>2kF9Rz7j;=9uP?lzDo?
zd({V7_75J6Z4MP6oaqr+SG<YH;F**aBrEU*ZVD&nxaWd!F7?Bu5hL5l!iDy+z_~d-
z8lkJLau*$0yu+^isXp!J;F-%i>l~cb6&M^)8=F46nJ^R+40ejpJM8k1NZuJPp9;k8
zIT>2{w8Y$YXcR$G-}q#_igZj(jo>vHAS6l@|A*-EI%lBt7q3aw58DuUE+8FQQp$g7
z>-CGgPMAA24i7KnWEW1h(3!E)2D48&0siRkr6dx}p2uHd9|UjA?j4VFxWQGLq7acx
z1jiHdA(WR|z-p@`;qtNjwYK0v=<PVyI}ve%sj5tKBobA}_x;N(@(wRRf+91hL$yGs
zaV`^lcA!`L{mFp+O$pnnoWe<bi1VlP=t8-C2v_2MSCb8iwAbmw<ce-^b4x$A31cow
z@FH9(>W~R8H2xMRHEr8#Mr$+ZxAaS##+6S(yvfok>)e=XpqB?HM4yHFW~RRgETC;{
zZobE)@Ar(p6=|M!$y?civF42kUwpdBuM1VgKkveDE(eWQ5s&=P56o}CdwBDN?J9cz
z&|=A+cwm7YatlHiexAM)tU#t8sQOoL4(R^;?ahp}ElD>u<58gtKmuW4&T_%#u<ld^
zNr$ct3=0BDA*&#PH|BNB5Ui`j`7KI`Gn@MhBk~Q=jA>SPK43nOWD$Cqgb%rO_%b7C
z2`uTn59SDV><rpEj35amC^3sz`Rgw@+cLM8VWWEOmhz-dyz3#)U(qAqs}f4=q)#qN
zy^ZrCl*mwt*k0}fJ|YC-joVtGCN2H>le6-eEz9~TNShxe81ELrg1CNF;2%se+QxhE
zR84a{Fb2`#OF4{yDM27{>C0}IOP6jEh;F@!CcU==gS@l@Uml#~Lee<0K=hs=PT){E
zvdn*gVr_u~BHr@>YJv^N`_TOz38|?oU#!Y9I!#_d0%4#5Urtf{S3imOd>^#^`yIan
zWU7-~r@x#17oW>B9>hOXLZzP!=wKYEF#DlAm90~(7}p6I`dB{I_Y`sB{DtyRtnWGt
zrBk%_iYLV-z(R?noHMXao*BUZ&bG6;7=k#l1c>Owz2vwUpQK7cswD1cSCDuDPH6}c
zAbt}CZM)w&99cY1eS|($0-S0zAAY{^U;hToFJKRNeqL-3fy)am!QNbsc40}z<K@4b
zvPY{r^t2Z6NYQvAI`At<9=#|>MDtlh4?Id!O3005^fy;-vA>kth`aikT<=aaPljv=
zt%-?=LNrf9LqjP5vFegvCe$n*%Z$Coxp|kLW{J9j1ci0<6rMgWam;vzP4Hx<19^*d
zdwY9SIVY5`Y<^&3VnW1a!+fA*8N=eGtzBjd`Y+ft@h{$x${{B>D3cv@rULxe=_egG
z?;Wj{6K?w1pEPMYj8#fvuF5EMz-_8EVHmKBbt(!e2;}(ExeG+Xv>xim!|vT<$Di%a
z8wQ+6fF}}QqLY5x`L>oEBH9O7nhFaG0W(*{N+Vmo+!g>0m?R-3MW&?%G_}0G{>jdL
zg+27jiVsV8ltx_$os~eK=l9vXYWMF?vA+th-m#W$uPHR?lnQ3IL5DQ+Uyte7pv|Fq
zT-ulzZF$+WI46kB_Xdr9eC-J!a602*r#w&jl{Mkh2&$1(ZjA<TRV;bQoulGwW)Cyg
zwQH9~B9UNbjubc9lr5+dWiC%IxOA|)xHw#W7%EG90cr3hIAZ%-;|;gZq?&*^$@rt!
zX?hO!V0P!FkJz6_CJ=gXINW_Ur`UfD{58io=pwfaNdvXddy9U5JTUB=sI4r0`?eo5
z4Zme<$#hXSoUNlqv4I|OP@nWFM=fz)L|f>)O@t)xpajY?z^>AHy_qb#JIo}_33jCe
ziY2a}t|;%wVjqenZeD-BVF3x4p#VC=v!o<?CuXA2rB_O#p}saOmOXE8(fWG}u(PuV
zR;s1WgGoT~@b_ljinQ8nO#ro1M`{PmX7gmyzO1KzXBz;(>G=H%d%jASf%&>`1&x49
zA~8-Th|&+QhA#cI`uNmTK!=jpzFG>H%w_MOmnAD*lO@~ld+u+!`Dos=Nj+Pt(kFe8
z%w#tC#%$5UK9hLVi%!&O&%4TTByhY-4`TUJsH`ef#>Lj!Bv+IfY5~Ut@p$6E>6S_@
zhS~?(+S+r-8yrsaMcrrcsb5D#F!J5kqU;K1X3{2z0idS@3f?YnH3R&2xnltHoj+`Z
zK&mW1zvFS$h1taYB*Ee2bvr~>t>f9oM3q+vn`kE9Q677&OJr(HpimDflInd~n|t;B
zouaS@FYc7CHb|y1;k^rQEM(y4*Bocp%9pwu2^i$G*#wXgpMXSAREv_UD1Xi8wj2;p
z83`6zP(GUp5SF>`B|xKib9^@f(5@lZ;f!@U%J|6TFs>*+qj}?-Ew3m?xJ5nt-UzY`
ziD1jUPG5{~jp0{%h!2=#qX9#=crsdHM6!Cpi(J=EMN6yqTaJ$Jxr_ApbWY<Jv^p!*
z$_hh7cc#0a6HJVczlbGe(*P7&O%7p!k75dWbEq4Oqrsyn0%8Z~`Z(YfC3@BF8>T8i
z@{|B}S~QOd=3EI@fG4M(rJ?J({5jtaz$?pi?ZS+PYl|L+LOu5Ef311K_qmeDdieCG
z*Vhf^jusvY_XjMF8B1|EM>@|Bjdb2z;JA_Cx^mlWvc~7EbSksp+AJqCyC#?{?d<F<
zx0}&-lkBZjt4#%B)F^nv7=X7Y8G+Hqevoq>cH;|(?bwiP7iljJ3=GuB(FW{!=3rt|
zB}>|HxXKN%9+FrlgYnKJDnK%JQP}Y<`wn0hTPT~&t*8)IVX%~PyfCr2)hv_kdr<a;
zB9CZ{gV{H)VnsfLR-{(?EFRuC)oi1d;%W+@m{i98j>PDDN}?`k*NcJET?2a7T&G{6
zY~sHo-{Ai+FBsLDkrcTKzWt?L9a-c^i(;8DDr{>AV?LffXP87nVE7p2089riAazUt
z|1SX}jM42~)gFiaSgt;=3xORY_z1;fc(De99BFq_jCR)oPeFu`3fyD?$G|K9aEZ7p
zSKkVzVO2bHXe~OjNAv-xYq7ONXK-j;nY^9=^WX}CtV`xUmj8b+SHD@f{|{#IhdDm8
z7;pB=HedPx)_Z9N^W|TE@<u@~%Fqlt#_6W>F=V{DZA!KW=vyzDFD;aUI}MW$6O2kR
zTED!+KYbZ&*4vN3<jK~+GqbbJQRymCQBfB!Ufkc^)GGjk(Mm&{>4mWsXPxB21TSh9
zSgR|NR!ygXrwOS!11uxaDy+ZQ%BnLpXv^Atqt{qAm>NSSi8)CDVZ|(?$UCE^e7TJo
zHRN$9!1#IOVaV#kK|{cG0F$n6n{|!<Gtj>ybyQX)95~&KM5D@+)dxGX;P?X`JT`WA
zSMa8WlYl>PvHI{Jm`3RRqxR8gv)t{Cek;Q&zXu<iwE%wz_|Mtd8Hh4Q6|S0@qrD~R
zfNJM+UYl-iZthePa~rP@#m1)=a9p|%hOY@|1RusT+h`YCa@fS?u8f6<!2y^-QfNg*
z#rEn{Ol1+#I$H75I(VHzyzot+lSo>C<}iwG0i1Q$nV5{f#@=M2wj2<()JWo6KoO^5
zIW&g!B@nlBnl7e9y(s3!(B2aAEy4OiUn7X9`T>>#YJjy_S9uOWe(&+eA=a-#ixn)Y
zsr7qvb8{0-2#-TRm||$C33oy^$MTwe+n!1Q*k_gxRCB9#&@on3T9Z20b@&Km11a8N
z7&dPYyDV0M$Aj2@$3t2~0Q`b`<xl1v06S<4|L{GJ{dJ&}NTa~nj}dh%a~cIE`0Ab4
zk88GB!6n5dv#nx>_lAl(jBlf|gw7+DvY(wf-&blob+EttC4`QP+pvJEYD+&$Bj*6{
zp*Gz~<CLC%#$Y<8C}K_dIL$TfK&mo*-<OSe`N>s4(+gw(NF{ilnGZfaufa<%RexQ6
zf9h*ov3W0jXAHm9*QTadGaK{$tzbwzDM^A>9uE)iz2zWlXGBB<jiBAzNcp+`oSr~K
zkiSU=F47GesH)2DeSm^<1$4LysjO??wX|FSHqI^y{Zu|pF%EzQDhcRG52UW=Mu<X_
z;DaV5WkB_LOw&iZt+mVA+SmX@!}~^p_AI7!3@TI(XunQRp$VaNCbaat*u7tm27*;*
zeX`TPwnB})6$v~y(;W_wiMg>4P(XqyuG6!zv5AQtA_1RJls*>^J1S345Ay(?hy@}u
z(%rxyJi!?P+JPkLvrhV8?;aksB}yVVby<m^k?a=%ziqQ!nZHf93=bVKMu-es_%F2J
zy|SK)bI|6FD<df)2ulwVT9-2UB5c>_fL1~U2=WqH8B2iU2{{oc=H;Rfm%r;D7DmKd
zjAyH9>zs6H8#pf-d2oyO!$oG@;9=io>&ei}i(hXu;SWNx_;p~ne*#>UJKsM(6Fb}k
z+*7{IXY}0GyWID8{G`B%5Zjr)5;bE-+AassyzhAI%%pL;RM^<3jS#uBp;cqSIRnn7
zVO`)wqf}KyxOD+hk#$<U!1)r@DpijpIBLe1>d)1g0_Mu3M}Ux1UsepX(dbxJ+An`5
zZ=$!=ET7FSZ|2tpn<H$}!4M_py7hQOuIli>WrQIgP-#uZ-n5l69FYj76)6MK0_Cby
zo76Gs%8W2kRqT1Mw0bQvHEHA4Kzm~Zo5$9OFQ9`Aq7~`ua|eoi@@pJhG_P%J?hU7v
zall#Y3inATv=0e!2Dib=$w|xe=;d_S{(KUEqr|P&kJe7(WEnGJ{8MN<3HXP;dV|OS
zC~S{Yo3$0;;&ZNmfY%%VyvWGZd19SxZq01gRdDp7vMfndAf<oc4lB_A><_PW2CnD&
z!XT#U`o=0?_N~b#At6agOG|Lu=mqB_Y+J*qC7O{_bBv4@Bff8qS|}eV0L;(um>4$g
zx9_VTkJRj}&sGDIY82e5?oCR?Z+Xwi$Os%0I+wY3=`OCAgV_Df;LBCT*q&Tnp^-AF
zXE!>{HF`n;`X?apUG%p7-#wTgTAg7I2@%J}#8}S&Y7mG@JoA82^gdq^{+~@7CJmAF
zgdC#Cn19Ed3=in6`<U=SZB<`VBoY7id>5AM(=vUFbSA*ijP2pb68C@#M4~v{jv0Nx
z694&A)f!B@vi&*Y#EY{z-?$(Qe#$v^dd@642OUJ<eaW?R^dNFXiP|$iUi<e&YY^v*
zPrd|Pz=O)qhjGZ^1AA2RSg#sFcuu0I<KzVLTb>?(quBymu{q?T!~vx|x<DITzyL0A
zn?Z*2_u<otR^0#SCF-{G(Ad}kK+AFlp>Tn*iS<SYsd=^$WkxJOxeW8ck+2@Cv!CmE
zm!8hd#Ka^fRvmnFAp{~`vW!IBppzmcA;G!AIB*Ay?5XOfC;|-!fz$*YR)Drxvk8yy
zNCH!G5RG5r*=mL2va+()1=I8=N@91m1OlOU*<4_8;yevr@t_U?Z*)zbk1_^0L}?*~
zsz6WFC}K@3r4PxS#^C_l0Jf`9Pdhp!1Dp&YhlRkn6Kzq-`$!(~N4Q<`1YU?6PLol_
zoaJ-*f(Py_kQZmu*3Uw2(W|kEC<8sQ=DU8D@C>;7Wf(*`?X5djjd;3788}brLyu14
zP-N?QUL!oZWz1UM-~tB;0`aT`;sCxg0EY^EyJT%T3mS`c`0P!W121yV!icX9JZ!y_
z8Sgmi2h2wXKf!m~+HCi|<uCKZq8XXH>ud~;2isF!yVyAVw}T+Jb!W<QrnQ|i_=g;A
z+mohPS*vg>L=PNy=ZlB8fjP~TgnZYjb*<W-?B}x_FiKc@iV9<Ft=`}0M>9jbNvmZc
zIU0636{tZ6C4lhoX+!8-is<&kFJ7n5qAo+0I94Y`CWo&@drG}!Wr@lSJ|TX0+2vH5
zsdRTE6d2?#cNeU0%~9N4m`i~ZQLMCbKda;}qW<hln-hdsYg+A&83H7kR@OcruGGAA
z3&Ymgk%D`M6MN#kY4xvze!dK7>ir;69gaw)@zZiQv0gxSvL98bQP%)=ZX9ujAkF{r
z%csSiSUz2wi=qW*>=wOGC{Hi6>-N#7ysE+Z9syQ-dkv<V8qQ-mFdpwByk+v4!pR^z
z@-1L*XD|&+Y0#-@0EE>YOe-f+s5fyygZ%_Y@tx*Yu16gyCbQp+&(XTJ=No3tcfr`)
zH0+2f)l^hAFLKk)e9Q5zWQHSIS6DH(_BbSkwBcS&hIaeWCyx<fJz3aW$u0oJY!CQ)
zh{v97cW&Onb}NU+PG^|y*BRryDD9boq*oJ2xcl~eLF<B!3Td#O(*zB-UTs^cEjbz4
z6SKZT6HCi4S_PBccOS<3*8`_}?Ck>tpVbikl`(#Dy}iSO^*mi81#SS*3~d#hrB=Dj
zmerN6g0Si<?5}wFnpoe3u=;U8)`0V@Zn=YpMg01QlePr~w&<=bV~zKi&8lGx(_nDI
zrSi*FE(i`={iZ{A{^H7Rc6MZ1+>_`>8(bb*si^QD8-u`kygRR2>y<wh6D{fn&@xLw
zl!HdGEQZR)^JpeL=$A=Ta7mZ+RZL3Va@bk(Z6UiCSujF)d#=M+nyCq@Yuh4ly^7v?
zv65hK(<6j`^)p40MgKwR)VJ`6dBBZs-~WD|j0=7N8d_w1y%vh7Dsgj}h~yyk*c&U-
zgl}Ubqvgh@$k}ywydI&S5xftkSf=~rt9La(Bim6rmh)iny+!p4;K43Fvnsd9cluU3
zb+E9%DOLn;0*S~|xClAz&~e7tCA=a&{g#=b%I@)o&oTT6M5KF_>vq#g?D)LDZ&O)W
zxzJ|fux}MvyU1E2*AT&ZK$<mFwyj;<e)=rgSv^LLvb(QG!2m<GR1|N7QBIJ6G?Da9
z_H>G4#$Y)?tdr5lTwOiC!WWh|Z(2wPv){;cr{gu_ytidOT(xh&a$}V=B65LLj27Hb
z#omgJQCx`FP<xVe>Ky`#Yme5^{LM-0vrwTYbLR2u=&Z$P=_ez|OL8Sr9S^xiyfxE{
zE|@767_~?#AW@ud^jzYN)_xF>`64|#9M5I{_2xbp?Rmwfo9#S1X*MX+Dwq}W;^buF
zTa6Wy;%t*iwws)xQlX-3f-G?P!0z?#VSQTvVF3{J=H1|^n+EPUcR;ODmeVTPJCdkv
ziN)$_r|C9me!e!PI?tmv@r<iP6BEAKX|JWDqO{Iurh|waBx=GtCniT2e(Z7d+|d@t
z>$j9Hl*QEgY3kayND_!tS&wNTqgj3}cL9!G>x^Mz8^mm>ib`i+uv`FjL26Xqc!|`n
zjXcXmZ5r#p-H_EpQA)1Wzu0Z%i4#Y~7d}6<zaC5zVU!{Apt1RaYAp+@uNCHv@VYcY
zbo*7McZ8&w;vAb=$#t{fEeprd+FigB&gr!t&ce9S$!6zY0b%*Vc%sCkF3pi8lut7$
zUv3`W$a3{Aq5#UElG5tGF$8tnTmBjtI2<17ZaEnap3}{h^VXj>=5m!1Yz_O6>A<ma
z*`VeL=;-WhYTRg88$Q?w+fSP&%4iiWx4PY6jzrC{OFOdQ5GjTh;zz!9%lVuyp;K7D
zw>3sHIRacV6D!&2K?i=np}y6h>tQ*8Gx((cA;O_GqIFBE&tz3(Hd}P^%DjK(>-+9?
zQ~9yF^nUbi8ikv1`8^o{Q`Cg~<ckZ3m#dL7fuY-9qg~SgB>F^tFjNI73gdXEp*`g{
zI>qs$tl&6-_)-^m&hui@F5bMhk?dNG)C+UHAs`2#Gj|bq{l&Je`=DvlAEO3i=}l<Z
zAM9!e82aGTxkpXc)dhic;J*G$2l?vi+2(?sb*d#qwJ_5_e2Ja)a(29k3)?(&hS&)U
z7OZ+IJ$=U}18l``ZprB3;TYZFK;`a-opmJ8bVQwPIIE!9)pw#vkBm)akF7&7X3^_(
zfHXB>`-ec>)Y~>%Uw;T?p9`0|8cJ76l5sW9W50YalJe6^aquYiHQUK#BN{{!Q@o?h
zI7SYG*FhGqtI{P8B!~hoS8Wbq&xuJR<Tx1ICFljyfZyouygIzUP=SQ%z3uipI{s;L
z+St&Zs&D#Qi8Z=Gl=jjZ8cpCSzYw=_8&kJ){NQ=3CED<zk<ob?=Z5k{OIRP`ht5mG
zxl{zy5GVkIA{;=vM?t&DG}%>is?dZ0C@(MtFGC~r#C_?blfF>o_6AZHcB33Ebb*p}
z*zfyq53W&n<7qHb4pdLTL6(Ivm1e6V=oM0qtfQYaq+BC+PwzqL+%_)ThFsF$CbX75
zqX|S>9a29m+1*nwDS6Q=fR^5)|NVZJMkV}ij|C9%IeQ|FxlpMD(jbJtBu4c7q+tkq
zG%Uq$%?}7X(>t6?ye=CCy5(f4NaVys+)YDyzZFuZBDJFz>2|{#yD{b~U4dae<Hsu?
z7sUU5H>?*a%kl|-*nZ4;yWlBDnfKpa&SN`y#~ugb+Jwre3i<QRidJ9_!y@Yit@!;`
zTrYRVU(tXrS7l$whvMdh!!3|qn^P4@C;FI~B6Z|_?9pNsYPW+ISye1gCP}yUE?#ro
z>8^f1Z2cup>|iTd@D!v<x_L^+vUITfBcP+wEgJ<6lZGtTrR*({6OW3L%qEbhKzzOj
zT(XmSK%ho@-Wi}<PHs_O&!Y3#!`<~Jh?kd_2Yy@XkQi`TtxmOBNOynxQ6RbqLL1=7
njvo1}5F%_YjQ96a;1Jud-JZ0DBr+cS6LMQxQ7TvBzSsW(d1sMZ

literal 0
HcmV?d00001

diff --git a/doc/workflow.plantuml b/doc/workflow.plantuml
new file mode 100644
index 0000000..0b758f0
--- /dev/null
+++ b/doc/workflow.plantuml
@@ -0,0 +1,45 @@
+@startuml apptainer
+participant Apptainer
+participant Apptheus
+participant Cgroup
+
+== Apptheus Initialization ==
+    activate Apptheus #Red
+    Apptheus -> Apptheus: Socket creation & Metrics endpoints expose
+
+== Apptainer Container Creation ==
+
+    activate Apptainer #Green
+    Apptainer -> Apptheus: SO_PEERCRED verification request via socket
+    Apptheus -> Apptheus: Retrieve the caller PID info \nand verifies caller info against\n --trust.path
+
+    alt #Pink Failure
+        Apptheus ->x Apptainer: Connection refused
+    else #Cyan Success
+        Apptheus -> Apptainer: Connection established
+        Apptainer -> Apptainer: Save the socket connection
+
+        Group Cgroup manipulation
+            Apptheus -> Cgroup: Create sub-group under \nmetric-gateway group
+            Apptheus -> Cgroup: Request to move caller process \ninto the newly created sub-group
+            note left: the caller \nactually is \nstarter (starter-suid)
+            Apptheus -> Apptheus: Launch a monitor goroutine
+            loop every 500ms (configurable)
+                Apptheus -> Cgroup: Check whether there are any processes running
+                Apptheus <- Cgroup: PIDs data
+                Apptheus -> Apptheus: If no processes are live, monitor routine \nwill exit (close the socket connection)
+                Apptheus -> Cgroup: Retrieve sub-group stats
+                Apptheus <- Cgroup: Stats data
+                Apptheus -> Apptheus: Push metrics into storage
+            end
+        end
+    end
+
+
+== Apptainer Container Cleanup ==
+
+    Apptainer -> Apptainer: Close the saved socket connection
+    deactivate Apptainer
+
+    deactivate Apptheus
+@enduml
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..7086478
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,46 @@
+module github.com/jasonyangshadow/apptheus
+
+go 1.21
+
+require (
+	github.com/alecthomas/kingpin/v2 v2.3.2
+	github.com/go-kit/log v0.2.1
+	github.com/golang/protobuf v1.5.3
+	github.com/golang/snappy v0.0.4
+	github.com/opencontainers/runc v1.1.9
+	github.com/prometheus/client_golang v1.17.0
+	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16
+	github.com/prometheus/common v0.44.0
+	github.com/prometheus/exporter-toolkit v0.10.0
+	golang.org/x/sys v0.11.0
+	toolman.org/net/peercred v0.6.1
+)
+
+require (
+	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cilium/ebpf v0.7.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/go-logfmt/logfmt v0.5.1 // indirect
+	github.com/godbus/dbus/v5 v5.0.6 // indirect
+	github.com/jpillora/backoff v1.0.0 // indirect
+	github.com/julienschmidt/httprouter v1.3.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/moby/sys/mountinfo v0.5.0 // indirect
+	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
+	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
+	github.com/prometheus/procfs v0.11.1 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
+	golang.org/x/crypto v0.8.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..a19eaec
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,124 @@
+github.com/alecthomas/kingpin/v2 v2.3.2 h1:H0aULhgmSzN8xQ3nX1uxtdlTHYoPLu5AhHxWrKI6ocU=
+github.com/alecthomas/kingpin/v2 v2.3.2/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
+github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=
+github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cilium/ebpf v0.7.0 h1:1k/q3ATgxSXRdrmPfH8d7YK0GfqVsEKZAX9dQZvs56k=
+github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebPhedY=
+github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
+github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
+github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
+github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA=
+github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro=
+github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
+github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI=
+github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/opencontainers/runc v1.1.9 h1:XR0VIHTGce5eWPkaPesqTBrhW2yAcaraWfsEalNwQLM=
+github.com/opencontainers/runc v1.1.9/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
+github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/exporter-toolkit v0.10.0 h1:yOAzZTi4M22ZzVxD+fhy1URTuNRj/36uQJJ5S8IPza8=
+github.com/prometheus/exporter-toolkit v0.10.0/go.mod h1:+sVFzuvV5JDyw+Ih6p3zFxZNVnKQa3x5qPmDSiPu4ZY=
+github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
+github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 h1:RpforrEYXWkmGwJHIGnLZ3tTWStkjVVstwzNGqxX2Ds=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc=
+github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
+golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
+golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+toolman.org/net/peercred v0.6.1 h1:xAjw6yxNJRO2asnmqMPfbzOwKpb1wUJF3iKoTvqH0zk=
+toolman.org/net/peercred v0.6.1/go.mod h1:soGaSNwoDm9E75fpgElzOOMDapKLnrwWeDdMUKbsUmo=
diff --git a/internal/cgroup/cgroup.go b/internal/cgroup/cgroup.go
new file mode 100644
index 0000000..6d754e1
--- /dev/null
+++ b/internal/cgroup/cgroup.go
@@ -0,0 +1,60 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+package cgroup
+
+import (
+	"bytes"
+	"fmt"
+
+	"github.com/jasonyangshadow/apptheus/internal/cgroup/parser"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/manager"
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+const gateway = "metric_gateway"
+
+type CGroup struct {
+	cgroups.Manager
+}
+
+func NewCGroup(path string) (*CGroup, error) {
+	cg := &configs.Cgroup{Resources: &configs.Resources{}}
+	cg.Path = fmt.Sprintf("/%s/%s", gateway, path)
+	mgr, err := manager.New(cg)
+	if err != nil {
+		return nil, err
+	}
+	return &CGroup{Manager: mgr}, nil
+}
+
+func (c *CGroup) HasProcess() (bool, error) {
+	pids, err := c.GetPids()
+	return len(pids) != 0, err
+}
+
+func (c *CGroup) CreateStats() ([]parser.StatFunc, error) {
+	stat, err := c.Manager.GetStats()
+	if err != nil {
+		return nil, err
+	}
+
+	statManager := &parser.StatManager{Stats: stat}
+	statManager.WithCPU().WithMemory().WithMemorySwap().WithMemoryKernel().WithPid()
+	return statManager.All(), nil
+}
+
+func (c *CGroup) Marshal(buffer *bytes.Buffer) (*bytes.Buffer, error) {
+	stats, err := c.CreateStats()
+	if err != nil {
+		return nil, err
+	}
+
+	// write stats
+	for _, stat := range stats {
+		key, val := stat()
+		fmt.Fprintf(buffer, "%s %f\n", key, val)
+	}
+
+	return buffer, nil
+}
diff --git a/internal/cgroup/parser/parser.go b/internal/cgroup/parser/parser.go
new file mode 100644
index 0000000..dc8c978
--- /dev/null
+++ b/internal/cgroup/parser/parser.go
@@ -0,0 +1,75 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+
+package parser
+
+import (
+	"bytes"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+)
+
+type Marshal interface {
+	Marshal(*bytes.Buffer) (*bytes.Buffer, error)
+}
+
+type StatManager struct {
+	funcs []StatFunc
+	*cgroups.Stats
+}
+
+func (s *StatManager) add(fc StatFunc) {
+	s.funcs = append(s.funcs, fc)
+}
+
+func (s *StatManager) WithCPU() *StatManager {
+	s.add(func() (string, float64) {
+		return "cpu_usage", float64(s.CpuStats.CpuUsage.TotalUsage)
+	})
+	return s
+}
+
+func (s *StatManager) WithMemory() *StatManager {
+	s.add(func() (string, float64) {
+		return "memory_usage", float64(s.MemoryStats.Usage.Usage)
+	})
+	return s
+}
+
+func (s *StatManager) WithMemorySwap() *StatManager {
+	s.add(func() (string, float64) {
+		return "memory_swap_usage", float64(s.MemoryStats.SwapUsage.Usage)
+	})
+	return s
+}
+
+func (s *StatManager) WithMemoryKernel() *StatManager {
+	s.add(func() (string, float64) {
+		return "memory_kernel_usage", float64(s.MemoryStats.KernelUsage.Usage)
+	})
+	return s
+}
+
+func (s *StatManager) WithPid() *StatManager {
+	s.add(func() (string, float64) {
+		return "pid_usage", float64(s.PidsStats.Current)
+	})
+	return s
+}
+
+func (s *StatManager) All() []StatFunc {
+	return s.funcs
+}
+
+type StatFunc func() (string, float64)
+
+type Stat interface {
+	CreateStats() ([]StatFunc, error)
+}
+
+type ContainerInfo struct {
+	FullPath string
+	Pid      uint64
+	Exe      string
+	ID       string
+}
diff --git a/internal/monitor/instance.go b/internal/monitor/instance.go
new file mode 100644
index 0000000..be74be6
--- /dev/null
+++ b/internal/monitor/instance.go
@@ -0,0 +1,94 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+package monitor
+
+import (
+	"bytes"
+	"time"
+
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
+	"github.com/jasonyangshadow/apptheus/internal/cgroup"
+	"github.com/jasonyangshadow/apptheus/internal/cgroup/parser"
+	"github.com/jasonyangshadow/apptheus/internal/push"
+	"github.com/jasonyangshadow/apptheus/storage"
+)
+
+type Instance struct {
+	*cgroup.CGroup
+	ticker *time.Ticker
+
+	ErrCh chan error
+	Done  chan struct{}
+}
+
+func New(ticker *time.Ticker) *Instance {
+	ins := &Instance{}
+	ins.ticker = ticker
+	ins.ErrCh = make(chan error, 1)
+	ins.Done = make(chan struct{}, 1)
+	return ins
+}
+
+func (i *Instance) Start(container *parser.ContainerInfo, ms storage.MetricStore, logger log.Logger) {
+	defer i.ticker.Stop()
+
+	c, err := cgroup.NewCGroup(container.ID)
+	if err != nil {
+		level.Error(logger).Log("msg", "while validating cgroup info", "err", err, "container id", container.ID)
+		i.ErrCh <- err
+		return
+	}
+	i.CGroup = c
+
+	err = i.Apply(int(container.Pid))
+	if err != nil {
+		level.Error(logger).Log("msg", "while adding proc to cgroup info", "err", err, "container id", container.ID)
+		i.ErrCh <- err
+		return
+	}
+
+	defer i.Destroy()
+
+	var buffer bytes.Buffer
+	labels := make(map[string]string)
+	labels["job"] = container.ID
+
+	for range i.ticker.C {
+		ok, err := i.HasProcess()
+		if err != nil {
+			level.Error(logger).Log("msg", "while verifying if there are any processes inside current cgroup", "err", err, "container id", container.ID)
+			i.ErrCh <- err
+			return
+		}
+
+		// No processes left in the current cgroup
+		if !ok {
+			level.Info(logger).Log("msg", "no processes in current cgroup, exit", "container id", container.ID)
+			// also need to remove the related job metrics
+			ms.SubmitWriteRequest(storage.WriteRequest{
+				Labels:    labels,
+				Timestamp: time.Now(),
+			})
+			i.Done <- struct{}{}
+			return
+		}
+
+		buffer.Reset()
+		buffer, err := i.Marshal(&buffer)
+		if err != nil {
+			level.Error(logger).Log("msg", "while marshing the stat info", "err", err, "container id", container.ID)
+			i.ErrCh <- err
+			return
+		}
+		data := buffer.Bytes()
+
+		// send request to pushgate
+		err = push.Push(ms, data, labels)
+		if err != nil {
+			level.Error(logger).Log("msg", "while pushing data to pushgateway", "err", err, "container id", container.ID)
+			i.ErrCh <- err
+			return
+		}
+	}
+}
diff --git a/internal/network/wrapper.go b/internal/network/wrapper.go
new file mode 100644
index 0000000..d2b065e
--- /dev/null
+++ b/internal/network/wrapper.go
@@ -0,0 +1,135 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+package network
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
+	"github.com/jasonyangshadow/apptheus/internal/cgroup/parser"
+	"github.com/jasonyangshadow/apptheus/internal/monitor"
+	"github.com/jasonyangshadow/apptheus/storage"
+	"github.com/prometheus/exporter-toolkit/web"
+	"golang.org/x/sys/unix"
+	"toolman.org/net/peercred"
+)
+
+type ServerOption struct {
+	Server      *http.Server
+	WebConfig   *web.FlagConfig
+	MetricStore storage.MetricStore
+	Logger      log.Logger
+	SocketPath  string
+	TrustedPath string
+	Interval    *time.Ticker
+	ErrCh       chan error
+}
+
+type WrappedInstance struct {
+	*parser.ContainerInfo
+	*monitor.Instance
+	net.Conn
+	Err error
+}
+
+type WrappedListener struct {
+	*peercred.Listener
+	TrustedPath string
+	Option      *ServerOption
+	ErrCh       chan *WrappedInstance
+	DoneCh      chan *WrappedInstance
+}
+
+func (l *WrappedListener) Accept() (net.Conn, error) {
+	conn, err := l.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+
+	pid := conn.(*peercred.Conn).Ucred.Pid
+
+	dirfd, err := unix.Open(fmt.Sprintf("/proc/%d", pid), unix.O_DIRECTORY, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	pidfd, err := unix.PidfdOpen(int(pid), 0)
+	if err != nil {
+		if !errors.Is(err, errors.ErrUnsupported) {
+			return nil, err
+		}
+		level.Warn(l.Option.Logger).Log("alert", "host kernel does not support pidfd_open, silently ignored")
+	}
+
+	if err == nil {
+		if err = unix.PidfdSendSignal(pidfd, 0, nil, 0); err != nil {
+			return nil, err
+		}
+	}
+
+	buf := make([]byte, 4096)
+	n, err := unix.Readlinkat(dirfd, "exe", buf)
+	if err != nil {
+		return nil, err
+	}
+	link := string(buf[:n])
+
+	exe := filepath.Base(link)
+	verify := false
+	for _, path := range strings.Split(l.TrustedPath, ";") {
+		if strings.TrimSpace(link) == strings.TrimSpace(path) {
+			verify = true
+		}
+	}
+
+	if !verify {
+		if conn != nil {
+			conn.Close()
+		}
+		level.Error(l.Option.Logger).Log("msg", fmt.Sprintf("%s is not trusted, connection rejected", link))
+		return conn, nil
+	}
+
+	// container and monitor instance info
+	container := &parser.ContainerInfo{
+		FullPath: link,
+		Pid:      uint64(pid),
+		Exe:      exe,
+		ID:       fmt.Sprintf("%s_%d", exe, pid),
+	}
+	instance := monitor.New(l.Option.Interval)
+
+	// save the container info for further usage
+	wrappedInstance := &WrappedInstance{
+		ContainerInfo: container,
+		Instance:      instance,
+		Conn:          conn,
+	}
+
+	// fire monitor thread
+	go instance.Start(container, l.Option.MetricStore, l.Option.Logger)
+
+	// fire a goroutine to retrieve the error or done message
+	go func() {
+		select {
+		case err := <-instance.ErrCh:
+			wrappedInstance.Err = err
+			l.ErrCh <- wrappedInstance
+			return
+		case <-instance.Done:
+			l.DoneCh <- wrappedInstance
+			return
+		}
+	}()
+
+	level.Info(l.Option.Logger).Log("msg", "New connection established", "container id", container.ID, "container pid", container.Pid, "container full path", container.FullPath)
+
+	return conn, nil
+}
diff --git a/internal/push/push.go b/internal/push/push.go
new file mode 100644
index 0000000..fe3cade
--- /dev/null
+++ b/internal/push/push.go
@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+package push
+
+import (
+	"bytes"
+	"errors"
+	"time"
+
+	"github.com/jasonyangshadow/apptheus/storage"
+	"github.com/prometheus/common/expfmt"
+)
+
+func Push(ms storage.MetricStore, data []byte, labels map[string]string) error {
+	if _, ok := labels["job"]; !ok {
+		return errors.New("job should be set in labels")
+	}
+
+	var parser expfmt.TextParser
+	metricFamilies, err := parser.TextToMetricFamilies(bytes.NewReader(data))
+	if err != nil {
+		return err
+	}
+
+	errCh := make(chan error, 1)
+	ms.SubmitWriteRequest(storage.WriteRequest{
+		Labels:         labels,
+		Timestamp:      time.Now(),
+		MetricFamilies: metricFamilies,
+		Replace:        false,
+		Done:           errCh,
+	})
+
+	for err := range errCh {
+		return err
+	}
+	return nil
+}
diff --git a/internal/util/util.go b/internal/util/util.go
new file mode 100644
index 0000000..00dba9c
--- /dev/null
+++ b/internal/util/util.go
@@ -0,0 +1,16 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+package util
+
+import (
+	"os/user"
+)
+
+func IsRoot() (bool, error) {
+	u, err := user.Current()
+	if err != nil {
+		return false, err
+	}
+
+	return u.Username == "root", nil
+}
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..59108db
--- /dev/null
+++ b/main.go
@@ -0,0 +1,335 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2014 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"compress/gzip"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"os/signal"
+	"path"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/alecthomas/kingpin/v2"
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
+	"github.com/golang/snappy"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/prometheus/common/promlog"
+	"github.com/prometheus/common/route"
+	"github.com/prometheus/common/version"
+	"github.com/prometheus/exporter-toolkit/web"
+	webflag "github.com/prometheus/exporter-toolkit/web/kingpinflag"
+
+	dto "github.com/prometheus/client_model/go"
+	promlogflag "github.com/prometheus/common/promlog/flag"
+
+	"github.com/jasonyangshadow/apptheus/internal/network"
+	"github.com/jasonyangshadow/apptheus/internal/util"
+	"github.com/jasonyangshadow/apptheus/storage"
+	"toolman.org/net/peercred"
+)
+
+const (
+	VERSION = "0.1.0"
+)
+
+func init() {
+	prometheus.MustRegister(version.NewCollector("apptheus"))
+}
+
+// logFunc in an adaptor to plug gokit logging into promhttp.HandlerOpts.
+type logFunc func(...interface{}) error
+
+func (lf logFunc) Println(v ...interface{}) {
+	lf("msg", fmt.Sprintln(v...))
+}
+
+func main() {
+	var (
+		app                 = kingpin.New(filepath.Base(os.Args[0]), "The Apptheus")
+		webConfig           = webflag.AddFlags(app, ":9091")
+		metricsPath         = app.Flag("web.telemetry-path", "Path under which to expose metrics.").Default("/metrics").String()
+		externalURL         = app.Flag("web.external-url", "The URL under which the Apptheus is externally reachable.").Default("").URL()
+		routePrefix         = app.Flag("web.route-prefix", "Prefix for the internal routes of web endpoints. Defaults to the path of --web.external-url.").Default("").String()
+		persistenceFile     = app.Flag("persistence.file", "File to persist metrics. If empty, metrics are only kept in memory.").Default("").String()
+		persistenceInterval = app.Flag("persistence.interval", "The minimum interval at which to write out the persistence file.").Default("5m").Duration()
+		promlogConfig       = promlog.Config{}
+		socketPath          = app.Flag("socket.path", "Socket path for communication.").Default("/run/apptheus/gateway.sock").String()
+		trustedPath         = app.Flag("trust.path", "Multiple trusted apptainer starter paths, use ';' to separate multiple entries").Default("").String()
+		monitorInterval     = app.Flag("monitor.inverval", "The internval for sending system status.").Default("0.5s").Duration()
+	)
+	promlogflag.AddFlags(app, &promlogConfig)
+	version.Version = VERSION
+	app.Version(version.Print("apptheus"))
+	app.HelpFlag.Short('h')
+	kingpin.MustParse(app.Parse(os.Args[1:]))
+	logger := promlog.New(&promlogConfig)
+
+	*routePrefix = computeRoutePrefix(*routePrefix, *externalURL)
+	level.Info(logger).Log("msg", "starting apptheus", "version", version.Info())
+
+	// verify the caller is root or not
+	isRoot, err := util.IsRoot()
+	if err != nil {
+		level.Error(logger).Log("msg", "Could not verify the caller", "err", err)
+		os.Exit(-1)
+	}
+
+	if !isRoot {
+		level.Info(logger).Log("msg", "Please launch using root user", "version", version.Info())
+		os.Exit(-1)
+	}
+
+	// flags is used to show command line flags on the status page.
+	// Kingpin default flags are excluded as they would be confusing.
+	flags := map[string]string{}
+	boilerplateFlags := kingpin.New("", "").Version("")
+	for _, f := range app.Model().Flags {
+		if boilerplateFlags.GetFlag(f.Name) == nil {
+			flags[f.Name] = f.Value.String()
+		}
+	}
+
+	ms := storage.NewDiskMetricStore(*persistenceFile, *persistenceInterval, prometheus.DefaultGatherer, logger)
+
+	// Create a Gatherer combining the DefaultGatherer and the metrics from the metric store.
+	g := prometheus.Gatherers{
+		prometheus.DefaultGatherer,
+		prometheus.GathererFunc(func() ([]*dto.MetricFamily, error) { return ms.GetMetricFamilies(), nil }),
+	}
+
+	// server error channel
+	errCh := make(chan error, 2)
+
+	// verification server route
+	verifyRoute := route.New()
+	vmux := http.NewServeMux()
+	vmux.Handle("/", decodeRequest(verifyRoute))
+	verifyServer := &http.Server{Handler: vmux, ReadHeaderTimeout: time.Second}
+
+	// create necessary parent folder for socket path
+	parentFolder := path.Dir(*socketPath)
+	if _, err := os.Stat(parentFolder); os.IsNotExist(err) {
+		err := os.MkdirAll(parentFolder, 0o755)
+		if err != nil {
+			level.Error(logger).Log("msg", "Failed to create parent folder", "err", err)
+		}
+	}
+
+	verificationOption := &network.ServerOption{
+		Server:      verifyServer,
+		WebConfig:   webConfig,
+		MetricStore: ms,
+		Logger:      logger,
+		SocketPath:  *socketPath,
+		TrustedPath: *trustedPath,
+		Interval:    time.NewTicker(*monitorInterval),
+		ErrCh:       errCh,
+	}
+	go startVerificationServer(verificationOption)
+
+	// metrics server
+	metricsRoute := route.New()
+	mmux := http.NewServeMux()
+	metricsRoute.Get(
+		path.Join(*routePrefix, *metricsPath),
+		promhttp.HandlerFor(g, promhttp.HandlerOpts{
+			ErrorLog: logFunc(level.Error(logger).Log),
+		}).ServeHTTP,
+	)
+	mmux.Handle("/", decodeRequest(metricsRoute))
+	metricServer := &http.Server{Handler: mmux, ReadHeaderTimeout: time.Second}
+
+	metricOption := &network.ServerOption{
+		Server:      metricServer,
+		WebConfig:   webConfig,
+		MetricStore: ms,
+		Logger:      logger,
+		ErrCh:       errCh,
+	}
+	go startMetricsServer(metricOption)
+
+	err = shutdownServerOnQuit(*socketPath, []*network.ServerOption{verificationOption, metricOption}, ms, errCh, logger)
+	if err != nil {
+		level.Error(logger).Log("msg", "Failed to clean up the server", "err", err)
+	}
+}
+
+func decodeRequest(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close() // Make sure the underlying io.Reader is closed.
+		switch contentEncoding := r.Header.Get("Content-Encoding"); strings.ToLower(contentEncoding) {
+		case "gzip":
+			gr, err := gzip.NewReader(r.Body)
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusBadRequest)
+				return
+			}
+			defer gr.Close()
+			r.Body = gr
+		case "snappy":
+			r.Body = io.NopCloser(snappy.NewReader(r.Body))
+		default:
+			// Do nothing.
+		}
+
+		h.ServeHTTP(w, r)
+	})
+}
+
+// computeRoutePrefix returns the effective route prefix based on the
+// provided flag values for --web.route-prefix and
+// --web.external-url. With prefix empty, the path of externalURL is
+// used instead. A prefix "/" results in an empty returned prefix. Any
+// non-empty prefix is normalized to start, but not to end, with "/".
+func computeRoutePrefix(prefix string, externalURL *url.URL) string {
+	if prefix == "" {
+		prefix = externalURL.Path
+	}
+
+	if prefix == "/" {
+		prefix = ""
+	}
+
+	if prefix != "" {
+		prefix = "/" + strings.Trim(prefix, "/")
+	}
+
+	return prefix
+}
+
+// shutdownServerOnQuit shutdowns the provided server upon closing the provided
+// quitCh or upon receiving a SIGINT or SIGTERM.
+func shutdownServerOnQuit(socketPath string, options []*network.ServerOption, ms *storage.DiskMetricStore, errCh <-chan error, logger log.Logger) error {
+	notifier := make(chan os.Signal, 1)
+	signal.Notify(notifier, os.Interrupt, syscall.SIGTERM)
+
+	select {
+	case <-notifier:
+		level.Info(logger).Log("msg", "received SIGINT/SIGTERM; exiting gracefully...")
+		break
+	case err := <-errCh:
+		level.Warn(logger).Log("msg", "received error when launching server, exiting gracefully...", "err", err)
+		break
+	}
+
+	defer os.Remove(socketPath)
+
+	var retErr error
+	for _, option := range options {
+		err := option.Server.Shutdown(context.Background())
+		if err != nil {
+			level.Error(logger).Log("msg", "unable to shutdown the server", "err", err)
+			retErr = errors.Join(retErr, err)
+		}
+	}
+
+	err := ms.Shutdown()
+	if err != nil {
+		level.Error(logger).Log("msg", "unable to shutdown the storage service", "err", err)
+		retErr = errors.Join(retErr, err)
+	}
+	return retErr
+}
+
+// startVerificationServer starts a verification server listening the unix socket
+// it is also responsible for authentication via pid.
+func startVerificationServer(option *network.ServerOption) {
+	level.Info(option.Logger).Log("msg", "Start verification server")
+	unixListener, err := peercred.Listen(context.Background(), option.SocketPath)
+	if err != nil {
+		level.Error(option.Logger).Log("msg", "Could not create local unix socket", "err", err)
+		option.ErrCh <- err
+		return
+	}
+
+	// chmod socketPath
+	err = os.Chmod(option.SocketPath, 0o777)
+	if err != nil {
+		level.Error(option.Logger).Log("msg", "Could not chmod local unix socket", "err", err)
+		option.ErrCh <- err
+		return
+	}
+
+	listener := network.WrappedListener{
+		Listener:    unixListener,
+		TrustedPath: option.TrustedPath,
+		Option:      option,
+		ErrCh:       make(chan *network.WrappedInstance, 1),
+		DoneCh:      make(chan *network.WrappedInstance, 1),
+	}
+
+	quitCh := make(chan struct{}, 1)
+
+	go func() {
+		err = web.Serve(&listener, option.Server, option.WebConfig, option.Logger)
+		if err != nil {
+			if errors.Is(err, http.ErrServerClosed) {
+				level.Info(option.Logger).Log("msg", "Verification server stopped")
+			} else {
+				level.Error(option.Logger).Log("msg", "Verification server stopped with error", "err", err)
+				option.ErrCh <- err
+			}
+		}
+
+		quitCh <- struct{}{}
+	}()
+
+	for {
+		select {
+		case <-quitCh:
+			// stop all loop
+			return
+		case wrappedInstance := <-listener.ErrCh:
+			level.Error(option.Logger).Log("msg", "Container monitor instance receieved error", "container id", wrappedInstance.ContainerInfo.ID, "err", wrappedInstance.Err)
+			// server side closes the connection in case client side misses (in theory client will close the connection first)
+			if wrappedInstance.Conn != nil {
+				wrappedInstance.Conn.Close()
+			}
+		case wrappedInstance := <-listener.DoneCh:
+			level.Info(option.Logger).Log("msg", "Container monitor instance completed, will close the connection", "container id", wrappedInstance.ContainerInfo.ID)
+			// server side closes the connection in case client side misses (in theory client will close the connection first)
+			if wrappedInstance.Conn != nil {
+				wrappedInstance.Conn.Close()
+			}
+		}
+	}
+}
+
+// startMetricsServer starts the `/metrics` endpoints, exposing metrics
+func startMetricsServer(option *network.ServerOption) {
+	level.Info(option.Logger).Log("msg", "Start metrics server")
+	err := web.ListenAndServe(option.Server, option.WebConfig, option.Logger)
+	if err != nil {
+		if errors.Is(err, http.ErrServerClosed) {
+			level.Info(option.Logger).Log("msg", "Metrics server stopped")
+		} else {
+			level.Error(option.Logger).Log("msg", "Metrics server stopped", "err", err)
+			option.ErrCh <- err
+		}
+	}
+}
diff --git a/storage/diskmetricstore.go b/storage/diskmetricstore.go
new file mode 100644
index 0000000..9b1abb7
--- /dev/null
+++ b/storage/diskmetricstore.go
@@ -0,0 +1,609 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2014 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package storage
+
+import (
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
+
+	//nolint:staticcheck // Ignore SA1019. Dependencies use the deprecated package, so we have to, too.
+	"github.com/golang/protobuf/proto"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/common/model"
+
+	dto "github.com/prometheus/client_model/go"
+)
+
+const (
+	pushMetricName       = "push_time_seconds"
+	pushMetricHelp       = "Last Unix time when changing this group in the Pushgateway succeeded."
+	pushFailedMetricName = "push_failure_time_seconds"
+	pushFailedMetricHelp = "Last Unix time when changing this group in the Pushgateway failed."
+	writeQueueCapacity   = 1000
+)
+
+var errTimestamp = errors.New("pushed metrics must not have timestamps")
+
+// DiskMetricStore is an implementation of MetricStore that persists metrics to
+// disk.
+type DiskMetricStore struct {
+	lock            sync.RWMutex // Protects metricFamilies.
+	writeQueue      chan WriteRequest
+	drain           chan struct{}
+	done            chan error
+	metricGroups    GroupingKeyToMetricGroup
+	persistenceFile string
+	predefinedHelp  map[string]string
+	logger          log.Logger
+}
+
+type mfStat struct {
+	pos    int  // Where in the result slice is the MetricFamily?
+	copied bool // Has the MetricFamily already been copied?
+}
+
+// NewDiskMetricStore returns a DiskMetricStore ready to use. To cleanly shut it
+// down and free resources, the Shutdown() method has to be called.
+//
+// If persistenceFile is the empty string, no persisting to disk will
+// happen. Otherwise, a file of that name is used for persisting metrics to
+// disk. If the file already exists, metrics are read from it as part of the
+// start-up. Persisting is happening upon shutdown and after every write action,
+// but the latter will only happen persistenceDuration after the previous
+// persisting.
+//
+// If a non-nil Gatherer is provided, the help strings of metrics gathered by it
+// will be used as standard. Pushed metrics with deviating help strings will be
+// adjusted to avoid inconsistent expositions.
+func NewDiskMetricStore(
+	persistenceFile string,
+	persistenceInterval time.Duration,
+	gatherPredefinedHelpFrom prometheus.Gatherer,
+	logger log.Logger,
+) *DiskMetricStore {
+	// TODO: Do that outside of the constructor to allow the HTTP server to
+	//  serve /-/healthy and /-/ready earlier.
+	dms := &DiskMetricStore{
+		writeQueue:      make(chan WriteRequest, writeQueueCapacity),
+		drain:           make(chan struct{}),
+		done:            make(chan error),
+		metricGroups:    GroupingKeyToMetricGroup{},
+		persistenceFile: persistenceFile,
+		logger:          logger,
+	}
+	if err := dms.restore(); err != nil {
+		level.Error(logger).Log("msg", "could not load persisted metrics", "err", err)
+	}
+	if helpStrings, err := extractPredefinedHelpStrings(gatherPredefinedHelpFrom); err == nil {
+		dms.predefinedHelp = helpStrings
+	} else {
+		level.Error(logger).Log("msg", "could not gather metrics for predefined help strings", "err", err)
+	}
+
+	go dms.loop(persistenceInterval)
+	return dms
+}
+
+// SubmitWriteRequest implements the MetricStore interface.
+func (dms *DiskMetricStore) SubmitWriteRequest(req WriteRequest) {
+	dms.writeQueue <- req
+}
+
+// Shutdown implements the MetricStore interface.
+func (dms *DiskMetricStore) Shutdown() error {
+	close(dms.drain)
+	return <-dms.done
+}
+
+// Healthy implements the MetricStore interface.
+func (dms *DiskMetricStore) Healthy() error {
+	// By taking the lock we check that there is no deadlock.
+	dms.lock.Lock()
+	defer dms.lock.Unlock()
+
+	// A pushgateway that cannot be written to should not be
+	// considered as healthy.
+	if len(dms.writeQueue) == cap(dms.writeQueue) {
+		return fmt.Errorf("write queue is full")
+	}
+
+	return nil
+}
+
+// Ready implements the MetricStore interface.
+func (dms *DiskMetricStore) Ready() error {
+	return dms.Healthy()
+}
+
+// GetMetricFamilies implements the MetricStore interface.
+func (dms *DiskMetricStore) GetMetricFamilies() []*dto.MetricFamily {
+	dms.lock.RLock()
+	defer dms.lock.RUnlock()
+
+	result := []*dto.MetricFamily{}
+	mfStatByName := map[string]mfStat{}
+
+	for _, group := range dms.metricGroups {
+		for name, tmf := range group.Metrics {
+			mf := tmf.GetMetricFamily()
+			if mf == nil {
+				level.Warn(dms.logger).Log("msg", "storage corruption detected, consider wiping the persistence file")
+				continue
+			}
+			stat, exists := mfStatByName[name]
+			if exists {
+				existingMF := result[stat.pos]
+				if !stat.copied {
+					mfStatByName[name] = mfStat{
+						pos:    stat.pos,
+						copied: true,
+					}
+					existingMF = copyMetricFamily(existingMF)
+					result[stat.pos] = existingMF
+				}
+				if mf.GetHelp() != existingMF.GetHelp() {
+					level.Info(dms.logger).Log("msg", "metric families inconsistent help strings", "err", "Metric families have inconsistent help strings. The latter will have priority. This is bad. Fix your pushed metrics!", "new", mf, "old", existingMF)
+				}
+				// Type inconsistency cannot be fixed here. We will detect it during
+				// gathering anyway, so no reason to log anything here.
+				existingMF.Metric = append(existingMF.Metric, mf.Metric...)
+			} else {
+				copied := false
+				if help, ok := dms.predefinedHelp[name]; ok && mf.GetHelp() != help {
+					level.Info(dms.logger).Log("msg", "metric families overlap", "err", "Metric family has the same name as a metric family used by the Pushgateway itself but it has a different help string. Changing it to the standard help string. This is bad. Fix your pushed metrics!", "metric_family", mf, "standard_help", help)
+					mf = copyMetricFamily(mf)
+					copied = true
+					mf.Help = proto.String(help)
+				}
+				mfStatByName[name] = mfStat{
+					pos:    len(result),
+					copied: copied,
+				}
+				result = append(result, mf)
+			}
+		}
+	}
+	return result
+}
+
+// GetMetricFamiliesMap implements the MetricStore interface.
+func (dms *DiskMetricStore) GetMetricFamiliesMap() GroupingKeyToMetricGroup {
+	dms.lock.RLock()
+	defer dms.lock.RUnlock()
+	groupsCopy := make(GroupingKeyToMetricGroup, len(dms.metricGroups))
+	for k, g := range dms.metricGroups {
+		metricsCopy := make(NameToTimestampedMetricFamilyMap, len(g.Metrics))
+		groupsCopy[k] = MetricGroup{Labels: g.Labels, Metrics: metricsCopy}
+		for n, tmf := range g.Metrics {
+			metricsCopy[n] = tmf
+		}
+	}
+	return groupsCopy
+}
+
+func (dms *DiskMetricStore) loop(persistenceInterval time.Duration) {
+	lastPersist := time.Now()
+	persistScheduled := false
+	lastWrite := time.Time{}
+	persistDone := make(chan time.Time)
+	var persistTimer *time.Timer
+
+	checkPersist := func() {
+		if dms.persistenceFile != "" && !persistScheduled && lastWrite.After(lastPersist) {
+			persistTimer = time.AfterFunc(
+				persistenceInterval-lastWrite.Sub(lastPersist),
+				func() {
+					persistStarted := time.Now()
+					if err := dms.persist(); err != nil {
+						level.Error(dms.logger).Log("msg", "error persisting metrics", "err", err)
+					} else {
+						level.Info(dms.logger).Log("msg", "metrics persisted", "file", dms.persistenceFile)
+					}
+					persistDone <- persistStarted
+				},
+			)
+			persistScheduled = true
+		}
+	}
+
+	for {
+		select {
+		case wr := <-dms.writeQueue:
+			lastWrite = time.Now()
+			if dms.checkWriteRequest(wr) {
+				dms.processWriteRequest(wr)
+			} else {
+				dms.setPushFailedTimestamp(wr)
+			}
+			if wr.Done != nil {
+				close(wr.Done)
+			}
+			checkPersist()
+		case lastPersist = <-persistDone:
+			persistScheduled = false
+			checkPersist() // In case something has been written in the meantime.
+		case <-dms.drain:
+			// Prevent a scheduled persist from firing later.
+			if persistTimer != nil {
+				persistTimer.Stop()
+			}
+			// Now draining...
+			for {
+				select {
+				case wr := <-dms.writeQueue:
+					if dms.checkWriteRequest(wr) {
+						dms.processWriteRequest(wr)
+					} else {
+						dms.setPushFailedTimestamp(wr)
+					}
+				default:
+					dms.done <- dms.persist()
+					return
+				}
+			}
+		}
+	}
+}
+
+func (dms *DiskMetricStore) processWriteRequest(wr WriteRequest) {
+	dms.lock.Lock()
+	defer dms.lock.Unlock()
+
+	key := groupingKeyFor(wr.Labels)
+
+	if wr.MetricFamilies == nil {
+		// No MetricFamilies means delete request. Delete the whole
+		// metric group, and we are done here.
+		delete(dms.metricGroups, key)
+		return
+	}
+	// Otherwise, it's an update.
+	group, ok := dms.metricGroups[key]
+	if !ok {
+		group = MetricGroup{
+			Labels:  wr.Labels,
+			Metrics: NameToTimestampedMetricFamilyMap{},
+		}
+		dms.metricGroups[key] = group
+	} else if wr.Replace {
+		// For replace, we have to delete all metric families in the
+		// group except pre-existing push timestamps.
+		for name := range group.Metrics {
+			if name != pushMetricName && name != pushFailedMetricName {
+				delete(group.Metrics, name)
+			}
+		}
+	}
+	wr.MetricFamilies[pushMetricName] = newPushTimestampGauge(wr.Labels, wr.Timestamp)
+	// Only add a zero push-failed metric if none is there yet, so that a
+	// previously added fail timestamp is retained.
+	if _, ok := group.Metrics[pushFailedMetricName]; !ok {
+		wr.MetricFamilies[pushFailedMetricName] = newPushFailedTimestampGauge(wr.Labels, time.Time{})
+	}
+	for name, mf := range wr.MetricFamilies {
+		group.Metrics[name] = TimestampedMetricFamily{
+			Timestamp:            wr.Timestamp,
+			GobbableMetricFamily: (*GobbableMetricFamily)(mf),
+		}
+	}
+}
+
+func (dms *DiskMetricStore) setPushFailedTimestamp(wr WriteRequest) {
+	dms.lock.Lock()
+	defer dms.lock.Unlock()
+
+	key := groupingKeyFor(wr.Labels)
+
+	group, ok := dms.metricGroups[key]
+	if !ok {
+		group = MetricGroup{
+			Labels:  wr.Labels,
+			Metrics: NameToTimestampedMetricFamilyMap{},
+		}
+		dms.metricGroups[key] = group
+	}
+
+	group.Metrics[pushFailedMetricName] = TimestampedMetricFamily{
+		Timestamp:            wr.Timestamp,
+		GobbableMetricFamily: (*GobbableMetricFamily)(newPushFailedTimestampGauge(wr.Labels, wr.Timestamp)),
+	}
+	// Only add a zero push metric if none is there yet, so that a
+	// previously added push timestamp is retained.
+	if _, ok := group.Metrics[pushMetricName]; !ok {
+		group.Metrics[pushMetricName] = TimestampedMetricFamily{
+			Timestamp:            wr.Timestamp,
+			GobbableMetricFamily: (*GobbableMetricFamily)(newPushTimestampGauge(wr.Labels, time.Time{})),
+		}
+	}
+}
+
+// checkWriteRequest return if applying the provided WriteRequest will result in
+// a consistent state of metrics. The dms is not modified by the check. However,
+// the WriteRequest _will_ be sanitized: the MetricFamilies are ensured to
+// contain the grouping Labels after the check. If false is returned, the
+// causing error is written to the Done channel of the WriteRequest.
+//
+// Special case: If the WriteRequest has no Done channel set, the (expensive)
+// consistency check is skipped. The WriteRequest is still sanitized, and the
+// presence of timestamps still results in returning false.
+func (dms *DiskMetricStore) checkWriteRequest(wr WriteRequest) bool {
+	if wr.MetricFamilies == nil {
+		// Delete request cannot create inconsistencies, and nothing has
+		// to be sanitized.
+		return true
+	}
+
+	var err error
+	defer func() {
+		if err != nil && wr.Done != nil {
+			wr.Done <- err
+		}
+	}()
+
+	if timestampsPresent(wr.MetricFamilies) {
+		err = errTimestamp
+		return false
+	}
+	for _, mf := range wr.MetricFamilies {
+		sanitizeLabels(mf, wr.Labels)
+	}
+
+	// Without Done channel, don't do the expensive consistency check.
+	if wr.Done == nil {
+		return true
+	}
+
+	// Construct a test dms, acting on a copy of the metrics, to test the
+	// WriteRequest with.
+	tdms := &DiskMetricStore{
+		metricGroups:   dms.GetMetricFamiliesMap(),
+		predefinedHelp: dms.predefinedHelp,
+		logger:         log.NewNopLogger(),
+	}
+	tdms.processWriteRequest(wr)
+
+	// Construct a test Gatherer to check if consistent gathering is possible.
+	tg := prometheus.Gatherers{
+		prometheus.DefaultGatherer,
+		prometheus.GathererFunc(func() ([]*dto.MetricFamily, error) {
+			return tdms.GetMetricFamilies(), nil
+		}),
+	}
+	if _, err = tg.Gather(); err != nil {
+		return false
+	}
+	return true
+}
+
+func (dms *DiskMetricStore) persist() error {
+	// Check (again) if persistence is configured because some code paths
+	// will call this method even if it is not.
+	if dms.persistenceFile == "" {
+		return nil
+	}
+	f, err := os.CreateTemp(
+		path.Dir(dms.persistenceFile),
+		path.Base(dms.persistenceFile)+".in_progress.",
+	)
+	if err != nil {
+		return err
+	}
+	inProgressFileName := f.Name()
+	e := gob.NewEncoder(f)
+
+	dms.lock.RLock()
+	err = e.Encode(dms.metricGroups)
+	dms.lock.RUnlock()
+	if err != nil {
+		f.Close()
+		os.Remove(inProgressFileName)
+		return err
+	}
+	if err := f.Close(); err != nil {
+		os.Remove(inProgressFileName)
+		return err
+	}
+	return os.Rename(inProgressFileName, dms.persistenceFile)
+}
+
+func (dms *DiskMetricStore) restore() error {
+	if dms.persistenceFile == "" {
+		return nil
+	}
+	f, err := os.Open(dms.persistenceFile)
+	if os.IsNotExist(err) {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	d := gob.NewDecoder(f)
+
+	return d.Decode(&dms.metricGroups)
+}
+
+func copyMetricFamily(mf *dto.MetricFamily) *dto.MetricFamily {
+	return &dto.MetricFamily{
+		Name:   mf.Name,
+		Help:   mf.Help,
+		Type:   mf.Type,
+		Metric: append([]*dto.Metric{}, mf.Metric...),
+	}
+}
+
+// groupingKeyFor creates a grouping key from the provided map of grouping
+// labels. The grouping key is created by joining all label names and values
+// together with model.SeparatorByte as a separator. The label names are sorted
+// lexicographically before joining. In that way, the grouping key is both
+// reproducible and unique.
+func groupingKeyFor(labels map[string]string) string {
+	if len(labels) == 0 { // Super fast path.
+		return ""
+	}
+
+	labelNames := make([]string, 0, len(labels))
+	for labelName := range labels {
+		labelNames = append(labelNames, labelName)
+	}
+	sort.Strings(labelNames)
+
+	sb := strings.Builder{}
+	for i, labelName := range labelNames {
+		sb.WriteString(labelName)
+		sb.WriteByte(model.SeparatorByte)
+		sb.WriteString(labels[labelName])
+		if i+1 < len(labels) { // No separator at the end.
+			sb.WriteByte(model.SeparatorByte)
+		}
+	}
+	return sb.String()
+}
+
+// extractPredefinedHelpStrings extracts all the HELP strings from the provided
+// gatherer so that the DiskMetricStore can fix deviations in pushed metrics.
+func extractPredefinedHelpStrings(g prometheus.Gatherer) (map[string]string, error) {
+	if g == nil {
+		return nil, nil
+	}
+	mfs, err := g.Gather()
+	if err != nil {
+		return nil, err
+	}
+	result := map[string]string{}
+	for _, mf := range mfs {
+		result[mf.GetName()] = mf.GetHelp()
+	}
+	return result, nil
+}
+
+func newPushTimestampGauge(groupingLabels map[string]string, t time.Time) *dto.MetricFamily {
+	return newTimestampGauge(pushMetricName, pushMetricHelp, groupingLabels, t)
+}
+
+func newPushFailedTimestampGauge(groupingLabels map[string]string, t time.Time) *dto.MetricFamily {
+	return newTimestampGauge(pushFailedMetricName, pushFailedMetricHelp, groupingLabels, t)
+}
+
+func newTimestampGauge(name, help string, groupingLabels map[string]string, t time.Time) *dto.MetricFamily {
+	var ts float64
+	if !t.IsZero() {
+		ts = float64(t.UnixNano()) / 1e9
+	}
+	mf := &dto.MetricFamily{
+		Name: proto.String(name),
+		Help: proto.String(help),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(ts),
+				},
+			},
+		},
+	}
+	sanitizeLabels(mf, groupingLabels)
+	return mf
+}
+
+// sanitizeLabels ensures that all the labels in groupingLabels and the
+// `instance` label are present in the MetricFamily. The label values from
+// groupingLabels are set in each Metric, no matter what. After that, if the
+// 'instance' label is not present at all in a Metric, it will be created (with
+// an empty string as value).
+//
+// Finally, sanitizeLabels sorts the label pairs of all metrics.
+func sanitizeLabels(mf *dto.MetricFamily, groupingLabels map[string]string) {
+	gLabelsNotYetDone := make(map[string]string, len(groupingLabels))
+
+metric:
+	for _, m := range mf.GetMetric() {
+		for ln, lv := range groupingLabels {
+			gLabelsNotYetDone[ln] = lv
+		}
+		hasInstanceLabel := false
+		for _, lp := range m.GetLabel() {
+			ln := lp.GetName()
+			if lv, ok := gLabelsNotYetDone[ln]; ok {
+				lp.Value = proto.String(lv)
+				delete(gLabelsNotYetDone, ln)
+			}
+			if ln == string(model.InstanceLabel) {
+				hasInstanceLabel = true
+			}
+			if len(gLabelsNotYetDone) == 0 && hasInstanceLabel {
+				sort.Sort(labelPairs(m.Label))
+				continue metric
+			}
+		}
+		for ln, lv := range gLabelsNotYetDone {
+			m.Label = append(m.Label, &dto.LabelPair{
+				Name:  proto.String(ln),
+				Value: proto.String(lv),
+			})
+			if ln == string(model.InstanceLabel) {
+				hasInstanceLabel = true
+			}
+			delete(gLabelsNotYetDone, ln) // To prepare map for next metric.
+		}
+		if !hasInstanceLabel {
+			m.Label = append(m.Label, &dto.LabelPair{
+				Name:  proto.String(string(model.InstanceLabel)),
+				Value: proto.String(""),
+			})
+		}
+		sort.Sort(labelPairs(m.Label))
+	}
+}
+
+// Checks if any timestamps have been specified.
+func timestampsPresent(metricFamilies map[string]*dto.MetricFamily) bool {
+	for _, mf := range metricFamilies {
+		for _, m := range mf.GetMetric() {
+			if m.TimestampMs != nil {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// labelPairs implements sort.Interface. It provides a sortable version of a
+// slice of dto.LabelPair pointers.
+type labelPairs []*dto.LabelPair
+
+func (s labelPairs) Len() int {
+	return len(s)
+}
+
+func (s labelPairs) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func (s labelPairs) Less(i, j int) bool {
+	return s[i].GetName() < s[j].GetName()
+}
diff --git a/storage/diskmetricstore_test.go b/storage/diskmetricstore_test.go
new file mode 100644
index 0000000..40d1478
--- /dev/null
+++ b/storage/diskmetricstore_test.go
@@ -0,0 +1,1571 @@
+// SPDX-FileCopyrightText: Copyright (c) 2023, CIQ, Inc. All rights reserved
+// SPDX-License-Identifier: Apache-2.0
+
+// Copyright 2014 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//nolint:testpackage
+package storage
+
+import (
+	"errors"
+	"fmt"
+	"math"
+	"os"
+	"path"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/go-kit/log"
+	//nolint:staticcheck // Ignore SA1019. Dependencies use the deprecated package, so we have to, too.
+	"github.com/golang/protobuf/proto"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/common/model"
+
+	dto "github.com/prometheus/client_model/go"
+
+	"github.com/jasonyangshadow/apptheus/testutil"
+)
+
+var (
+	logger = log.NewNopLogger()
+	// Example metric families. Keep labels sorted lexicographically!
+	mf1a = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(-3e3),
+				},
+			},
+		},
+	}
+	mf1b = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+	mf1c = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance1"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job2"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+	mf1d = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job3"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+	mf1e = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+	// mf1acd is merged from mf1a, mf1c, mf1d.
+	mf1acd = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(-3e3),
+				},
+			},
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance1"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job2"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job3"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+	// mf1be is merged from mf1b and mf1e, with added empty instance label for mf1e.
+	mf1be = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+	// mf1ts is mf1a with a timestamp set.
+	mf1ts = &dto.MetricFamily{
+		Name: proto.String("mf1"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(-3e3),
+				},
+				TimestampMs: proto.Int64(103948),
+			},
+		},
+	}
+	mf2 = &dto.MetricFamily{
+		Name: proto.String("mf2"),
+		Help: proto.String("doc string 2"),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("basename"),
+						Value: proto.String("basevalue2"),
+					},
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+					{
+						Name:  proto.String("labelname"),
+						Value: proto.String("val2"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(math.Inf(+1)),
+				},
+			},
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+					{
+						Name:  proto.String("labelname"),
+						Value: proto.String("val1"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(math.Inf(-1)),
+				},
+			},
+		},
+	}
+	mf3 = &dto.MetricFamily{
+		Name: proto.String("mf3"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance1"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+	mf4 = &dto.MetricFamily{
+		Name: proto.String("mf4"),
+		Type: dto.MetricType_UNTYPED.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance2"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job3"),
+					},
+				},
+				Untyped: &dto.Untyped{
+					Value: proto.Float64(3.4345),
+				},
+			},
+		},
+	}
+	mf5 = &dto.MetricFamily{
+		Name: proto.String("mf5"),
+		Type: dto.MetricType_SUMMARY.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String("instance5"),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job5"),
+					},
+				},
+				Summary: &dto.Summary{
+					SampleCount: proto.Uint64(0),
+					SampleSum:   proto.Float64(0),
+				},
+			},
+		},
+	}
+	mfh1 = &dto.MetricFamily{
+		Name: proto.String("mf_help"),
+		Help: proto.String("Help string for mfh1."),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(3948.838),
+				},
+			},
+		},
+	}
+	mfh2 = &dto.MetricFamily{
+		Name: proto.String("mf_help"),
+		Help: proto.String("Help string for mfh2."),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job2"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(83),
+				},
+			},
+		},
+	}
+	// Both mfh metrics with mfh1's help string.
+	mfh12 = &dto.MetricFamily{
+		Name: proto.String("mf_help"),
+		Help: proto.String("Help string for mfh1."),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(3948.838),
+				},
+			},
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job2"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(83),
+				},
+			},
+		},
+	}
+	// Both mfh metrics with mfh2's help string.
+	mfh21 = &dto.MetricFamily{
+		Name: proto.String("mf_help"),
+		Help: proto.String("Help string for mfh2."),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(3948.838),
+				},
+			},
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job2"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(83),
+				},
+			},
+		},
+	}
+	// mfgg is the usual go_goroutines gauge but with a different help text.
+	mfgg = &dto.MetricFamily{
+		Name: proto.String("go_goroutines"),
+		Help: proto.String("Inconsistent doc string, fixed version in mfggFixed."),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(5),
+				},
+			},
+		},
+	}
+	// mfgc is the usual go_goroutines metric but mistyped as counter.
+	mfgc = &dto.MetricFamily{
+		Name: proto.String("go_goroutines"),
+		Help: proto.String("Number of goroutines that currently exist."),
+		Type: dto.MetricType_COUNTER.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Counter: &dto.Counter{
+					Value: proto.Float64(5),
+				},
+			},
+		},
+	}
+	mfggFixed = &dto.MetricFamily{
+		Name: proto.String("go_goroutines"),
+		Help: proto.String("Number of goroutines that currently exist."),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{
+					{
+						Name:  proto.String("instance"),
+						Value: proto.String(""),
+					},
+					{
+						Name:  proto.String("job"),
+						Value: proto.String("job1"),
+					},
+				},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(5),
+				},
+			},
+		},
+	}
+	mfUnlabelled = &dto.MetricFamily{
+		Name: proto.String("mf_unlabelled"),
+		Help: proto.String("Metric with no labels to check sanitizeLabels."),
+		Type: dto.MetricType_GAUGE.Enum(),
+		Metric: []*dto.Metric{
+			{
+				Label: []*dto.LabelPair{},
+				Gauge: &dto.Gauge{
+					Value: proto.Float64(42),
+				},
+			},
+		},
+	}
+)
+
+func addGroup(
+	mg GroupingKeyToMetricGroup,
+	groupingLabels map[string]string,
+	metrics NameToTimestampedMetricFamilyMap,
+) {
+	mg[groupingKeyFor(groupingLabels)] = MetricGroup{
+		Labels:  groupingLabels,
+		Metrics: metrics,
+	}
+}
+
+func TestGetMetricFamilies(t *testing.T) {
+	testTime := time.Now()
+
+	mg := GroupingKeyToMetricGroup{}
+	addGroup(
+		mg,
+		map[string]string{
+			"job":      "job1",
+			"instance": "instance1",
+		},
+		NameToTimestampedMetricFamilyMap{
+			"mf2": TimestampedMetricFamily{
+				Timestamp:            testTime,
+				GobbableMetricFamily: (*GobbableMetricFamily)(mf2),
+			},
+		},
+	)
+	addGroup(
+		mg,
+		map[string]string{
+			"job":      "job1",
+			"instance": "instance2",
+		},
+		NameToTimestampedMetricFamilyMap{
+			"mf1": TimestampedMetricFamily{
+				Timestamp:            testTime,
+				GobbableMetricFamily: (*GobbableMetricFamily)(mf1a),
+			},
+			"mf3": TimestampedMetricFamily{
+				Timestamp:            testTime,
+				GobbableMetricFamily: (*GobbableMetricFamily)(mf3),
+			},
+		},
+	)
+	addGroup(
+		mg,
+		map[string]string{
+			"job":      "job2",
+			"instance": "instance1",
+		},
+		NameToTimestampedMetricFamilyMap{
+			"mf1": TimestampedMetricFamily{
+				Timestamp:            testTime,
+				GobbableMetricFamily: (*GobbableMetricFamily)(mf1c),
+			},
+		},
+	)
+	addGroup(
+		mg,
+		map[string]string{
+			"job":      "job3",
+			"instance": "instance1",
+		},
+		NameToTimestampedMetricFamilyMap{},
+	)
+	addGroup(
+		mg,
+		map[string]string{
+			"job":      "job3",
+			"instance": "instance2",
+		},
+		NameToTimestampedMetricFamilyMap{
+			"mf4": TimestampedMetricFamily{
+				Timestamp:            testTime,
+				GobbableMetricFamily: (*GobbableMetricFamily)(mf4),
+			},
+			"mf1": TimestampedMetricFamily{
+				Timestamp:            testTime,
+				GobbableMetricFamily: (*GobbableMetricFamily)(mf1d),
+			},
+		},
+	)
+	addGroup(
+		mg,
+		map[string]string{
+			"job": "job4",
+		},
+		NameToTimestampedMetricFamilyMap{},
+	)
+
+	dms := &DiskMetricStore{metricGroups: mg}
+
+	if err := checkMetricFamilies(dms, mf1acd, mf2, mf3, mf4); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestAddDeletePersistRestore(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "diskmetricstore.TestAddDeletePersistRestore.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tempDir)
+	fileName := path.Join(tempDir, "persistence")
+	dms := NewDiskMetricStore(fileName, 100*time.Millisecond, nil, logger)
+
+	// Submit a single simple metric family.
+	ts1 := time.Now()
+	grouping1 := map[string]string{
+		"job":      "job1",
+		"instance": "instance1",
+	}
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts1,
+		MetricFamilies: testutil.MetricFamiliesMap(mf3),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp := newPushTimestampGauge(grouping1, ts1)
+	pushFailedTimestamp := newPushFailedTimestampGauge(grouping1, time.Time{})
+	if err := checkMetricFamilies(
+		dms, mf3,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Submit two metric families for a different instance.
+	ts2 := ts1.Add(time.Second)
+	grouping2 := map[string]string{
+		"job":      "job1",
+		"instance": "instance2",
+	}
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping2,
+		Timestamp:      ts2,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1b, mf2),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp.Metric = append(
+		pushTimestamp.Metric, newPushTimestampGauge(grouping2, ts2).Metric[0],
+	)
+	pushFailedTimestamp.Metric = append(
+		pushFailedTimestamp.Metric, newPushFailedTimestampGauge(grouping2, time.Time{}).Metric[0],
+	)
+	if err := checkMetricFamilies(
+		dms, mf1b, mf2, mf3,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	// Submit a metric family with the same name for the same job/instance again.
+	// Should overwrite the previous metric family for the same job/instance
+	ts3 := ts2.Add(time.Second)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping2,
+		Timestamp:      ts3,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1a),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp.Metric[1] = newPushTimestampGauge(grouping2, ts3).Metric[0]
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2, mf3,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Add a new group by job, with a summary without any observations yet.
+	ts4 := ts3.Add(time.Second)
+	grouping4 := map[string]string{
+		"job": "job5",
+	}
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping4,
+		Timestamp:      ts4,
+		MetricFamilies: testutil.MetricFamiliesMap(mf5),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp.Metric = append(
+		pushTimestamp.Metric, newPushTimestampGauge(grouping4, ts4).Metric[0],
+	)
+	pushFailedTimestamp.Metric = append(
+		pushFailedTimestamp.Metric, newPushFailedTimestampGauge(grouping4, time.Time{}).Metric[0],
+	)
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2, mf3, mf5,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Shutdown the dms.
+	if err := dms.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+
+	// Load it again.
+	dms = NewDiskMetricStore(fileName, 100*time.Millisecond, nil, logger)
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2, mf3, mf5,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+	// Spot-check timestamp.
+	tmf := dms.metricGroups[groupingKeyFor(map[string]string{
+		"job":      "job1",
+		"instance": "instance2",
+	})].Metrics["mf1"]
+	if expected, got := ts3, tmf.Timestamp; !expected.Equal(got) {
+		t.Errorf("Expected timestamp %v, got %v.", expected, got)
+	}
+
+	// Delete two groups.
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels: map[string]string{
+			"job":      "job1",
+			"instance": "instance1",
+		},
+	})
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels: map[string]string{
+			"job": "job5",
+		},
+		Done: errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp = newPushTimestampGauge(grouping2, ts3)
+	pushFailedTimestamp = newPushFailedTimestampGauge(grouping2, time.Time{})
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Submit another one.
+	ts5 := ts4.Add(time.Second)
+	grouping5 := map[string]string{
+		"job":      "job3",
+		"instance": "instance2",
+	}
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping5,
+		Timestamp:      ts5,
+		MetricFamilies: testutil.MetricFamiliesMap(mf4),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp.Metric = append(
+		pushTimestamp.Metric, newPushTimestampGauge(grouping5, ts5).Metric[0],
+	)
+	pushFailedTimestamp.Metric = append(
+		pushFailedTimestamp.Metric, newPushFailedTimestampGauge(grouping5, time.Time{}).Metric[0],
+	)
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2, mf4,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Delete a job does not remove anything because there is no suitable
+	// grouping.
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels: map[string]string{
+			"job": "job1",
+		},
+		Done: errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2, mf4,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Delete another group.
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels: grouping5,
+		Done:   errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp = newPushTimestampGauge(grouping2, ts3)
+	pushFailedTimestamp = newPushFailedTimestampGauge(grouping2, time.Time{})
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+	// Check that no empty map entry for job3 was left behind.
+	if _, stillExists := dms.metricGroups[groupingKeyFor(grouping5)]; stillExists {
+		t.Error("An instance map for 'job3' still exists.")
+	}
+
+	// Shutdown the dms again, directly after a number of write request
+	// (to check draining).
+	for i := 0; i < 10; i++ {
+		dms.SubmitWriteRequest(WriteRequest{
+			Labels:         grouping5,
+			Timestamp:      ts5,
+			MetricFamilies: testutil.MetricFamiliesMap(mf4),
+		})
+	}
+	grouping6 := map[string]string{
+		"job":      "job4",
+		"instance": "instance1",
+	}
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping6,
+		Timestamp:      ts5,
+		MetricFamilies: testutil.MetricFamiliesMap(mfUnlabelled),
+	})
+	if err := dms.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+	pushTimestamp.Metric = append(
+		pushTimestamp.Metric,
+		newPushTimestampGauge(grouping5, ts5).Metric[0],
+		newPushTimestampGauge(grouping6, ts5).Metric[0],
+	)
+	pushFailedTimestamp.Metric = append(
+		pushFailedTimestamp.Metric,
+		newPushFailedTimestampGauge(grouping5, time.Time{}).Metric[0],
+		newPushFailedTimestampGauge(grouping6, time.Time{}).Metric[0],
+	)
+	mfLabelled := proto.Clone(mfUnlabelled).(*dto.MetricFamily)
+	// SanitizeLabels should add these labels to the unlabelled metric.
+	mfLabelled.Metric[0].Label = []*dto.LabelPair{
+		{
+			Name:  proto.String("instance"),
+			Value: proto.String("instance1"),
+		},
+		{
+			Name:  proto.String("job"),
+			Value: proto.String("job4"),
+		},
+	}
+	if err := checkMetricFamilies(
+		dms, mf1a, mf2, mf4, mfLabelled,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestNoPersistence(t *testing.T) {
+	dms := NewDiskMetricStore("", 100*time.Millisecond, nil, logger)
+
+	ts1 := time.Now()
+	grouping1 := map[string]string{
+		"job":      "job1",
+		"instance": "instance1",
+	}
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts1,
+		MetricFamilies: testutil.MetricFamiliesMap(mf3),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp := newPushTimestampGauge(grouping1, ts1)
+	pushFailedTimestamp := newPushFailedTimestampGauge(grouping1, time.Time{})
+	if err := checkMetricFamilies(
+		dms, mf3,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	if err := dms.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+
+	dms = NewDiskMetricStore("", 100*time.Millisecond, nil, logger)
+	if err := checkMetricFamilies(dms); err != nil {
+		t.Error(err)
+	}
+
+	if err := dms.Ready(); err != nil {
+		t.Error(err)
+	}
+
+	if err := dms.Healthy(); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestRejectTimestamps(t *testing.T) {
+	dms := NewDiskMetricStore("", 100*time.Millisecond, nil, logger)
+
+	ts1 := time.Now()
+	grouping1 := map[string]string{
+		"job":      "job1",
+		"instance": "instance2",
+	}
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts1,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1ts),
+		Done:           errCh,
+	})
+	var err error
+	for err = range errCh {
+		if !errors.Is(err, errTimestamp) {
+			t.Errorf("Expected error %q, got %q.", errTimestamp, err)
+		}
+	}
+	if err == nil {
+		t.Error("Expected error on pushing metric with timestamp.")
+	}
+	pushTimestamp := newPushTimestampGauge(grouping1, time.Time{})
+	pushFailedTimestamp := newPushFailedTimestampGauge(grouping1, ts1)
+	if err := checkMetricFamilies(
+		dms,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	if err := dms.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestRejectInconsistentPush(t *testing.T) {
+	dms := NewDiskMetricStore("", 100*time.Millisecond, nil, logger)
+
+	ts1 := time.Now()
+	grouping1 := map[string]string{
+		"job": "job1",
+	}
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts1,
+		MetricFamilies: testutil.MetricFamiliesMap(mfgc),
+		Done:           errCh,
+	})
+	err := <-errCh
+	if err == nil {
+		t.Error("Expected error pushing inconsistent go_goroutines metric.")
+	}
+	pushTimestamp := newPushTimestampGauge(grouping1, time.Time{})
+	pushFailedTimestamp := newPushFailedTimestampGauge(grouping1, ts1)
+	if err := checkMetricFamilies(
+		dms,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	ts2 := ts1.Add(time.Second)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts2,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1a),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp = newPushTimestampGauge(grouping1, ts2)
+	if err := checkMetricFamilies(
+		dms, mf1a,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	ts3 := ts2.Add(time.Second)
+	grouping3 := map[string]string{
+		"job":      "job1",
+		"instance": "instance2",
+	}
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping3,
+		Timestamp:      ts3,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1b),
+		Done:           errCh,
+	})
+	err = <-errCh
+	if err == nil {
+		t.Error("Expected error pushing duplicate mf1 metric.")
+	}
+	pushTimestamp.Metric = append(
+		pushTimestamp.Metric, newPushTimestampGauge(grouping3, time.Time{}).Metric[0],
+	)
+	pushFailedTimestamp.Metric = append(
+		pushFailedTimestamp.Metric, newPushFailedTimestampGauge(grouping3, ts3).Metric[0],
+	)
+	if err := checkMetricFamilies(
+		dms, mf1a,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	if err := dms.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestSanitizeLabels(t *testing.T) {
+	dms := NewDiskMetricStore("", 100*time.Millisecond, nil, logger)
+
+	// Push mf1c with the grouping matching mf1b, mf1b should end up in storage.
+	ts1 := time.Now()
+	grouping1 := map[string]string{
+		"job":      "job1",
+		"instance": "instance2",
+	}
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts1,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1c),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp := newPushTimestampGauge(grouping1, ts1)
+	pushFailedTimestamp := newPushFailedTimestampGauge(grouping1, time.Time{})
+	if err := checkMetricFamilies(
+		dms, mf1b,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Push mf1e, missing the instance label. Again, mf1b should end up in storage.
+	ts2 := ts1.Add(1)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts2,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1e),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp = newPushTimestampGauge(grouping1, ts2)
+	if err := checkMetricFamilies(
+		dms, mf1b,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Push mf1e, missing the instance label, into a grouping without the
+	// instance label. The result in the storage should have an empty
+	// instance label.
+	ts3 := ts2.Add(1)
+	grouping3 := map[string]string{
+		"job": "job1",
+	}
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping3,
+		Timestamp:      ts3,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1e),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp.Metric = append(
+		pushTimestamp.Metric, newPushTimestampGauge(grouping3, ts3).Metric[0],
+	)
+	pushFailedTimestamp.Metric = append(
+		pushFailedTimestamp.Metric, newPushFailedTimestampGauge(grouping3, time.Time{}).Metric[0],
+	)
+	if err := checkMetricFamilies(
+		dms, mf1be,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestReplace(t *testing.T) {
+	dms := NewDiskMetricStore("", 100*time.Millisecond, nil, logger)
+
+	// First do an invalid push to set pushFailedTimestamp and to later
+	// verify that it is retained and not replaced.
+	ts1 := time.Now()
+	grouping1 := map[string]string{
+		"job": "job1",
+	}
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts1,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1ts),
+		Done:           errCh,
+	})
+	var err error
+	for err = range errCh {
+		if !errors.Is(err, errTimestamp) {
+			t.Errorf("Expected error %q, got %q.", errTimestamp, err)
+		}
+	}
+	if err == nil {
+		t.Error("Expected error on pushing metric with timestamp.")
+	}
+	pushTimestamp := newPushTimestampGauge(grouping1, time.Time{})
+	pushFailedTimestamp := newPushFailedTimestampGauge(grouping1, ts1)
+	if err := checkMetricFamilies(
+		dms,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Now a valid update in replace mode. It doesn't replace anything, but
+	// it already tests that the push-failed timestamp is retained.
+	ts2 := ts1.Add(time.Second)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts2,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1a),
+		Done:           errCh,
+		Replace:        true,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp = newPushTimestampGauge(grouping1, ts2)
+	if err := checkMetricFamilies(
+		dms, mf1a,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Now push something else in replace mode that should replace mf1.
+	ts3 := ts2.Add(time.Second)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts3,
+		MetricFamilies: testutil.MetricFamiliesMap(mf2),
+		Done:           errCh,
+		Replace:        true,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp = newPushTimestampGauge(grouping1, ts3)
+	if err := checkMetricFamilies(
+		dms, mf2,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Another invalid push in replace mode, which should only update the
+	// push-failed timestamp.
+	ts4 := ts3.Add(time.Second)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts4,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1ts),
+		Done:           errCh,
+		Replace:        true,
+	})
+	err = nil
+	for err = range errCh {
+		if !errors.Is(err, errTimestamp) {
+			t.Errorf("Expected error %q, got %q.", errTimestamp, err)
+		}
+	}
+	if err == nil {
+		t.Error("Expected error on pushing metric with timestamp.")
+	}
+	pushFailedTimestamp = newPushFailedTimestampGauge(grouping1, ts4)
+	if err := checkMetricFamilies(
+		dms, mf2,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Push an empty map (rather than a nil map) in replace mode. Should
+	// delete everything except the push timestamps.
+	ts5 := ts4.Add(time.Second)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         grouping1,
+		Timestamp:      ts5,
+		MetricFamilies: testutil.MetricFamiliesMap(),
+		Done:           errCh,
+		Replace:        true,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp = newPushTimestampGauge(grouping1, ts5)
+	if err := checkMetricFamilies(
+		dms,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	if err := dms.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestGetMetricFamiliesMap(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "diskmetricstore.TestGetMetricFamiliesMap.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tempDir)
+	fileName := path.Join(tempDir, "persistence")
+
+	dms := NewDiskMetricStore(fileName, 100*time.Millisecond, nil, logger)
+
+	labels1 := map[string]string{
+		"job":      "job1",
+		"instance": "instance1",
+	}
+
+	labels2 := map[string]string{
+		"job":      "job1",
+		"instance": "instance2",
+	}
+
+	gk1 := groupingKeyFor(labels1)
+	gk2 := groupingKeyFor(labels2)
+
+	// Submit a single simple metric family.
+	ts1 := time.Now()
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         labels1,
+		Timestamp:      ts1,
+		MetricFamilies: testutil.MetricFamiliesMap(mf3),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+	pushTimestamp := newPushTimestampGauge(labels1, ts1)
+	pushFailedTimestamp := newPushFailedTimestampGauge(labels1, time.Time{})
+	if err := checkMetricFamilies(
+		dms, mf3,
+		pushTimestamp, pushFailedTimestamp,
+	); err != nil {
+		t.Error(err)
+	}
+
+	// Submit two metric families for a different instance.
+	ts2 := ts1.Add(time.Second)
+	errCh = make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels:         labels2,
+		Timestamp:      ts2,
+		MetricFamilies: testutil.MetricFamiliesMap(mf1b, mf2),
+		Done:           errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+
+	// expectedMFMap is a multi-layered map that maps the labelset
+	// fingerprints to the corresponding metric family string
+	// representations.  This is for test assertion purposes.
+	expectedMFMap := map[string]map[string]string{
+		gk1: {
+			"mf3":                mf3.String(),
+			pushMetricName:       pushTimestamp.String(),
+			pushFailedMetricName: pushFailedTimestamp.String(),
+		},
+		gk2: {
+			"mf1":                mf1b.String(),
+			"mf2":                mf2.String(),
+			pushMetricName:       newPushTimestampGauge(labels2, ts2).String(),
+			pushFailedMetricName: newPushFailedTimestampGauge(labels2, time.Time{}).String(),
+		},
+	}
+
+	if err := checkMetricFamilyGroups(dms, expectedMFMap); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestHelpStringFix(t *testing.T) {
+	dms := NewDiskMetricStore("", 100*time.Millisecond, prometheus.DefaultGatherer, logger)
+
+	ts1 := time.Now()
+	errCh := make(chan error, 1)
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels: map[string]string{
+			"job": "job1",
+		},
+		Timestamp: ts1,
+		MetricFamilies: map[string]*dto.MetricFamily{
+			"go_goroutines": mfgg,
+			"mf_help":       mfh1,
+		},
+	})
+	dms.SubmitWriteRequest(WriteRequest{
+		Labels: map[string]string{
+			"job": "job2",
+		},
+		Timestamp: ts1,
+		MetricFamilies: map[string]*dto.MetricFamily{
+			"mf_help": mfh2,
+		},
+		Done: errCh,
+	})
+	for err := range errCh {
+		t.Fatal("Unexpected error:", err)
+	}
+
+	// Either we have settled on the mfh1 help string or the mfh2 help string.
+	gotMFs := dms.GetMetricFamilies()
+	if len(gotMFs) != 4 {
+		t.Fatalf("expected 4 metric families, got %d", len(gotMFs))
+	}
+	gotMFsAsStrings := make([]string, len(gotMFs))
+	for i, mf := range gotMFs {
+		sort.Sort(metricSorter(mf.GetMetric()))
+		gotMFsAsStrings[i] = mf.String()
+	}
+	sort.Strings(gotMFsAsStrings)
+	gotGG := gotMFsAsStrings[0]
+	got12 := gotMFsAsStrings[1]
+	expectedGG := mfggFixed.String()
+	expected12 := mfh12.String()
+	expected21 := mfh21.String()
+
+	if gotGG != expectedGG {
+		t.Errorf(
+			"help strings weren't properly adjusted, got '%s', expected '%s'",
+			gotGG, expectedGG,
+		)
+	}
+	if got12 != expected12 && got12 != expected21 {
+		t.Errorf(
+			"help strings weren't properly adjusted, got '%s' which is neither '%s' nor '%s'",
+			got12, expected12, expected21,
+		)
+	}
+
+	if err := dms.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestGroupingKeyForLabels(t *testing.T) {
+	sep := string([]byte{model.SeparatorByte})
+	scenarios := []struct {
+		in  map[string]string
+		out string
+	}{
+		{
+			in:  map[string]string{},
+			out: "",
+		},
+		{
+			in:  map[string]string{"foo": "bar"},
+			out: "foo" + sep + "bar",
+		},
+		{
+			in:  map[string]string{"foo": "bar", "dings": "bums"},
+			out: "dings" + sep + "bums" + sep + "foo" + sep + "bar",
+		},
+	}
+
+	for _, s := range scenarios {
+		if want, got := s.out, groupingKeyFor(s.in); want != got {
+			t.Errorf("Want grouping key %q for labels %v, got %q.", want, s.in, got)
+		}
+	}
+}
+
+func checkMetricFamilies(dms *DiskMetricStore, expectedMFs ...*dto.MetricFamily) error {
+	gotMFs := dms.GetMetricFamilies()
+	if expected, got := len(expectedMFs), len(gotMFs); expected != got {
+		return fmt.Errorf("expected %d metric families, got %d", expected, got)
+	}
+
+	expectedMFsAsStrings := make([]string, len(expectedMFs))
+	for i, mf := range expectedMFs {
+		sort.Sort(metricSorter(mf.Metric))
+		expectedMFsAsStrings[i] = mf.String()
+	}
+	sort.Strings(expectedMFsAsStrings)
+
+	gotMFsAsStrings := make([]string, len(gotMFs))
+	for i, mf := range gotMFs {
+		sort.Sort(metricSorter(mf.GetMetric()))
+		gotMFsAsStrings[i] = mf.String()
+	}
+	sort.Strings(gotMFsAsStrings)
+
+	for i, got := range gotMFsAsStrings {
+		expected := expectedMFsAsStrings[i]
+		if expected != got {
+			return fmt.Errorf("expected metric family '%s', got '%s'", expected, got)
+		}
+	}
+	return nil
+}
+
+func checkMetricFamilyGroups(dms *DiskMetricStore, expectedMFMap map[string]map[string]string) error {
+	mfMap := dms.GetMetricFamiliesMap()
+
+	if expected, got := len(expectedMFMap), len(mfMap); expected != got {
+		return fmt.Errorf("expected %d metric families in map, but got %d", expected, got)
+	}
+
+	for k, v := range mfMap {
+		if innerMap, ok := expectedMFMap[k]; ok {
+			if len(innerMap) != len(v.Metrics) {
+				return fmt.Errorf("expected %d metric entries for grouping key %s in map, but got %d",
+					len(innerMap), k, len(v.Metrics))
+			}
+			for metricName, metricString := range innerMap {
+				if v.Metrics[metricName].GetMetricFamily().String() != metricString {
+					return fmt.Errorf("expected metric %s to be present for key %s", metricString, metricName)
+				}
+			}
+		} else {
+			return fmt.Errorf("expected grouping key %s to be present in metric families map", k)
+		}
+	}
+	return nil
+}
+
+type metricSorter []*dto.Metric
+
+func (s metricSorter) Len() int {
+	return len(s)
+}
+
+func (s metricSorter) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func (s metricSorter) Less(i, j int) bool {
+	for n, lp := range s[i].Label {
+		vi := lp.GetValue()
+		vj := s[j].Label[n].GetValue()
+		if vi != vj {
+			return vi < vj
+		}
+	}
+	return true
+}
diff --git a/storage/interface.go b/storage/interface.go
new file mode 100644
index 0000000..ba7e92c
--- /dev/null
+++ b/storage/interface.go
@@ -0,0 +1,177 @@
+//nolint:goheader
+// Copyright 2014 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package storage
+
+import (
+	"sort"
+	"time"
+
+	//nolint:staticcheck // Ignore SA1019. Dependencies use the deprecated package, so we have to, too.
+	"github.com/golang/protobuf/proto"
+
+	dto "github.com/prometheus/client_model/go"
+)
+
+// MetricStore is the interface to the storage layer for metrics. All its
+// methods must be safe to be called concurrently.
+type MetricStore interface {
+	// SubmitWriteRequest submits a WriteRequest for processing. There is no
+	// guarantee when a request will be processed, but it is guaranteed that
+	// the requests are processed in the order of submission.
+	SubmitWriteRequest(req WriteRequest)
+	// GetMetricFamilies returns all the currently saved MetricFamilies. The
+	// returned MetricFamilies are guaranteed to not be modified by the
+	// MetricStore anymore. However, they may still be read somewhere else,
+	// so the caller is not allowed to modify the returned MetricFamilies.
+	// If different groups have saved MetricFamilies of the same name, they
+	// are all merged into one MetricFamily by concatenating the contained
+	// Metrics. Inconsistent help strings are logged, and one of the
+	// versions will "win". Inconsistent types and inconsistent or duplicate
+	// label sets will go undetected.
+	GetMetricFamilies() []*dto.MetricFamily
+	// GetMetricFamiliesMap returns a map grouping-key -> MetricGroup. The
+	// MetricFamily pointed to by the Metrics map in each MetricGroup is
+	// guaranteed to not be modified by the MetricStore anymore. However,
+	// they may still be read somewhere else, so the caller is not allowed
+	// to modify it. Otherwise, the returned nested map can be seen as a
+	// deep copy of the internal state of the MetricStore and completely
+	// owned by the caller.
+	GetMetricFamiliesMap() GroupingKeyToMetricGroup
+	// Shutdown must only be called after the caller has made sure that
+	// SubmitWriteRequests is not called anymore. (If it is called later,
+	// the request might get submitted, but not processed anymore.) The
+	// Shutdown method waits for the write request queue to empty, then it
+	// persists the content of the MetricStore (if supported by the
+	// implementation). Also, all internal goroutines are stopped. This
+	// method blocks until all of that is complete. If an error is
+	// encountered, it is returned (whereupon the MetricStorage is in an
+	// undefinded state). If nil is returned, the MetricStore cannot be
+	// "restarted" again, but it can still be used for read operations.
+	Shutdown() error
+	// Healthy returns nil if the MetricStore is currently working as
+	// expected. Otherwise, a non-nil error is returned.
+	Healthy() error
+	// Ready returns nil if the MetricStore is ready to be used (all files
+	// are opened and checkpoints have been restored). Otherwise, a non-nil
+	// error is returned.
+	Ready() error
+}
+
+// WriteRequest is a request to change the MetricStore, i.e. to process it, a
+// write lock has to be acquired.
+//
+// If MetricFamilies is nil, this is a request to delete metrics that share the
+// given Labels as a grouping key. Otherwise, this is a request to update the
+// MetricStore with the MetricFamilies.
+//
+// If Replace is true, the MetricFamilies will completely replace the metrics
+// with the same grouping key. Otherwise, only those MetricFamilies with the
+// same name as new MetricFamilies will be replaced.
+//
+// The key in MetricFamilies is the name of the mapped metric family.
+//
+// When the WriteRequest is processed, the metrics in MetricFamilies will be
+// sanitized to have the same job and other labels as those in the Labels
+// fields. Also, if there is no instance label, an instance label with an empty
+// value will be set. This implies that the MetricFamilies in the WriteRequest
+// may be modified be the MetricStore during processing of the WriteRequest!
+//
+// The Timestamp field marks the time the request was received from the
+// network. It is not related to the TimestampMs field in the Metric proto
+// message. In fact, WriteRequests containing any Metrics with a TimestampMs set
+// are invalid and will be rejected.
+//
+// The Done channel may be nil. If it is not nil, it will be closed once the
+// write request is processed. Any errors occurring during processing are sent to
+// the channel before closing it.
+type WriteRequest struct {
+	Labels         map[string]string
+	Timestamp      time.Time
+	MetricFamilies map[string]*dto.MetricFamily
+	Replace        bool
+	Done           chan error
+}
+
+// GroupingKeyToMetricGroup is the first level of the metric store, keyed by
+// grouping key.
+type GroupingKeyToMetricGroup map[string]MetricGroup
+
+// MetricGroup adds the grouping labels to a NameToTimestampedMetricFamilyMap.
+type MetricGroup struct {
+	Labels  map[string]string
+	Metrics NameToTimestampedMetricFamilyMap
+}
+
+// SortedLabels returns the label names of the grouping labels sorted
+// lexicographically but with the "job" label always first. This method exists
+// for presentation purposes, see template.html.
+func (mg MetricGroup) SortedLabels() []string {
+	lns := make([]string, 1, len(mg.Labels))
+	lns[0] = "job"
+	for ln := range mg.Labels {
+		if ln != "job" {
+			lns = append(lns, ln)
+		}
+	}
+	sort.Strings(lns[1:])
+	return lns
+}
+
+// LastPushSuccess returns false if the automatically added metric for the
+// timestamp of the last failed push has a value larger than the value of the
+// automatically added metric for the timestamp of the last successful push. In
+// all other cases, it returns true (including the case that one or both of
+// those metrics are missing for some reason.)
+func (mg MetricGroup) LastPushSuccess() bool {
+	fail := mg.Metrics[pushFailedMetricName].GobbableMetricFamily
+	if fail == nil {
+		return true
+	}
+	success := mg.Metrics[pushMetricName].GobbableMetricFamily
+	if success == nil {
+		return true
+	}
+	return (*dto.MetricFamily)(fail).GetMetric()[0].GetGauge().GetValue() <= (*dto.MetricFamily)(success).GetMetric()[0].GetGauge().GetValue()
+}
+
+// NameToTimestampedMetricFamilyMap is the second level of the metric store,
+// keyed by metric name.
+type NameToTimestampedMetricFamilyMap map[string]TimestampedMetricFamily
+
+// TimestampedMetricFamily adds the push timestamp to a gobbable version of the
+// MetricFamily-DTO.
+type TimestampedMetricFamily struct {
+	Timestamp            time.Time
+	GobbableMetricFamily *GobbableMetricFamily
+}
+
+// GetMetricFamily returns the normal GetMetricFamily DTO (without the gob additions).
+func (tmf TimestampedMetricFamily) GetMetricFamily() *dto.MetricFamily {
+	return (*dto.MetricFamily)(tmf.GobbableMetricFamily)
+}
+
+// GobbableMetricFamily is a dto.MetricFamily that implements GobDecoder and
+// GobEncoder.
+type GobbableMetricFamily dto.MetricFamily
+
+// GobDecode implements gob.GobDecoder.
+func (gmf *GobbableMetricFamily) GobDecode(b []byte) error {
+	return proto.Unmarshal(b, (*dto.MetricFamily)(gmf))
+}
+
+// GobEncode implements gob.GobEncoder.
+func (gmf *GobbableMetricFamily) GobEncode() ([]byte, error) {
+	return proto.Marshal((*dto.MetricFamily)(gmf))
+}
diff --git a/testutil/main/main.go b/testutil/main/main.go
new file mode 100644
index 0000000..2511fb4
--- /dev/null
+++ b/testutil/main/main.go
@@ -0,0 +1,29 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"time"
+)
+
+func main() {
+	conn, err := net.Dial("unix", "/run/apptheus/gateway.sock")
+	if err != nil {
+		fmt.Printf("connection error: %v", err)
+		os.Exit(-1)
+	}
+
+	defer conn.Close()
+
+	for {
+		sum := uint64(0)
+		for i := 0; i < 10000000; i++ {
+			sum = sum + uint64(i)
+		}
+		uid := os.Getuid()
+		pid := os.Getpid()
+		fmt.Printf("calculation completed, my uid: %d, my pid: %d\n", uid, pid)
+		time.Sleep(time.Second * 5)
+	}
+}
diff --git a/testutil/metric_families.go b/testutil/metric_families.go
new file mode 100644
index 0000000..2e379d3
--- /dev/null
+++ b/testutil/metric_families.go
@@ -0,0 +1,41 @@
+// Copyright 2020 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package testutil
+
+import (
+	//nolint:staticcheck // Ignore SA1019. Dependencies use the deprecated package, so we have to, too.
+	"github.com/golang/protobuf/proto"
+
+	dto "github.com/prometheus/client_model/go"
+)
+
+// MetricFamiliesMap creates the map needed in the MetricFamilies field of a
+// WriteRequest from the provided reference metric families. While doing so, it
+// creates deep copies of the metric families so that modifications that might
+// happen during processing of the WriteRequest will not affect the reference
+// metric families.
+func MetricFamiliesMap(mfs ...*dto.MetricFamily) map[string]*dto.MetricFamily {
+	m := map[string]*dto.MetricFamily{}
+	for _, mf := range mfs {
+		buf, err := proto.Marshal(mf)
+		if err != nil {
+			panic(err)
+		}
+		mfCopy := &dto.MetricFamily{}
+		if err := proto.Unmarshal(buf, mfCopy); err != nil {
+			panic(err)
+		}
+		m[mf.GetName()] = mfCopy
+	}
+	return m
+}