From aed0e095e1f1072b175ed34b70b443d397fdf868 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu <ssaricu@gmail.com>
Date: Tue, 24 Mar 2026 22:51:34 +0200
Subject: [PATCH 1/5] =?UTF-8?q?perf:=20optimize=20hot=20path=20=E2=80=94?=
 =?UTF-8?q?=20RwLock,=20inline=20filtering,=20pre-allocated=20strings?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Mutex → RwLock for cache, blocklist, and overrides (concurrent read access)
- Make cache.lookup() and overrides.lookup() take &self (read-only)
- Eliminate 3 Vec allocations per DnsPacket::write() via inline filtering
- Pre-allocate domain strings with capacity 64 in parse path
- Add criterion micro-benchmarks (hot_path + throughput)
- Add bench README documenting both benchmark suites

Measured improvement: ~14% faster parsing, ~9% pipeline throughput,
round-trip cached 733ns → 698ns (~2.3M queries/sec).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 Cargo.lock            | 267 ++++++++++++++++++++++++++++++++++++++++++
 Cargo.toml            |  11 ++
 Makefile              |  13 +-
 bench/README.md       |  87 ++++++++++++++
 benches/hot_path.rs   | 186 +++++++++++++++++++++++++++++
 benches/throughput.rs |  94 +++++++++++++++
 src/api.rs            |  51 ++++----
 src/cache.rs          |  18 +--
 src/ctx.rs            |  16 +--
 src/main.rs           |  10 +-
 src/override_store.rs |   7 +-
 src/packet.rs         |  38 +++---
 src/record.rs         |   8 +-
 13 files changed, 729 insertions(+), 77 deletions(-)
 create mode 100644 bench/README.md
 create mode 100644 benches/hot_path.rs
 create mode 100644 benches/throughput.rs

diff --git a/Cargo.lock b/Cargo.lock
index bd15955..a8563e2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -17,6 +17,12 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "anes"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299"
+
 [[package]]
 name = "anstream"
 version = "0.6.21"
@@ -237,6 +243,12 @@ version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 
+[[package]]
+name = "cast"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
+
 [[package]]
 name = "cc"
 version = "1.2.57"
@@ -261,6 +273,58 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
+[[package]]
+name = "ciborium"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42e69ffd6f0917f5c029256a24d0161db17cea3997d185db0d35926308770f0e"
+dependencies = [
+ "ciborium-io",
+ "ciborium-ll",
+ "serde",
+]
+
+[[package]]
+name = "ciborium-io"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05afea1e0a06c9be33d539b876f1ce3692f4afea2cb41f740e7743225ed1c757"
+
+[[package]]
+name = "ciborium-ll"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9"
+dependencies = [
+ "ciborium-io",
+ "half",
+]
+
+[[package]]
+name = "clap"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
+dependencies = [
+ "clap_builder",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
+dependencies = [
+ "anstyle",
+ "clap_lex",
+]
+
+[[package]]
+name = "clap_lex"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
+
 [[package]]
 name = "cmake"
 version = "0.1.57"
@@ -302,6 +366,73 @@ dependencies = [
  "cfg-if",
 ]
 
+[[package]]
+name = "criterion"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2b12d017a929603d80db1831cd3a24082f8137ce19c69e6447f54f5fc8d692f"
+dependencies = [
+ "anes",
+ "cast",
+ "ciborium",
+ "clap",
+ "criterion-plot",
+ "is-terminal",
+ "itertools",
+ "num-traits",
+ "once_cell",
+ "oorandom",
+ "plotters",
+ "rayon",
+ "regex",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "tinytemplate",
+ "walkdir",
+]
+
+[[package]]
+name = "criterion-plot"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6b50826342786a51a89e2da3a28f1c32b06e387201bc2d19791f622c673706b1"
+dependencies = [
+ "cast",
+ "itertools",
+]
+
+[[package]]
+name = "crossbeam-deque"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9dd111b7b7f7d55b72c0a6ae361660ee5853c9af73f70c3c2ef6858b950e2e51"
+dependencies = [
+ "crossbeam-epoch",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.9.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
+
+[[package]]
+name = "crunchy"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
+
 [[package]]
 name = "data-encoding"
 version = "2.10.0"
@@ -348,6 +479,12 @@ version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
 
+[[package]]
+name = "either"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+
 [[package]]
 name = "env_filter"
 version = "1.0.0"
@@ -548,12 +685,29 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "half"
+version = "2.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b"
+dependencies = [
+ "cfg-if",
+ "crunchy",
+ "zerocopy",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
 
+[[package]]
+name = "hermit-abi"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
+
 [[package]]
 name = "http"
 version = "1.4.0"
@@ -790,12 +944,32 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "is-terminal"
+version = "0.4.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
+dependencies = [
+ "hermit-abi",
+ "libc",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
 
+[[package]]
+name = "itertools"
+version = "0.10.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+dependencies = [
+ "either",
+]
+
 [[package]]
 name = "itoa"
 version = "1.0.17"
@@ -971,6 +1145,7 @@ version = "0.5.0"
 dependencies = [
  "arc-swap",
  "axum",
+ "criterion",
  "env_logger",
  "futures",
  "http-body-util",
@@ -1010,6 +1185,12 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
+[[package]]
+name = "oorandom"
+version = "11.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"
+
 [[package]]
 name = "pem"
 version = "3.0.6"
@@ -1038,6 +1219,34 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "plotters"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5aeb6f403d7a4911efb1e33402027fc44f29b5bf6def3effcc22d7bb75f2b747"
+dependencies = [
+ "num-traits",
+ "plotters-backend",
+ "plotters-svg",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "plotters-backend"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df42e13c12958a16b3f7f4386b9ab1f3e7933914ecea48da7139435263a4172a"
+
+[[package]]
+name = "plotters-svg"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51bae2ac328883f7acdfea3d66a7c35751187f870bc81f94563733a154d7a670"
+dependencies = [
+ "plotters-backend",
+]
+
 [[package]]
 name = "portable-atomic"
 version = "1.13.1"
@@ -1185,6 +1394,26 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
+[[package]]
+name = "rayon"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "368f01d005bf8fd9b1206fb6fa653e6c4a81ceb1466406b81792d87c5677a58f"
+dependencies = [
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91"
+dependencies = [
+ "crossbeam-deque",
+ "crossbeam-utils",
+]
+
 [[package]]
 name = "rcgen"
 version = "0.13.2"
@@ -1346,6 +1575,15 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -1589,6 +1827,16 @@ dependencies = [
  "zerovec",
 ]
 
+[[package]]
+name = "tinytemplate"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be4d6b5f19ff7664e8c98d03e2139cb510db9b0a60b55f8e8709b689d939b6bc"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
 [[package]]
 name = "tinyvec"
 version = "1.11.0"
@@ -1807,6 +2055,16 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -1919,6 +2177,15 @@ dependencies = [
  "rustls-pki-types",
 ]
 
+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
diff --git a/Cargo.toml b/Cargo.toml
index fa52afa..ea71da7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -28,3 +28,14 @@ time = "0.3"
 rustls = "0.23"
 tokio-rustls = "0.26"
 arc-swap = "1"
+
+[dev-dependencies]
+criterion = { version = "0.5", features = ["html_reports"] }
+
+[[bench]]
+name = "hot_path"
+harness = false
+
+[[bench]]
+name = "throughput"
+harness = false
diff --git a/Makefile b/Makefile
index d25d697..643c058 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt check audit test clean deploy
+.PHONY: all build lint fmt check audit test bench clean deploy blog
 
 all: lint build
 
@@ -19,6 +19,17 @@ audit:
 test:
 	cargo test
 
+bench:
+	cargo bench
+
+blog:
+	@mkdir -p site/blog
+	@for f in blog/*.md; do \
+		name=$$(basename "$$f" .md); \
+		pandoc "$$f" --template=site/blog-template.html -o "site/blog/$$name.html"; \
+		echo "  $$f → site/blog/$$name.html"; \
+	done
+
 clean:
 	cargo clean
 
diff --git a/bench/README.md b/bench/README.md
new file mode 100644
index 0000000..7307369
--- /dev/null
+++ b/bench/README.md
@@ -0,0 +1,87 @@
+# Benchmarks
+
+Numa has two benchmark suites measuring different layers of performance.
+
+## Micro-benchmarks (`benches/`, criterion)
+
+Nanosecond-precision measurement of individual operations on the hot path.
+No running server required — these are pure Rust unit-level benchmarks.
+
+```sh
+cargo bench            # run all
+cargo bench --bench hot_path      # parse, serialize, cache, clone
+cargo bench --bench throughput    # pipeline QPS, buffer alloc
+```
+
+### What's measured
+
+**hot_path** — individual operations:
+
+| Benchmark | What it measures |
+|-----------|-----------------|
+| `buffer_parse` | Wire bytes → DnsPacket (typical response with 4 records) |
+| `buffer_serialize` | DnsPacket → wire bytes |
+| `packet_clone` | Full DnsPacket clone (what cache hit costs) |
+| `cache_lookup_hit` | Cache lookup on a single-entry cache |
+| `cache_lookup_hit_populated` | Cache lookup with 1000 entries |
+| `cache_lookup_miss` | HashMap miss (baseline) |
+| `cache_insert` | Insert into cache with packet clone |
+| `round_trip_cached` | Full cached path: parse query → cache hit → serialize response |
+
+**throughput** — pipeline capacity:
+
+| Benchmark | What it measures |
+|-----------|-----------------|
+| `pipeline_throughput/N` | N cached queries end-to-end (parse → lookup → serialize) |
+| `buffer_alloc` | BytePacketBuffer 4KB zero-init cost |
+
+### Reading results
+
+Criterion auto-compares against the previous run:
+
+```
+round_trip_cached  time: [710.5 ns 715.2 ns 720.1 ns]
+                   change: [-2.48% -1.85% -1.21%] (p = 0.00 < 0.05)
+                   Performance has improved.
+```
+
+- The three values are [lower bound, estimate, upper bound] of the mean
+- `change` shows the delta vs the last saved baseline
+- HTML reports with charts: `target/criterion/report/index.html`
+
+To save a named baseline for comparison:
+
+```sh
+cargo bench -- --save-baseline before
+# ... make changes ...
+cargo bench -- --baseline before
+```
+
+## End-to-end benchmark (`bench/dns-bench.sh`)
+
+Real-world latency comparison using `dig` against a running Numa instance
+and public resolvers. Measures millisecond-level latency including network I/O.
+
+```sh
+# Start Numa first (default port 15353 for testing)
+python3 bench/dns-bench.sh [port] [rounds]
+python3 bench/dns-bench.sh 15353 20    # default
+```
+
+### What's measured
+
+- **Numa (cold)**: cache flushed before each query — measures upstream forwarding
+- **Numa (cached)**: queries hit cache — measures local processing
+- **System / Google / Cloudflare / Quad9**: public resolver comparison
+
+Results saved to `bench/results.json`.
+
+### When to use which
+
+| Question | Use |
+|----------|-----|
+| Did my code change make parsing faster? | `cargo bench --bench hot_path` |
+| Is the cached path still sub-microsecond? | `cargo bench --bench hot_path` (round_trip_cached) |
+| How many queries/sec can we handle? | `cargo bench --bench throughput` |
+| Is Numa still competitive with system resolver? | `bench/dns-bench.sh` |
+| Did upstream forwarding regress? | `bench/dns-bench.sh` |
diff --git a/benches/hot_path.rs b/benches/hot_path.rs
new file mode 100644
index 0000000..ecd84ae
--- /dev/null
+++ b/benches/hot_path.rs
@@ -0,0 +1,186 @@
+use criterion::{black_box, criterion_group, criterion_main, Criterion};
+use std::net::Ipv4Addr;
+
+use numa::buffer::BytePacketBuffer;
+use numa::cache::DnsCache;
+use numa::header::{DnsHeader, ResultCode};
+use numa::packet::DnsPacket;
+use numa::question::{DnsQuestion, QueryType};
+use numa::record::DnsRecord;
+
+fn make_response(domain: &str) -> DnsPacket {
+    let mut pkt = DnsPacket::new();
+    pkt.header = DnsHeader::new();
+    pkt.header.id = 0x1234;
+    pkt.header.response = true;
+    pkt.header.recursion_desired = true;
+    pkt.header.recursion_available = true;
+    pkt.header.rescode = ResultCode::NOERROR;
+    pkt.questions
+        .push(DnsQuestion::new(domain.to_string(), QueryType::A));
+    pkt.answers.push(DnsRecord::A {
+        domain: domain.to_string(),
+        addr: Ipv4Addr::new(93, 184, 216, 34),
+        ttl: 300,
+    });
+    // Typical response includes authority + additional records
+    pkt.authorities.push(DnsRecord::NS {
+        domain: domain.to_string(),
+        host: format!("ns1.{domain}"),
+        ttl: 172800,
+    });
+    pkt.authorities.push(DnsRecord::NS {
+        domain: domain.to_string(),
+        host: format!("ns2.{domain}"),
+        ttl: 172800,
+    });
+    pkt.resources.push(DnsRecord::A {
+        domain: format!("ns1.{domain}"),
+        addr: Ipv4Addr::new(198, 51, 100, 1),
+        ttl: 172800,
+    });
+    pkt
+}
+
+fn to_wire(pkt: &DnsPacket) -> Vec<u8> {
+    let mut buf = BytePacketBuffer::new();
+    pkt.write(&mut buf).unwrap();
+    buf.filled().to_vec()
+}
+
+fn bench_buffer_parse(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+    let wire = to_wire(&pkt);
+
+    c.bench_function("buffer_parse", |b| {
+        b.iter(|| {
+            let mut buf = BytePacketBuffer::from_bytes(black_box(&wire));
+            DnsPacket::from_buffer(&mut buf).unwrap()
+        })
+    });
+}
+
+fn bench_buffer_serialize(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+
+    c.bench_function("buffer_serialize", |b| {
+        b.iter(|| {
+            let mut buf = BytePacketBuffer::new();
+            black_box(&pkt).write(&mut buf).unwrap();
+            black_box(buf.pos());
+        })
+    });
+}
+
+fn bench_packet_clone(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+
+    c.bench_function("packet_clone", |b| b.iter(|| black_box(&pkt).clone()));
+}
+
+fn bench_cache_lookup_hit(c: &mut Criterion) {
+    let mut cache = DnsCache::new(10_000, 60, 86400);
+    let pkt = make_response("example.com");
+    cache.insert("example.com", QueryType::A, &pkt);
+
+    c.bench_function("cache_lookup_hit", |b| {
+        b.iter(|| {
+            cache
+                .lookup(black_box("example.com"), QueryType::A)
+                .unwrap()
+        })
+    });
+}
+
+fn bench_cache_lookup_miss(c: &mut Criterion) {
+    let mut cache = DnsCache::new(10_000, 60, 86400);
+
+    c.bench_function("cache_lookup_miss", |b| {
+        b.iter(|| cache.lookup(black_box("nonexistent.com"), QueryType::A))
+    });
+}
+
+fn bench_cache_insert(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+
+    c.bench_function("cache_insert", |b| {
+        let mut cache = DnsCache::new(10_000, 60, 86400);
+        let mut i = 0u64;
+        b.iter(|| {
+            let domain = format!("bench-{i}.example.com");
+            cache.insert(&domain, QueryType::A, black_box(&pkt));
+            i += 1;
+            // Reset cache periodically to avoid filling up
+            if i % 5000 == 0 {
+                cache.clear();
+            }
+        })
+    });
+}
+
+fn bench_round_trip(c: &mut Criterion) {
+    // Simulates the cached hot path: parse query → cache hit → serialize response
+    let query_pkt = {
+        let mut q = DnsPacket::new();
+        q.header.id = 0xABCD;
+        q.header.recursion_desired = true;
+        q.questions
+            .push(DnsQuestion::new("example.com".to_string(), QueryType::A));
+        q
+    };
+    let query_wire = to_wire(&query_pkt);
+
+    let response = make_response("example.com");
+    let mut cache = DnsCache::new(10_000, 60, 86400);
+    cache.insert("example.com", QueryType::A, &response);
+
+    c.bench_function("round_trip_cached", |b| {
+        b.iter(|| {
+            // 1. Parse incoming query
+            let mut buf = BytePacketBuffer::from_bytes(black_box(&query_wire));
+            let query = DnsPacket::from_buffer(&mut buf).unwrap();
+            let qname = &query.questions[0].name;
+            let qtype = query.questions[0].qtype;
+
+            // 2. Cache lookup
+            let mut resp = cache.lookup(qname, qtype).unwrap();
+            resp.header.id = query.header.id;
+
+            // 3. Serialize response
+            let mut resp_buf = BytePacketBuffer::new();
+            resp.write(&mut resp_buf).unwrap();
+            black_box(resp_buf.pos());
+        })
+    });
+}
+
+fn bench_cache_populated_lookup(c: &mut Criterion) {
+    // Benchmark with a realistically populated cache (1000 entries)
+    let mut cache = DnsCache::new(10_000, 60, 86400);
+    for i in 0..1000 {
+        let domain = format!("domain-{i}.example.com");
+        let pkt = make_response(&domain);
+        cache.insert(&domain, QueryType::A, &pkt);
+    }
+
+    c.bench_function("cache_lookup_hit_populated", |b| {
+        b.iter(|| {
+            cache
+                .lookup(black_box("domain-500.example.com"), QueryType::A)
+                .unwrap()
+        })
+    });
+}
+
+criterion_group!(
+    benches,
+    bench_buffer_parse,
+    bench_buffer_serialize,
+    bench_packet_clone,
+    bench_cache_lookup_hit,
+    bench_cache_lookup_miss,
+    bench_cache_insert,
+    bench_round_trip,
+    bench_cache_populated_lookup,
+);
+criterion_main!(benches);
diff --git a/benches/throughput.rs b/benches/throughput.rs
new file mode 100644
index 0000000..688b4e0
--- /dev/null
+++ b/benches/throughput.rs
@@ -0,0 +1,94 @@
+use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput};
+use std::net::Ipv4Addr;
+
+use numa::buffer::BytePacketBuffer;
+use numa::header::ResultCode;
+use numa::packet::DnsPacket;
+use numa::question::{DnsQuestion, QueryType};
+use numa::record::DnsRecord;
+
+fn make_query_wire(domain: &str) -> Vec<u8> {
+    let mut q = DnsPacket::new();
+    q.header.id = 0xABCD;
+    q.header.recursion_desired = true;
+    q.questions
+        .push(DnsQuestion::new(domain.to_string(), QueryType::A));
+    let mut buf = BytePacketBuffer::new();
+    q.write(&mut buf).unwrap();
+    buf.filled().to_vec()
+}
+
+fn make_response(domain: &str) -> DnsPacket {
+    let mut pkt = DnsPacket::new();
+    pkt.header.id = 0xABCD;
+    pkt.header.response = true;
+    pkt.header.recursion_desired = true;
+    pkt.header.recursion_available = true;
+    pkt.header.rescode = ResultCode::NOERROR;
+    pkt.questions
+        .push(DnsQuestion::new(domain.to_string(), QueryType::A));
+    pkt.answers.push(DnsRecord::A {
+        domain: domain.to_string(),
+        addr: Ipv4Addr::new(93, 184, 216, 34),
+        ttl: 300,
+    });
+    pkt
+}
+
+/// Simulates the complete cached query pipeline (sans network I/O):
+/// parse → cache lookup → TTL adjust → serialize response
+fn simulate_cached_pipeline(query_wire: &[u8], cache: &mut numa::cache::DnsCache) -> usize {
+    let mut buf = BytePacketBuffer::from_bytes(query_wire);
+    let query = DnsPacket::from_buffer(&mut buf).unwrap();
+    let q = &query.questions[0];
+
+    let mut resp = cache.lookup(&q.name, q.qtype).unwrap();
+    resp.header.id = query.header.id;
+
+    let mut resp_buf = BytePacketBuffer::new();
+    resp.write(&mut resp_buf).unwrap();
+    resp_buf.pos()
+}
+
+fn bench_pipeline_throughput(c: &mut Criterion) {
+    let domains: Vec<String> = (0..100)
+        .map(|i| format!("domain-{i}.example.com"))
+        .collect();
+
+    let mut cache = numa::cache::DnsCache::new(10_000, 60, 86400);
+    for d in &domains {
+        cache.insert(d, QueryType::A, &make_response(d));
+    }
+
+    let query_wires: Vec<Vec<u8>> = domains.iter().map(|d| make_query_wire(d)).collect();
+
+    let mut group = c.benchmark_group("pipeline_throughput");
+
+    for count in [1, 10, 100] {
+        group.throughput(Throughput::Elements(count));
+        group.bench_with_input(BenchmarkId::from_parameter(count), &count, |b, &count| {
+            let mut idx = 0usize;
+            b.iter(|| {
+                for _ in 0..count {
+                    let wire = &query_wires[idx % query_wires.len()];
+                    simulate_cached_pipeline(wire, &mut cache);
+                    idx += 1;
+                }
+            });
+        });
+    }
+    group.finish();
+}
+
+/// Measures the overhead of BytePacketBuffer allocation + zero-init
+fn bench_buffer_alloc(c: &mut Criterion) {
+    c.bench_function("buffer_alloc", |b| {
+        b.iter(|| {
+            let buf = BytePacketBuffer::new();
+            criterion::black_box(buf.pos());
+        })
+    });
+}
+
+criterion_group!(benches, bench_pipeline_throughput, bench_buffer_alloc,);
+criterion_main!(benches);
diff --git a/src/api.rs b/src/api.rs
index 2df9d73..1c6283c 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -220,7 +220,7 @@ async fn create_overrides(
         })
         .collect::<Result<Vec<_>, (StatusCode, String)>>()?;
 
-    let mut store = ctx.overrides.lock().unwrap();
+    let mut store = ctx.overrides.write().unwrap();
     let mut responses = Vec::with_capacity(parsed.len());
 
     for (domain, target, ttl, duration_secs) in parsed {
@@ -241,7 +241,7 @@ async fn create_overrides(
 }
 
 async fn list_overrides(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<OverrideResponse>> {
-    let store = ctx.overrides.lock().unwrap();
+    let store = ctx.overrides.read().unwrap();
     let entries: Vec<OverrideResponse> = store
         .list()
         .into_iter()
@@ -254,7 +254,7 @@ async fn get_override(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> Result<Json<OverrideResponse>, StatusCode> {
-    let store = ctx.overrides.lock().unwrap();
+    let store = ctx.overrides.read().unwrap();
     let entry = store.get(&domain).ok_or(StatusCode::NOT_FOUND)?;
     Ok(Json(OverrideResponse::from(entry)))
 }
@@ -263,7 +263,7 @@ async fn remove_override(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> StatusCode {
-    let mut store = ctx.overrides.lock().unwrap();
+    let mut store = ctx.overrides.write().unwrap();
     if store.remove(&domain) {
         StatusCode::NO_CONTENT
     } else {
@@ -272,7 +272,7 @@ async fn remove_override(
 }
 
 async fn clear_overrides(State(ctx): State<Arc<ServerCtx>>) -> StatusCode {
-    ctx.overrides.lock().unwrap().clear();
+    ctx.overrides.write().unwrap().clear();
     StatusCode::NO_CONTENT
 }
 
@@ -280,7 +280,7 @@ async fn load_environment(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<EnvironmentRequest>,
 ) -> Result<(StatusCode, Json<EnvironmentResponse>), (StatusCode, String)> {
-    let mut store = ctx.overrides.lock().unwrap();
+    let mut store = ctx.overrides.write().unwrap();
 
     for entry in &req.overrides {
         let duration = entry.duration_secs.or(req.duration_secs);
@@ -307,7 +307,7 @@ async fn diagnose(
 
     // Check overrides
     {
-        let store = ctx.overrides.lock().unwrap();
+        let store = ctx.overrides.read().unwrap();
         let entry = store.get(&domain_lower);
         steps.push(DiagnoseStep {
             source: "override".to_string(),
@@ -319,7 +319,7 @@ async fn diagnose(
 
     // Check blocklist
     {
-        let bl = ctx.blocklist.lock().unwrap();
+        let bl = ctx.blocklist.read().unwrap();
         let blocked = bl.is_blocked(&domain_lower);
         steps.push(DiagnoseStep {
             source: "blocklist".to_string(),
@@ -345,7 +345,7 @@ async fn diagnose(
 
     // Check cache
     {
-        let mut cache = ctx.cache.lock().unwrap();
+        let cache = ctx.cache.read().unwrap();
         let cached = cache.lookup(&domain_lower, qtype);
         steps.push(DiagnoseStep {
             source: "cache".to_string(),
@@ -443,11 +443,11 @@ async fn query_log(
 async fn stats(State(ctx): State<Arc<ServerCtx>>) -> Json<StatsResponse> {
     let snap = ctx.stats.lock().unwrap().snapshot();
     let (cache_len, cache_max) = {
-        let cache = ctx.cache.lock().unwrap();
+        let cache = ctx.cache.read().unwrap();
         (cache.len(), cache.max_entries())
     };
-    let override_count = ctx.overrides.lock().unwrap().active_count();
-    let bl_stats = ctx.blocklist.lock().unwrap().stats();
+    let override_count = ctx.overrides.read().unwrap().active_count();
+    let bl_stats = ctx.blocklist.read().unwrap().stats();
 
     let upstream = ctx.upstream.lock().unwrap().to_string();
 
@@ -486,7 +486,7 @@ async fn stats(State(ctx): State<Arc<ServerCtx>>) -> Json<StatsResponse> {
 }
 
 async fn list_cache(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<CacheEntryResponse>> {
-    let cache = ctx.cache.lock().unwrap();
+    let cache = ctx.cache.read().unwrap();
     let entries: Vec<CacheEntryResponse> = cache
         .list()
         .into_iter()
@@ -500,7 +500,7 @@ async fn list_cache(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<CacheEntryRes
 }
 
 async fn flush_cache(State(ctx): State<Arc<ServerCtx>>) -> StatusCode {
-    ctx.cache.lock().unwrap().clear();
+    ctx.cache.write().unwrap().clear();
     StatusCode::NO_CONTENT
 }
 
@@ -508,7 +508,7 @@ async fn flush_cache_domain(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> StatusCode {
-    ctx.cache.lock().unwrap().remove(&domain);
+    ctx.cache.write().unwrap().remove(&domain);
     StatusCode::NO_CONTENT
 }
 
@@ -519,7 +519,7 @@ async fn health() -> Json<serde_json::Value> {
 // --- Blocking handlers ---
 
 async fn blocking_stats(State(ctx): State<Arc<ServerCtx>>) -> Json<serde_json::Value> {
-    let stats = ctx.blocklist.lock().unwrap().stats();
+    let stats = ctx.blocklist.read().unwrap().stats();
     Json(serde_json::json!({
         "enabled": stats.enabled,
         "paused": stats.paused,
@@ -539,7 +539,7 @@ async fn blocking_toggle(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<BlockingToggleRequest>,
 ) -> Json<serde_json::Value> {
-    ctx.blocklist.lock().unwrap().set_enabled(req.enabled);
+    ctx.blocklist.write().unwrap().set_enabled(req.enabled);
     Json(serde_json::json!({ "enabled": req.enabled }))
 }
 
@@ -557,12 +557,12 @@ async fn blocking_pause(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<BlockingPauseRequest>,
 ) -> Json<serde_json::Value> {
-    ctx.blocklist.lock().unwrap().pause(req.minutes * 60);
+    ctx.blocklist.write().unwrap().pause(req.minutes * 60);
     Json(serde_json::json!({ "paused_minutes": req.minutes }))
 }
 
 async fn blocking_unpause(State(ctx): State<Arc<ServerCtx>>) -> Json<serde_json::Value> {
-    ctx.blocklist.lock().unwrap().unpause();
+    ctx.blocklist.write().unwrap().unpause();
     Json(serde_json::json!({ "paused": false }))
 }
 
@@ -570,12 +570,12 @@ async fn blocking_check(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> Json<crate::blocklist::BlockCheckResult> {
-    let result = ctx.blocklist.lock().unwrap().check(&domain);
+    let result = ctx.blocklist.read().unwrap().check(&domain);
     Json(result)
 }
 
 async fn blocking_allowlist(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<String>> {
-    let list = ctx.blocklist.lock().unwrap().allowlist();
+    let list = ctx.blocklist.read().unwrap().allowlist();
     Json(list)
 }
 
@@ -588,7 +588,7 @@ async fn blocking_allowlist_add(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<AllowlistRequest>,
 ) -> (StatusCode, Json<serde_json::Value>) {
-    ctx.blocklist.lock().unwrap().add_to_allowlist(&req.domain);
+    ctx.blocklist.write().unwrap().add_to_allowlist(&req.domain);
     (
         StatusCode::CREATED,
         Json(serde_json::json!({ "allowed": req.domain })),
@@ -599,7 +599,12 @@ async fn blocking_allowlist_remove(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> StatusCode {
-    if ctx.blocklist.lock().unwrap().remove_from_allowlist(&domain) {
+    if ctx
+        .blocklist
+        .write()
+        .unwrap()
+        .remove_from_allowlist(&domain)
+    {
         StatusCode::NO_CONTENT
     } else {
         StatusCode::NOT_FOUND
diff --git a/src/cache.rs b/src/cache.rs
index 0586bc9..decde82 100644
--- a/src/cache.rs
+++ b/src/cache.rs
@@ -19,7 +19,6 @@ pub struct DnsCache {
     max_entries: usize,
     min_ttl: u32,
     max_ttl: u32,
-    query_count: u64,
 }
 
 impl DnsCache {
@@ -30,29 +29,16 @@ impl DnsCache {
             max_entries,
             min_ttl,
             max_ttl,
-            query_count: 0,
         }
     }
 
-    pub fn lookup(&mut self, domain: &str, qtype: QueryType) -> Option<DnsPacket> {
-        self.query_count += 1;
-
-        if self.query_count.is_multiple_of(1000) {
-            self.evict_expired();
-        }
-
+    /// Read-only lookup — expired entries are left in place (cleaned up on insert).
+    pub fn lookup(&self, domain: &str, qtype: QueryType) -> Option<DnsPacket> {
         let type_map = self.entries.get(domain)?;
         let entry = type_map.get(&qtype)?;
 
         let elapsed = entry.inserted_at.elapsed();
         if elapsed >= entry.ttl {
-            // Expired: remove this entry
-            let type_map = self.entries.get_mut(domain).unwrap();
-            type_map.remove(&qtype);
-            self.entry_count -= 1;
-            if type_map.is_empty() {
-                self.entries.remove(domain);
-            }
             return None;
         }
 
diff --git a/src/ctx.rs b/src/ctx.rs
index 925ab4a..80b9226 100644
--- a/src/ctx.rs
+++ b/src/ctx.rs
@@ -1,6 +1,6 @@
 use std::net::SocketAddr;
 use std::path::PathBuf;
-use std::sync::Mutex;
+use std::sync::{Mutex, RwLock};
 use std::time::{Duration, Instant, SystemTime};
 
 use arc_swap::ArcSwap;
@@ -27,10 +27,10 @@ use crate::system_dns::ForwardingRule;
 pub struct ServerCtx {
     pub socket: UdpSocket,
     pub zone_map: ZoneMap,
-    pub cache: Mutex<DnsCache>,
+    pub cache: RwLock<DnsCache>,
     pub stats: Mutex<ServerStats>,
-    pub overrides: Mutex<OverrideStore>,
-    pub blocklist: Mutex<BlocklistStore>,
+    pub overrides: RwLock<OverrideStore>,
+    pub blocklist: RwLock<BlocklistStore>,
     pub query_log: Mutex<QueryLog>,
     pub services: Mutex<ServiceStore>,
     pub lan_peers: Mutex<PeerStore>,
@@ -73,7 +73,7 @@ pub async fn handle_query(
     // Pipeline: overrides -> .tld interception -> blocklist -> local zones -> cache -> upstream
     // Each lock is scoped to avoid holding MutexGuard across await points.
     let (response, path) = {
-        let override_record = ctx.overrides.lock().unwrap().lookup(&qname);
+        let override_record = ctx.overrides.read().unwrap().lookup(&qname);
         if let Some(record) = override_record {
             let mut resp = DnsPacket::response_from(&query, ResultCode::NOERROR);
             resp.answers.push(record);
@@ -116,7 +116,7 @@ pub async fn handle_query(
                 }),
             }
             (resp, QueryPath::Local)
-        } else if ctx.blocklist.lock().unwrap().is_blocked(&qname) {
+        } else if ctx.blocklist.read().unwrap().is_blocked(&qname) {
             let mut resp = DnsPacket::response_from(&query, ResultCode::NOERROR);
             match qtype {
                 QueryType::AAAA => resp.answers.push(DnsRecord::AAAA {
@@ -136,7 +136,7 @@ pub async fn handle_query(
             resp.answers = records.clone();
             (resp, QueryPath::Local)
         } else {
-            let cached = ctx.cache.lock().unwrap().lookup(&qname, qtype);
+            let cached = ctx.cache.read().unwrap().lookup(&qname, qtype);
             if let Some(cached) = cached {
                 let mut resp = cached;
                 resp.header.id = query.header.id;
@@ -149,7 +149,7 @@ pub async fn handle_query(
                     };
                 match forward_query(&query, &upstream, ctx.timeout).await {
                     Ok(resp) => {
-                        ctx.cache.lock().unwrap().insert(&qname, qtype, &resp);
+                        ctx.cache.write().unwrap().insert(&qname, qtype, &resp);
                         (resp, QueryPath::Forwarded)
                     }
                     Err(e) => {
diff --git a/src/main.rs b/src/main.rs
index 8e23e78..7e739aa 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,5 @@
 use std::net::SocketAddr;
-use std::sync::{Arc, Mutex};
+use std::sync::{Arc, Mutex, RwLock};
 use std::time::Duration;
 
 use arc_swap::ArcSwap;
@@ -170,14 +170,14 @@ async fn main() -> numa::Result<()> {
     let ctx = Arc::new(ServerCtx {
         socket: UdpSocket::bind(&config.server.bind_addr).await?,
         zone_map: build_zone_map(&config.zones)?,
-        cache: Mutex::new(DnsCache::new(
+        cache: RwLock::new(DnsCache::new(
             config.cache.max_entries,
             config.cache.min_ttl,
             config.cache.max_ttl,
         )),
         stats: Mutex::new(ServerStats::new()),
-        overrides: Mutex::new(OverrideStore::new()),
-        blocklist: Mutex::new(blocklist),
+        overrides: RwLock::new(OverrideStore::new()),
+        blocklist: RwLock::new(blocklist),
         query_log: Mutex::new(QueryLog::new(1000)),
         services: Mutex::new(service_store),
         lan_peers: Mutex::new(numa::lan::PeerStore::new(config.lan.peer_timeout_secs)),
@@ -541,7 +541,7 @@ async fn load_blocklists(ctx: &ServerCtx, lists: &[String]) {
 
     // Swap under lock — sub-microsecond
     ctx.blocklist
-        .lock()
+        .write()
         .unwrap()
         .swap_domains(all_domains, sources);
     info!(
diff --git a/src/override_store.rs b/src/override_store.rs
index a1c7bf8..2ae671c 100644
--- a/src/override_store.rs
+++ b/src/override_store.rs
@@ -64,6 +64,9 @@ impl OverrideStore {
         ttl: u32,
         duration_secs: Option<u64>,
     ) -> Result<QueryType> {
+        // Clean up expired entries on write
+        self.entries.retain(|_, e| !e.is_expired());
+
         let domain_lower = domain.to_lowercase();
         let (qtype, record) = parse_target(&domain_lower, target, ttl)?;
 
@@ -84,10 +87,10 @@ impl OverrideStore {
     }
 
     /// Hot path: assumes `domain` is already lowercased (the parser does this).
-    pub fn lookup(&mut self, domain: &str) -> Option<DnsRecord> {
+    /// Read-only — expired entries are left in place (cleaned up on write operations).
+    pub fn lookup(&self, domain: &str) -> Option<DnsRecord> {
         let entry = self.entries.get(domain)?;
         if entry.is_expired() {
-            self.entries.remove(domain);
             return None;
         }
         Some(entry.record.clone())
diff --git a/src/packet.rs b/src/packet.rs
index bca60c2..2c4c85a 100644
--- a/src/packet.rs
+++ b/src/packet.rs
@@ -46,7 +46,7 @@ impl DnsPacket {
         result.header.read(buffer)?;
 
         for _ in 0..result.header.questions {
-            let mut question = DnsQuestion::new("".to_string(), QueryType::UNKNOWN(0));
+            let mut question = DnsQuestion::new(String::with_capacity(64), QueryType::UNKNOWN(0));
             question.read(buffer)?;
             result.questions.push(question);
         }
@@ -68,34 +68,36 @@ impl DnsPacket {
     }
 
     pub fn write(&self, buffer: &mut BytePacketBuffer) -> Result<()> {
-        // Filter out UNKNOWN records (e.g. EDNS OPT) that we can't re-serialize
-        let answers: Vec<_> = self.answers.iter().filter(|r| !r.is_unknown()).collect();
-        let authorities: Vec<_> = self
-            .authorities
-            .iter()
-            .filter(|r| !r.is_unknown())
-            .collect();
-        let resources: Vec<_> = self.resources.iter().filter(|r| !r.is_unknown()).collect();
+        // Count known records without allocating filter Vecs
+        let answer_count = self.answers.iter().filter(|r| !r.is_unknown()).count() as u16;
+        let auth_count = self.authorities.iter().filter(|r| !r.is_unknown()).count() as u16;
+        let res_count = self.resources.iter().filter(|r| !r.is_unknown()).count() as u16;
 
         let mut header = self.header.clone();
         header.questions = self.questions.len() as u16;
-        header.answers = answers.len() as u16;
-        header.authoritative_entries = authorities.len() as u16;
-        header.resource_entries = resources.len() as u16;
+        header.answers = answer_count;
+        header.authoritative_entries = auth_count;
+        header.resource_entries = res_count;
 
         header.write(buffer)?;
 
         for question in &self.questions {
             question.write(buffer)?;
         }
-        for rec in answers {
-            rec.write(buffer)?;
+        for rec in &self.answers {
+            if !rec.is_unknown() {
+                rec.write(buffer)?;
+            }
         }
-        for rec in authorities {
-            rec.write(buffer)?;
+        for rec in &self.authorities {
+            if !rec.is_unknown() {
+                rec.write(buffer)?;
+            }
         }
-        for rec in resources {
-            rec.write(buffer)?;
+        for rec in &self.resources {
+            if !rec.is_unknown() {
+                rec.write(buffer)?;
+            }
         }
 
         Ok(())
diff --git a/src/record.rs b/src/record.rs
index f525cbb..b7522dc 100644
--- a/src/record.rs
+++ b/src/record.rs
@@ -70,7 +70,7 @@ impl DnsRecord {
     }
 
     pub fn read(buffer: &mut BytePacketBuffer) -> Result<DnsRecord> {
-        let mut domain = String::new();
+        let mut domain = String::with_capacity(64);
         buffer.read_qname(&mut domain)?;
 
         let qtype_num = buffer.read_u16()?;
@@ -110,7 +110,7 @@ impl DnsRecord {
                 Ok(DnsRecord::AAAA { domain, addr, ttl })
             }
             QueryType::NS => {
-                let mut ns = String::new();
+                let mut ns = String::with_capacity(64);
                 buffer.read_qname(&mut ns)?;
 
                 Ok(DnsRecord::NS {
@@ -120,7 +120,7 @@ impl DnsRecord {
                 })
             }
             QueryType::CNAME => {
-                let mut cname = String::new();
+                let mut cname = String::with_capacity(64);
                 buffer.read_qname(&mut cname)?;
 
                 Ok(DnsRecord::CNAME {
@@ -131,7 +131,7 @@ impl DnsRecord {
             }
             QueryType::MX => {
                 let priority = buffer.read_u16()?;
-                let mut mx = String::new();
+                let mut mx = String::with_capacity(64);
                 buffer.read_qname(&mut mx)?;
 
                 Ok(DnsRecord::MX {
-- 
2.34.1


From f8e340ca1724515bd428753d94c200361bdec7c2 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu <ssaricu@gmail.com>
Date: Wed, 25 Mar 2026 06:14:00 +0200
Subject: [PATCH 2/5] chore: simplify benchmark code after review

- Remove redundant DnsHeader::new() (already set by DnsPacket::new())
- Remove unused DnsHeader import
- Change simulate_cached_pipeline to take &DnsCache (lookup is &self now)
- Remove unnecessary mut on cache in cache_lookup_miss bench

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 benches/hot_path.rs   | 5 ++---
 benches/throughput.rs | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/benches/hot_path.rs b/benches/hot_path.rs
index ecd84ae..accfcf2 100644
--- a/benches/hot_path.rs
+++ b/benches/hot_path.rs
@@ -3,14 +3,13 @@ use std::net::Ipv4Addr;
 
 use numa::buffer::BytePacketBuffer;
 use numa::cache::DnsCache;
-use numa::header::{DnsHeader, ResultCode};
+use numa::header::ResultCode;
 use numa::packet::DnsPacket;
 use numa::question::{DnsQuestion, QueryType};
 use numa::record::DnsRecord;
 
 fn make_response(domain: &str) -> DnsPacket {
     let mut pkt = DnsPacket::new();
-    pkt.header = DnsHeader::new();
     pkt.header.id = 0x1234;
     pkt.header.response = true;
     pkt.header.recursion_desired = true;
@@ -93,7 +92,7 @@ fn bench_cache_lookup_hit(c: &mut Criterion) {
 }
 
 fn bench_cache_lookup_miss(c: &mut Criterion) {
-    let mut cache = DnsCache::new(10_000, 60, 86400);
+    let cache = DnsCache::new(10_000, 60, 86400);
 
     c.bench_function("cache_lookup_miss", |b| {
         b.iter(|| cache.lookup(black_box("nonexistent.com"), QueryType::A))
diff --git a/benches/throughput.rs b/benches/throughput.rs
index 688b4e0..e01a25c 100644
--- a/benches/throughput.rs
+++ b/benches/throughput.rs
@@ -37,7 +37,7 @@ fn make_response(domain: &str) -> DnsPacket {
 
 /// Simulates the complete cached query pipeline (sans network I/O):
 /// parse → cache lookup → TTL adjust → serialize response
-fn simulate_cached_pipeline(query_wire: &[u8], cache: &mut numa::cache::DnsCache) -> usize {
+fn simulate_cached_pipeline(query_wire: &[u8], cache: &numa::cache::DnsCache) -> usize {
     let mut buf = BytePacketBuffer::from_bytes(query_wire);
     let query = DnsPacket::from_buffer(&mut buf).unwrap();
     let q = &query.questions[0];
@@ -71,7 +71,7 @@ fn bench_pipeline_throughput(c: &mut Criterion) {
             b.iter(|| {
                 for _ in 0..count {
                     let wire = &query_wires[idx % query_wires.len()];
-                    simulate_cached_pipeline(wire, &mut cache);
+                    simulate_cached_pipeline(wire, &cache);
                     idx += 1;
                 }
             });
-- 
2.34.1


From 38b5cd2cce4b156fa7de16b66d7a1c58f78e2d66 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu <ssaricu@gmail.com>
Date: Fri, 27 Mar 2026 00:30:50 +0200
Subject: [PATCH 3/5] site: landing page overhaul, blog, benchmarks, numa.rs
 domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Landing page:
- Split features into 3-layer card layout (Block & Protect, Developer Tools, Self-Sovereign DNS)
- Add DoH and conditional forwarding to comparison table
- Fix performance claim (2.3M → 2.0M qps to match benchmarks)
- Add all 3 install methods (brew, cargo, curl)
- Add OG tags + canonical URL for numa.rs
- Fix code block whitespace rendering
- Update roadmap with .onion bridge phase

Blog:
- Add "Building a DNS Resolver from Scratch in Rust" post
- Blog index + template for future posts

Other:
- CNAME for GitHub Pages (numa.rs)
- Benchmark results (bench/results.json)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 bench/results.json              |  50 +++
 blog/dns-from-scratch.md        | 363 ++++++++++++++++
 site/CNAME                      |   1 +
 site/blog-template.html         | 303 ++++++++++++++
 site/blog/dns-from-scratch.html | 717 ++++++++++++++++++++++++++++++++
 site/blog/index.html            | 188 +++++++++
 site/index.html                 | 465 ++++++++++++++++-----
 7 files changed, 1977 insertions(+), 110 deletions(-)
 create mode 100644 bench/results.json
 create mode 100644 blog/dns-from-scratch.md
 create mode 100644 site/CNAME
 create mode 100644 site/blog-template.html
 create mode 100644 site/blog/dns-from-scratch.html
 create mode 100644 site/blog/index.html

diff --git a/bench/results.json b/bench/results.json
new file mode 100644
index 0000000..934835e
--- /dev/null
+++ b/bench/results.json
@@ -0,0 +1,50 @@
+{
+  "Numa(cold)": {
+    "avg": 9,
+    "p50": 9,
+    "p99": 18,
+    "min": 8,
+    "max": 18,
+    "count": 50
+  },
+  "Numa(cached)": {
+    "avg": 0,
+    "p50": 0,
+    "p99": 0,
+    "min": 0,
+    "max": 0,
+    "count": 50
+  },
+  "System": {
+    "avg": 9.1,
+    "p50": 8,
+    "p99": 44,
+    "min": 7,
+    "max": 44,
+    "count": 50
+  },
+  "Google": {
+    "avg": 22.4,
+    "p50": 17,
+    "p99": 37,
+    "min": 13,
+    "max": 37,
+    "count": 50
+  },
+  "Cloudflare": {
+    "avg": 18.7,
+    "p50": 14,
+    "p99": 132,
+    "min": 12,
+    "max": 132,
+    "count": 50
+  },
+  "Quad9": {
+    "avg": 14.5,
+    "p50": 13,
+    "p99": 43,
+    "min": 12,
+    "max": 43,
+    "count": 50
+  }
+}
\ No newline at end of file
diff --git a/blog/dns-from-scratch.md b/blog/dns-from-scratch.md
new file mode 100644
index 0000000..ebd6993
--- /dev/null
+++ b/blog/dns-from-scratch.md
@@ -0,0 +1,363 @@
+---
+title: I Built a DNS Resolver from Scratch in Rust
+description: How DNS actually works at the wire level — label compression, TTL tricks, DoH, and what surprised me building a resolver with zero DNS libraries.
+date: March 2026
+---
+
+I wanted to understand how DNS actually works. Not the "it translates domain names to IP addresses" explanation — the actual bytes on the wire. What does a DNS packet look like? How does label compression work? Why is everything crammed into 512 bytes?
+
+So I built one from scratch in Rust. No `hickory-dns`, no `trust-dns`, no `simple-dns`. The entire RFC 1035 wire protocol — headers, labels, compression pointers, record types — parsed and serialized by hand. It started as a weekend learning project, became a side project I kept coming back to over 6 years, and eventually turned into [Numa](https://github.com/razvandimescu/numa) — which I now use as my actual system DNS.
+
+A note on terminology before we go further: Numa is currently a *forwarding* resolver — it parses and caches DNS packets, but forwards queries to an upstream (Quad9, Cloudflare, or any DoH provider) rather than walking the delegation chain from root servers itself. Think of it as a smart proxy that does useful things with your DNS traffic locally (caching, ad blocking, overrides, local service domains) before forwarding what it can't answer. Full recursive resolution — where Numa talks directly to root and authoritative nameservers — is on the roadmap, along with DNSSEC validation.
+
+Here's what surprised me along the way.
+
+## What does a DNS packet actually look like?
+
+You can see a real one yourself. Run this:
+
+```bash
+dig @127.0.0.1 example.com A +noedns
+```
+
+```
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15242
+;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;example.com.                   IN      A
+
+;; ANSWER SECTION:
+example.com.            53      IN      A       104.18.27.120
+example.com.            53      IN      A       104.18.26.120
+```
+
+That's the human-readable version. But what's actually on the wire? A DNS query for `example.com A` is just 29 bytes:
+
+```
+         ID    Flags  QCount ACount NSCount ARCount
+        ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐
+Header: AB CD  01 00  00 01  00 00  00 00  00 00
+        └────┘ └────┘ └────┘ └────┘ └────┘ └────┘
+         ↑      ↑      ↑
+         │      │      └─ 1 question, 0 answers, 0 authority, 0 additional
+         │      └─ Standard query, recursion desired
+         └─ Random ID (we'll match this in the response)
+
+Question: 07 65 78 61 6D 70 6C 65  03 63 6F 6D  00  00 01  00 01
+          ── ─────────────────────  ── ─────────  ──  ─────  ─────
+          7  e  x  a  m  p  l  e   3  c  o  m   end  A      IN
+          ↑                        ↑             ↑
+          └─ length prefix         └─ length     └─ root label (end of name)
+```
+
+12 bytes of header + 17 bytes of question = 29 bytes to ask "what's the IP for example.com?" Compare that to an HTTP request for the same information — you'd need hundreds of bytes just for headers.
+
+We can send exactly those bytes and capture what comes back:
+
+```python
+python3 -c "
+import socket
+# Hand-craft a DNS query: header (12 bytes) + question (17 bytes)
+q  = b'\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00'  # header
+q += b'\x07example\x03com\x00\x00\x01\x00\x01'              # question
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.sendto(q, ('127.0.0.1', 53))
+resp = s.recv(512)
+for i in range(0, len(resp), 16):
+    h = ' '.join(f'{b:02x}' for b in resp[i:i+16])
+    a = ''.join(chr(b) if 32<=b<127 else '.' for b in resp[i:i+16])
+    print(f'{i:08x}  {h:<48s}  {a}')
+"
+```
+
+```
+00000000  ab cd 81 80 00 01 00 02 00 00 00 00 07 65 78 61   .............exa
+00000010  6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 07 65 78   mple.com......ex
+00000020  61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 00   ample.com.......
+00000030  00 19 00 04 68 12 1b 78 07 65 78 61 6d 70 6c 65   ....h..x.example
+00000040  03 63 6f 6d 00 00 01 00 01 00 00 00 19 00 04 68   .com...........h
+00000050  12 1a 78                                          ..x
+```
+
+83 bytes back. Let's annotate the response:
+
+```
+         ID    Flags  QCount ACount NSCount ARCount
+        ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐
+Header: AB CD  81 80  00 01  00 02  00 00  00 00
+        └────┘ └────┘ └────┘ └────┘ └────┘ └────┘
+         ↑      ↑      ↑      ↑
+         │      │      │      └─ 2 answers
+         │      │      └─ 1 question (echoed back)
+         │      └─ Response flag set, recursion available
+         └─ Same ID as our query
+
+Question: 07 65 78 61 6D 70 6C 65  03 63 6F 6D  00  00 01  00 01
+          (same as our query — echoed back)
+
+Answer 1: 07 65 78 61 6D 70 6C 65  03 63 6F 6D  00  00 01  00 01
+          ─────────────────────────────────────  ──  ─────  ─────
+          e  x  a  m  p  l  e  .  c  o  m       end  A      IN
+
+          00 00 00 19  00 04  68 12 1B 78
+          ───────────  ─────  ───────────
+          TTL: 25s     len:4  104.18.27.120
+
+Answer 2: (same domain repeated)  00 01  00 01  00 00 00 19  00 04  68 12 1A 78
+                                                                    ───────────
+                                                                    104.18.26.120
+```
+
+Notice something wasteful? The domain `example.com` appears *three times* — once in the question, twice in the answers. That's 39 bytes of repeated names in an 83-byte packet. DNS has a solution for this — but first, the overall structure.
+
+The whole thing fits in a single UDP datagram. The structure is:
+
+```
++--+--+--+--+--+--+--+--+
+|         Header         |  12 bytes: ID, flags, counts
++--+--+--+--+--+--+--+--+
+|        Questions       |  What you're asking
++--+--+--+--+--+--+--+--+
+|         Answers        |  The response records
++--+--+--+--+--+--+--+--+
+|       Authorities      |  NS records for the zone
++--+--+--+--+--+--+--+--+
+|       Additional       |  Extra helpful records
++--+--+--+--+--+--+--+--+
+```
+
+In Rust, parsing the header is just reading 12 bytes and unpacking the flags:
+
+```rust
+pub fn read(buffer: &mut BytePacketBuffer) -> Result<DnsHeader> {
+    let id = buffer.read_u16()?;
+    let flags = buffer.read_u16()?;
+    // Flags pack 9 fields into 16 bits
+    let recursion_desired = (flags & (1 << 8)) > 0;
+    let truncated_message = (flags & (1 << 9)) > 0;
+    let authoritative_answer = (flags & (1 << 10)) > 0;
+    let opcode = (flags >> 11) & 0x0F;
+    let response = (flags & (1 << 15)) > 0;
+    // ... and so on
+}
+```
+
+No padding, no alignment, no JSON overhead. DNS was designed in 1987 when every byte counted, and honestly? The wire format is kind of beautiful in its efficiency.
+
+## Label compression is the clever part
+
+Remember how `example.com` appeared three times in that 83-byte response? Domain names in DNS are stored as a sequence of **labels** — length-prefixed segments:
+
+```
+example.com → [7]example[3]com[0]
+```
+
+The `[7]` means "the next 7 bytes are a label." The `[0]` is the root label (end of name). That's 13 bytes per occurrence, 39 bytes for three repetitions. In a response with authority and additional records, domain names can account for half the packet.
+
+DNS solves this with **compression pointers** — if the top two bits of a length byte are `11`, the remaining 14 bits are an offset back into the packet where the rest of the name can be found. A well-compressed version of our response would replace the answer names with `C0 0C` — a 2-byte pointer to offset 12 where `example.com` first appears in the question section. That turns 39 bytes of names into 15 (13 + 2 + 2). Our upstream didn't bother compressing, but many do — especially when related domains appear:
+
+```
+Offset 0x20: [6]google[3]com[0]        ← full name
+Offset 0x40: [4]mail[0xC0][0x20]       ← "mail" + pointer to offset 0x20
+Offset 0x50: [3]www[0xC0][0x20]        ← "www" + pointer to offset 0x20
+```
+
+Pointers can chain — a pointer can point to another pointer. Parsing this correctly requires tracking your position in the buffer and handling jumps:
+
+```rust
+pub fn read_qname(&mut self, outstr: &mut String) -> Result<()> {
+    let mut pos = self.pos();
+    let mut jumped = false;
+    let mut delim = "";
+
+    loop {
+        let len = self.get(pos)?;
+
+        // Top two bits set = compression pointer
+        if (len & 0xC0) == 0xC0 {
+            if !jumped {
+                self.seek(pos + 2)?; // advance past the pointer
+            }
+            let offset = (((len as u16) ^ 0xC0) << 8) | self.get(pos + 1)? as u16;
+            pos = offset as usize;
+            jumped = true;
+            continue;
+        }
+
+        pos += 1;
+        if len == 0 { break; } // root label
+
+        outstr.push_str(delim);
+        outstr.push_str(&self.get_range(pos, len as usize)?
+            .iter().map(|&b| b as char).collect::<String>());
+        delim = ".";
+        pos += len as usize;
+    }
+
+    if !jumped {
+        self.seek(pos)?;
+    }
+    Ok(())
+}
+```
+
+This one bit me: when you follow a pointer, you must *not* advance the buffer's read position past where you jumped from. The pointer is 2 bytes, so you advance by 2, but the actual label data lives elsewhere in the packet. If you follow the pointer and also advance past it, you'll skip over the next record entirely. I spent a fun evening debugging that one.
+
+## TTL adjustment on read, not write
+
+This is my favorite trick in the whole codebase. I initially stored the remaining TTL and decremented it, which meant I needed a background thread to sweep expired entries. It worked, but it felt wrong — too much machinery for something simple.
+
+The cleaner approach: store the original TTL and the timestamp when the record was cached. On read, compute `remaining = original_ttl - elapsed`. If it's zero or negative, the entry is stale — evict it lazily.
+
+```rust
+pub fn lookup(&mut self, domain: &str, qtype: QueryType) -> Option<DnsPacket> {
+    let key = (domain.to_lowercase(), qtype);
+    let entry = self.entries.get(&key)?;
+    let elapsed = entry.cached_at.elapsed().as_secs() as u32;
+
+    if elapsed >= entry.original_ttl {
+        self.entries.remove(&key);
+        return None;
+    }
+
+    // Adjust TTLs in the response to reflect remaining time
+    let mut packet = entry.packet.clone();
+    for answer in &mut packet.answers {
+        answer.set_ttl(entry.original_ttl.saturating_sub(elapsed));
+    }
+    Some(packet)
+}
+```
+
+No background thread. No timer. Entries expire lazily. The cache stays consistent because every consumer sees the adjusted TTL.
+
+## Async per-query with tokio
+
+Each incoming UDP packet spawns a tokio task. The main loop never blocks:
+
+```rust
+loop {
+    let mut buffer = BytePacketBuffer::new();
+    let (_, src_addr) = socket.recv_from(&mut buffer.buf).await?;
+
+    let ctx = Arc::clone(&ctx);
+    tokio::spawn(async move {
+        if let Err(e) = handle_query(buffer, src_addr, &ctx).await {
+            error!("{} | HANDLER ERROR | {}", src_addr, e);
+        }
+    });
+}
+```
+
+Each `handle_query` walks a pipeline. This is the part where "from scratch" pays off — every step is just a function that either returns a response or says "not my problem, pass it on":
+
+```
+                     ┌─────────────────────────────────────────────────────┐
+                     │              Numa Resolution Pipeline               │
+                     └─────────────────────────────────────────────────────┘
+
+  Query ──→ Overrides ──→ .numa TLD ──→ Blocklist ──→ Zones ──→ Cache ──→ DoH
+    │        │              │             │             │         │         │
+    │        │ match?       │ match?      │ blocked?    │ match?  │ hit?    │
+    │        ↓              ↓             ↓             ↓         ↓         ↓
+    │      respond        respond       0.0.0.0      respond   respond   forward
+    │      (auto-reverts  (reverse      (ad gone)    (static   (TTL      to upstream
+    │       after N min)   proxy+TLS)                 records)  adjusted) (encrypted)
+    │
+    └──→ Each step either answers or passes to the next.
+         Adding a feature = inserting a function into this chain.
+```
+
+Want conditional forwarding for Tailscale? Insert a step before the upstream that checks the domain suffix. Want to override `api.example.com` for 5 minutes while debugging? Insert an entry in the overrides step — it auto-expires and the domain goes back to resolving normally. A DNS library would have hidden this pipeline behind an opaque `resolve()` call.
+
+This is one of those cases where Rust + tokio makes things almost embarrassingly simple. In a synchronous resolver, you'd need a thread pool or hand-rolled event loop. Here, each query is a lightweight future. A slow upstream query doesn't block anything — other queries keep flowing.
+
+## DNS-over-HTTPS: the "wait, that's it?" moment
+
+The most recent addition, and honestly the one that surprised me with how little code it needed. DoH (RFC 8484) is conceptually simple: take the exact same DNS wire-format packet you'd send over UDP, POST it to an HTTPS endpoint with `Content-Type: application/dns-message`, and parse the response the same way. Same bytes, different transport.
+
+```rust
+async fn forward_doh(
+    query: &DnsPacket,
+    url: &str,
+    client: &reqwest::Client,
+    timeout_duration: Duration,
+) -> Result<DnsPacket> {
+    let mut send_buffer = BytePacketBuffer::new();
+    query.write(&mut send_buffer)?;
+
+    let resp = timeout(timeout_duration, client
+        .post(url)
+        .header("content-type", "application/dns-message")
+        .header("accept", "application/dns-message")
+        .body(send_buffer.filled().to_vec())
+        .send())
+    .await??.error_for_status()?;
+
+    let bytes = resp.bytes().await?;
+    let mut recv_buffer = BytePacketBuffer::from_bytes(&bytes);
+    DnsPacket::from_buffer(&mut recv_buffer)
+}
+```
+
+The one gotcha that cost me an hour: Quad9 and other DoH providers require HTTP/2. My first attempt used HTTP/1.1 and got a cryptic 400 Bad Request. Adding the `http2` feature to reqwest fixed it. The upside of HTTP/2? Connection multiplexing means subsequent queries reuse the TLS session — ~16ms vs ~50ms for the first query. Free performance.
+
+The `Upstream` enum dispatches between UDP and DoH based on the URL scheme:
+
+```rust
+pub enum Upstream {
+    Udp(SocketAddr),
+    Doh { url: String, client: reqwest::Client },
+}
+```
+
+If the configured address starts with `https://`, it's DoH. Otherwise, plain UDP. Simple, no toggles.
+
+## "Why not just use dnsmasq + nginx + mkcert?"
+
+Fair question — I got this a lot when I first [posted about Numa](https://www.reddit.com/r/programare/). And the answer is: you absolutely can. Those are mature, battle-tested tools.
+
+The difference is integration. With dnsmasq + nginx + mkcert, you're configuring three tools: DNS resolution, reverse proxy rules, and certificate generation. Each has its own config format, its own lifecycle, its own failure modes. Numa puts the DNS record, the reverse proxy, and the TLS cert behind a single API call:
+
+```bash
+curl -X POST localhost:5380/services -d '{"name":"frontend","target_port":5173}'
+```
+
+That creates the DNS entry, generates a TLS certificate with the correct SAN, and starts proxying — including WebSocket upgrade for Vite HMR. One command, no config files.
+
+There's also a distinction people miss: **mkcert and certbot solve different problems.** Certbot issues certificates for public domains via Let's Encrypt — it needs DNS validation or an open port 80. Numa generates certificates for `.numa` domains that don't exist publicly. You can't get a Let's Encrypt cert for `frontend.numa`. They're complementary, not alternatives.
+
+Someone on Reddit told me the real value is "TLS termination + reverse proxy, simple to install, for developers — stop there." Honestly, they might be right about focus. But DNS is the foundation the proxy sits on, and having full control over the resolution pipeline is what makes auto-revert overrides and LAN discovery possible. Sometimes the "unnecessary" part is what makes the interesting part work.
+
+## The blocklist memory problem
+
+Numa's ad blocking loads the [Hagezi Pro](https://github.com/hagezi/dns-blocklists) list at startup — ~385,000 domains stored in a `HashSet<String>`. This works, but it consumes ~30MB of memory. For a laptop DNS proxy, that's fine. For embedded devices or a future where you want to run Numa on a router, it's too much.
+
+The obvious optimization is a **Bloom filter** — a probabilistic data structure that can tell you "definitely not in the set" or "probably in the set" using a fraction of the memory. A Bloom filter for 385K domains with a 0.1% false positive rate would use ~700KB instead of 30MB. The false positives (0.1% of queries hitting domains not in the list) would be blocked unnecessarily, which is acceptable for ad blocking.
+
+I haven't implemented this yet — the `HashSet` is simple, correct, and 30MB is nothing on a laptop. But if Numa ever needs to run on a router or a Raspberry Pi, this is the first optimization I'd reach for.
+
+## What I learned
+
+**DNS is a 40-year-old protocol that works remarkably well.** The wire format is tight, the caching model is elegant, and the hierarchical delegation system has scaled to billions of queries per day. The things people complain about (DNSSEC complexity, lack of encryption) are extensions bolted on decades later, not flaws in the original design.
+
+**"From scratch" gives you full control.** When I wanted to add ephemeral overrides that auto-revert, it was trivial — just a new step in the resolution pipeline. Conditional forwarding for Tailscale/VPN? Another step. Every feature is a function that takes a query and returns either a response or "pass to the next stage." A DNS library would have hidden this pipeline.
+
+**The hard parts aren't where you'd expect.** Parsing the wire protocol was straightforward (RFC 1035 is well-written). The hard parts were: browsers rejecting wildcard certs under single-label TLDs (`*.numa` fails — you need per-service SANs), macOS resolver quirks (scutil vs /etc/resolv.conf), and getting multiple processes to bind the same multicast port (`SO_REUSEPORT` on macOS, `SO_REUSEADDR` on Linux).
+
+**Terminology will get you roasted.** I initially called Numa a "DNS resolver" and got corrected on Reddit — it's a forwarding resolver (DNS proxy). It doesn't walk the delegation chain from root servers; it forwards to an upstream. The distinction matters to people who work with DNS for a living, and being sloppy about it cost me credibility in my first community posts. If you're building in a domain with established terminology, learn the vocabulary before you show up.
+
+## What's next
+
+Numa is at v0.5.0 with DNS forwarding, caching, ad blocking, DNS-over-HTTPS, .numa local domains with auto TLS, and LAN service discovery.
+
+On the roadmap:
+
+- **DoT (DNS-over-TLS)** — DoH was first because it passes through captive portals and corporate firewalls (port 443 vs 853). DoT has less framing overhead, so it's faster. Both will be available.
+- **Recursive resolution** — walk the delegation chain from root servers instead of forwarding. Combined with DNSSEC validation, this removes the need to trust any upstream resolver.
+- **[pkarr](https://github.com/pubky/pkarr) integration** — self-sovereign DNS via the Mainline BitTorrent DHT. Publish DNS records signed with your Ed25519 key, no registrar needed.
+
+But those are rabbit holes for future posts.
+
+[github.com/razvandimescu/numa](https://github.com/razvandimescu/numa)
diff --git a/site/CNAME b/site/CNAME
new file mode 100644
index 0000000..3004d18
--- /dev/null
+++ b/site/CNAME
@@ -0,0 +1 @@
+numa.rs
\ No newline at end of file
diff --git a/site/blog-template.html b/site/blog-template.html
new file mode 100644
index 0000000..61bdb3b
--- /dev/null
+++ b/site/blog-template.html
@@ -0,0 +1,303 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>$title$ — Numa</title>
+<meta name="description" content="$description$">
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<style>
+*, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+
+:root {
+  --bg-deep: #f5f0e8;
+  --bg-surface: #ece5da;
+  --bg-elevated: #e3dbce;
+  --bg-card: #faf7f2;
+  --amber: #c0623a;
+  --amber-dim: #9e4e2d;
+  --teal: #6b7c4e;
+  --teal-dim: #566540;
+  --violet: #64748b;
+  --text-primary: #2c2418;
+  --text-secondary: #6b5e4f;
+  --text-dim: #a39888;
+  --border: rgba(0, 0, 0, 0.08);
+  --border-amber: rgba(192, 98, 58, 0.22);
+  --font-display: 'Instrument Serif', Georgia, serif;
+  --font-body: 'DM Sans', system-ui, sans-serif;
+  --font-mono: 'JetBrains Mono', monospace;
+}
+
+html { scroll-behavior: smooth; }
+
+body {
+  background: var(--bg-deep);
+  color: var(--text-primary);
+  font-family: var(--font-body);
+  font-weight: 400;
+  line-height: 1.7;
+  -webkit-font-smoothing: antialiased;
+}
+
+body::before {
+  content: '';
+  position: fixed;
+  inset: 0;
+  background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 256 256' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.9' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23n)' opacity='0.025'/%3E%3C/svg%3E");
+  pointer-events: none;
+  z-index: 9999;
+}
+
+/* --- Blog nav --- */
+.blog-nav {
+  padding: 1.5rem 2rem;
+  display: flex;
+  align-items: center;
+  gap: 1.5rem;
+}
+
+.blog-nav a {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-decoration: none;
+  transition: color 0.2s;
+}
+.blog-nav a:hover { color: var(--amber); }
+
+.blog-nav .wordmark {
+  font-family: var(--font-display);
+  font-size: 1.4rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  text-decoration: none;
+  letter-spacing: -0.02em;
+}
+.blog-nav .wordmark:hover { color: var(--amber); }
+
+.blog-nav .sep {
+  color: var(--text-dim);
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+}
+
+/* --- Article --- */
+.article {
+  max-width: 720px;
+  margin: 0 auto;
+  padding: 3rem 2rem 6rem;
+}
+
+.article-header {
+  margin-bottom: 3rem;
+  padding-bottom: 2rem;
+  border-bottom: 1px solid var(--border);
+}
+
+.article-header h1 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: clamp(2rem, 5vw, 3rem);
+  line-height: 1.15;
+  margin-bottom: 1rem;
+  color: var(--text-primary);
+}
+
+.article-meta {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  color: var(--text-dim);
+  letter-spacing: 0.04em;
+}
+
+.article-meta a {
+  color: var(--amber);
+  text-decoration: none;
+}
+.article-meta a:hover { text-decoration: underline; }
+
+/* --- Prose --- */
+.article h2 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: 1.8rem;
+  line-height: 1.2;
+  margin: 3rem 0 1rem;
+  color: var(--text-primary);
+}
+
+.article h3 {
+  font-family: var(--font-body);
+  font-weight: 600;
+  font-size: 1.2rem;
+  margin: 2rem 0 0.75rem;
+  color: var(--text-primary);
+}
+
+.article p {
+  margin-bottom: 1.25rem;
+  color: var(--text-secondary);
+  font-size: 1.05rem;
+}
+
+.article a {
+  color: var(--amber);
+  text-decoration: underline;
+  text-decoration-color: rgba(192, 98, 58, 0.3);
+  text-underline-offset: 2px;
+  transition: text-decoration-color 0.2s;
+}
+.article a:hover {
+  text-decoration-color: var(--amber);
+}
+
+.article strong {
+  color: var(--text-primary);
+  font-weight: 600;
+}
+
+.article ul, .article ol {
+  margin-bottom: 1.25rem;
+  padding-left: 1.5rem;
+  color: var(--text-secondary);
+}
+
+.article li {
+  margin-bottom: 0.4rem;
+  font-size: 1.05rem;
+}
+
+.article blockquote {
+  border-left: 3px solid var(--amber);
+  padding: 0.75rem 1.25rem;
+  margin: 1.5rem 0;
+  background: rgba(192, 98, 58, 0.04);
+  border-radius: 0 4px 4px 0;
+}
+
+.article blockquote p {
+  color: var(--text-secondary);
+  font-style: italic;
+  margin-bottom: 0;
+}
+
+/* --- Code --- */
+.article code {
+  font-family: var(--font-mono);
+  font-size: 0.88em;
+  background: var(--bg-elevated);
+  padding: 0.15em 0.4em;
+  border-radius: 3px;
+  color: var(--amber-dim);
+}
+
+.article pre {
+  background: var(--bg-card);
+  border: 1px solid var(--border);
+  border-radius: 6px;
+  padding: 1.25rem 1.5rem;
+  margin: 1.5rem 0;
+  overflow-x: auto;
+  line-height: 1.55;
+}
+
+.article pre code {
+  background: none;
+  padding: 0;
+  border-radius: 0;
+  color: var(--text-primary);
+  font-size: 0.85rem;
+}
+
+/* --- Images --- */
+.article img {
+  max-width: 100%;
+  border-radius: 6px;
+  border: 1px solid var(--border);
+  margin: 1.5rem 0;
+}
+
+/* --- Tables --- */
+.article table {
+  width: 100%;
+  border-collapse: collapse;
+  margin: 1.5rem 0;
+  font-size: 0.95rem;
+}
+
+.article th {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-align: left;
+  padding: 0.6rem 1rem;
+  border-bottom: 2px solid var(--border);
+}
+
+.article td {
+  padding: 0.6rem 1rem;
+  border-bottom: 1px solid var(--border);
+  color: var(--text-secondary);
+}
+
+/* --- Footer --- */
+.blog-footer {
+  text-align: center;
+  padding: 3rem 2rem;
+  border-top: 1px solid var(--border);
+  max-width: 720px;
+  margin: 0 auto;
+}
+
+.blog-footer a {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-decoration: none;
+  margin: 0 1rem;
+}
+.blog-footer a:hover { color: var(--amber); }
+
+/* --- Responsive --- */
+@media (max-width: 640px) {
+  .article { padding: 2rem 1.25rem 4rem; }
+  .article pre { padding: 1rem; margin-left: -0.5rem; margin-right: -0.5rem; border-radius: 0; border-left: none; border-right: none; }
+}
+</style>
+</head>
+<body>
+
+<nav class="blog-nav">
+  <a href="/" class="wordmark">Numa</a>
+  <span class="sep">/</span>
+  <a href="/blog/">Blog</a>
+</nav>
+
+<article class="article">
+  <header class="article-header">
+    <h1>$title$</h1>
+    <div class="article-meta">
+      $date$ · <a href="https://dimescu.ro">Razvan Dimescu</a>
+    </div>
+  </header>
+
+$body$
+</article>
+
+<footer class="blog-footer">
+  <a href="https://github.com/razvandimescu/numa">GitHub</a>
+  <a href="/">Home</a>
+  <a href="/blog/">Blog</a>
+</footer>
+
+</body>
+</html>
diff --git a/site/blog/dns-from-scratch.html b/site/blog/dns-from-scratch.html
new file mode 100644
index 0000000..affdfbf
--- /dev/null
+++ b/site/blog/dns-from-scratch.html
@@ -0,0 +1,717 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>I Built a DNS Resolver from Scratch in Rust — Numa</title>
+<meta name="description" content="How DNS actually works at the wire
+level — label compression, TTL tricks, DoH, and what surprised me
+building a resolver with zero DNS libraries.">
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<style>
+*, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+
+:root {
+  --bg-deep: #f5f0e8;
+  --bg-surface: #ece5da;
+  --bg-elevated: #e3dbce;
+  --bg-card: #faf7f2;
+  --amber: #c0623a;
+  --amber-dim: #9e4e2d;
+  --teal: #6b7c4e;
+  --teal-dim: #566540;
+  --violet: #64748b;
+  --text-primary: #2c2418;
+  --text-secondary: #6b5e4f;
+  --text-dim: #a39888;
+  --border: rgba(0, 0, 0, 0.08);
+  --border-amber: rgba(192, 98, 58, 0.22);
+  --font-display: 'Instrument Serif', Georgia, serif;
+  --font-body: 'DM Sans', system-ui, sans-serif;
+  --font-mono: 'JetBrains Mono', monospace;
+}
+
+html { scroll-behavior: smooth; }
+
+body {
+  background: var(--bg-deep);
+  color: var(--text-primary);
+  font-family: var(--font-body);
+  font-weight: 400;
+  line-height: 1.7;
+  -webkit-font-smoothing: antialiased;
+}
+
+body::before {
+  content: '';
+  position: fixed;
+  inset: 0;
+  background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 256 256' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.9' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23n)' opacity='0.025'/%3E%3C/svg%3E");
+  pointer-events: none;
+  z-index: 9999;
+}
+
+/* --- Blog nav --- */
+.blog-nav {
+  padding: 1.5rem 2rem;
+  display: flex;
+  align-items: center;
+  gap: 1.5rem;
+}
+
+.blog-nav a {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-decoration: none;
+  transition: color 0.2s;
+}
+.blog-nav a:hover { color: var(--amber); }
+
+.blog-nav .wordmark {
+  font-family: var(--font-display);
+  font-size: 1.4rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  text-decoration: none;
+  letter-spacing: -0.02em;
+}
+.blog-nav .wordmark:hover { color: var(--amber); }
+
+.blog-nav .sep {
+  color: var(--text-dim);
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+}
+
+/* --- Article --- */
+.article {
+  max-width: 720px;
+  margin: 0 auto;
+  padding: 3rem 2rem 6rem;
+}
+
+.article-header {
+  margin-bottom: 3rem;
+  padding-bottom: 2rem;
+  border-bottom: 1px solid var(--border);
+}
+
+.article-header h1 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: clamp(2rem, 5vw, 3rem);
+  line-height: 1.15;
+  margin-bottom: 1rem;
+  color: var(--text-primary);
+}
+
+.article-meta {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  color: var(--text-dim);
+  letter-spacing: 0.04em;
+}
+
+.article-meta a {
+  color: var(--amber);
+  text-decoration: none;
+}
+.article-meta a:hover { text-decoration: underline; }
+
+/* --- Prose --- */
+.article h2 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: 1.8rem;
+  line-height: 1.2;
+  margin: 3rem 0 1rem;
+  color: var(--text-primary);
+}
+
+.article h3 {
+  font-family: var(--font-body);
+  font-weight: 600;
+  font-size: 1.2rem;
+  margin: 2rem 0 0.75rem;
+  color: var(--text-primary);
+}
+
+.article p {
+  margin-bottom: 1.25rem;
+  color: var(--text-secondary);
+  font-size: 1.05rem;
+}
+
+.article a {
+  color: var(--amber);
+  text-decoration: underline;
+  text-decoration-color: rgba(192, 98, 58, 0.3);
+  text-underline-offset: 2px;
+  transition: text-decoration-color 0.2s;
+}
+.article a:hover {
+  text-decoration-color: var(--amber);
+}
+
+.article strong {
+  color: var(--text-primary);
+  font-weight: 600;
+}
+
+.article ul, .article ol {
+  margin-bottom: 1.25rem;
+  padding-left: 1.5rem;
+  color: var(--text-secondary);
+}
+
+.article li {
+  margin-bottom: 0.4rem;
+  font-size: 1.05rem;
+}
+
+.article blockquote {
+  border-left: 3px solid var(--amber);
+  padding: 0.75rem 1.25rem;
+  margin: 1.5rem 0;
+  background: rgba(192, 98, 58, 0.04);
+  border-radius: 0 4px 4px 0;
+}
+
+.article blockquote p {
+  color: var(--text-secondary);
+  font-style: italic;
+  margin-bottom: 0;
+}
+
+/* --- Code --- */
+.article code {
+  font-family: var(--font-mono);
+  font-size: 0.88em;
+  background: var(--bg-elevated);
+  padding: 0.15em 0.4em;
+  border-radius: 3px;
+  color: var(--amber-dim);
+}
+
+.article pre {
+  background: var(--bg-card);
+  border: 1px solid var(--border);
+  border-radius: 6px;
+  padding: 1.25rem 1.5rem;
+  margin: 1.5rem 0;
+  overflow-x: auto;
+  line-height: 1.55;
+}
+
+.article pre code {
+  background: none;
+  padding: 0;
+  border-radius: 0;
+  color: var(--text-primary);
+  font-size: 0.85rem;
+}
+
+/* --- Images --- */
+.article img {
+  max-width: 100%;
+  border-radius: 6px;
+  border: 1px solid var(--border);
+  margin: 1.5rem 0;
+}
+
+/* --- Tables --- */
+.article table {
+  width: 100%;
+  border-collapse: collapse;
+  margin: 1.5rem 0;
+  font-size: 0.95rem;
+}
+
+.article th {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.06em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-align: left;
+  padding: 0.6rem 1rem;
+  border-bottom: 2px solid var(--border);
+}
+
+.article td {
+  padding: 0.6rem 1rem;
+  border-bottom: 1px solid var(--border);
+  color: var(--text-secondary);
+}
+
+/* --- Footer --- */
+.blog-footer {
+  text-align: center;
+  padding: 3rem 2rem;
+  border-top: 1px solid var(--border);
+  max-width: 720px;
+  margin: 0 auto;
+}
+
+.blog-footer a {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-decoration: none;
+  margin: 0 1rem;
+}
+.blog-footer a:hover { color: var(--amber); }
+
+/* --- Responsive --- */
+@media (max-width: 640px) {
+  .article { padding: 2rem 1.25rem 4rem; }
+  .article pre { padding: 1rem; margin-left: -0.5rem; margin-right: -0.5rem; border-radius: 0; border-left: none; border-right: none; }
+}
+</style>
+</head>
+<body>
+
+<nav class="blog-nav">
+  <a href="/" class="wordmark">Numa</a>
+  <span class="sep">/</span>
+  <a href="/blog/">Blog</a>
+</nav>
+
+<article class="article">
+  <header class="article-header">
+    <h1>I Built a DNS Resolver from Scratch in Rust</h1>
+    <div class="article-meta">
+      March 2026 · <a href="https://dimescu.ro">Razvan Dimescu</a>
+    </div>
+  </header>
+
+<p>I wanted to understand how DNS actually works. Not the “it translates
+domain names to IP addresses” explanation — the actual bytes on the
+wire. What does a DNS packet look like? How does label compression work?
+Why is everything crammed into 512 bytes?</p>
+<p>So I built one from scratch in Rust. No <code>hickory-dns</code>, no
+<code>trust-dns</code>, no <code>simple-dns</code>. The entire RFC 1035
+wire protocol — headers, labels, compression pointers, record types —
+parsed and serialized by hand. It started as a weekend learning project,
+became a side project I kept coming back to over 6 years, and eventually
+turned into <a href="https://github.com/razvandimescu/numa">Numa</a> —
+which I now use as my actual system DNS.</p>
+<p>A note on terminology before we go further: Numa is currently a
+<em>forwarding</em> resolver — it parses and caches DNS packets, but
+forwards queries to an upstream (Quad9, Cloudflare, or any DoH provider)
+rather than walking the delegation chain from root servers itself. Think
+of it as a smart proxy that does useful things with your DNS traffic
+locally (caching, ad blocking, overrides, local service domains) before
+forwarding what it can’t answer. Full recursive resolution — where Numa
+talks directly to root and authoritative nameservers — is on the
+roadmap, along with DNSSEC validation.</p>
+<p>Here’s what surprised me along the way.</p>
+<h2 id="what-does-a-dns-packet-actually-look-like">What does a DNS
+packet actually look like?</h2>
+<p>You can see a real one yourself. Run this:</p>
+<div class="sourceCode" id="cb1"><pre
+class="sourceCode bash"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="ex">dig</span> @127.0.0.1 example.com A +noedns</span></code></pre></div>
+<pre><code>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 15242
+;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;example.com.                   IN      A
+
+;; ANSWER SECTION:
+example.com.            53      IN      A       104.18.27.120
+example.com.            53      IN      A       104.18.26.120</code></pre>
+<p>That’s the human-readable version. But what’s actually on the wire? A
+DNS query for <code>example.com A</code> is just 29 bytes:</p>
+<pre><code>         ID    Flags  QCount ACount NSCount ARCount
+        ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐
+Header: AB CD  01 00  00 01  00 00  00 00  00 00
+        └────┘ └────┘ └────┘ └────┘ └────┘ └────┘
+         ↑      ↑      ↑
+         │      │      └─ 1 question, 0 answers, 0 authority, 0 additional
+         │      └─ Standard query, recursion desired
+         └─ Random ID (we&#39;ll match this in the response)
+
+Question: 07 65 78 61 6D 70 6C 65  03 63 6F 6D  00  00 01  00 01
+          ── ─────────────────────  ── ─────────  ──  ─────  ─────
+          7  e  x  a  m  p  l  e   3  c  o  m   end  A      IN
+          ↑                        ↑             ↑
+          └─ length prefix         └─ length     └─ root label (end of name)</code></pre>
+<p>12 bytes of header + 17 bytes of question = 29 bytes to ask “what’s
+the IP for example.com?” Compare that to an HTTP request for the same
+information — you’d need hundreds of bytes just for headers.</p>
+<p>We can send exactly those bytes and capture what comes back:</p>
+<div class="sourceCode" id="cb4"><pre
+class="sourceCode python"><code class="sourceCode python"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a>python3 <span class="op">-</span>c <span class="st">&quot;</span></span>
+<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a><span class="er">import socket</span></span>
+<span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a><span class="co"># Hand-craft a DNS query: header (12 bytes) + question (17 bytes)</span></span>
+<span id="cb4-4"><a href="#cb4-4" aria-hidden="true" tabindex="-1"></a>q  <span class="op">=</span> <span class="st">b&#39;</span><span class="ch">\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00</span><span class="st">&#39;</span>  <span class="co"># header</span></span>
+<span id="cb4-5"><a href="#cb4-5" aria-hidden="true" tabindex="-1"></a>q <span class="op">+=</span> <span class="st">b&#39;</span><span class="ch">\x07</span><span class="st">example</span><span class="ch">\x03</span><span class="st">com</span><span class="ch">\x00\x00\x01\x00\x01</span><span class="st">&#39;</span>              <span class="co"># question</span></span>
+<span id="cb4-6"><a href="#cb4-6" aria-hidden="true" tabindex="-1"></a>s <span class="op">=</span> socket.socket(socket.AF_INET, socket.SOCK_DGRAM)</span>
+<span id="cb4-7"><a href="#cb4-7" aria-hidden="true" tabindex="-1"></a>s.sendto(q, (<span class="st">&#39;127.0.0.1&#39;</span>, <span class="dv">53</span>))</span>
+<span id="cb4-8"><a href="#cb4-8" aria-hidden="true" tabindex="-1"></a>resp <span class="op">=</span> s.recv(<span class="dv">512</span>)</span>
+<span id="cb4-9"><a href="#cb4-9" aria-hidden="true" tabindex="-1"></a><span class="cf">for</span> i <span class="kw">in</span> <span class="bu">range</span>(<span class="dv">0</span>, <span class="bu">len</span>(resp), <span class="dv">16</span>):</span>
+<span id="cb4-10"><a href="#cb4-10" aria-hidden="true" tabindex="-1"></a>    h <span class="op">=</span> <span class="st">&#39; &#39;</span>.join(<span class="ss">f&#39;</span><span class="sc">{</span>b<span class="sc">:02x}</span><span class="ss">&#39;</span> <span class="cf">for</span> b <span class="kw">in</span> resp[i:i<span class="op">+</span><span class="dv">16</span>])</span>
+<span id="cb4-11"><a href="#cb4-11" aria-hidden="true" tabindex="-1"></a>    a <span class="op">=</span> <span class="st">&#39;&#39;</span>.join(<span class="bu">chr</span>(b) <span class="cf">if</span> <span class="dv">32</span><span class="op">&lt;=</span>b<span class="op">&lt;</span><span class="dv">127</span> <span class="cf">else</span> <span class="st">&#39;.&#39;</span> <span class="cf">for</span> b <span class="kw">in</span> resp[i:i<span class="op">+</span><span class="dv">16</span>])</span>
+<span id="cb4-12"><a href="#cb4-12" aria-hidden="true" tabindex="-1"></a>    <span class="bu">print</span>(<span class="ss">f&#39;</span><span class="sc">{</span>i<span class="sc">:08x}</span><span class="ss">  </span><span class="sc">{</span>h<span class="sc">:&lt;48s}</span><span class="ss">  </span><span class="sc">{</span>a<span class="sc">}</span><span class="ss">&#39;</span>)</span>
+<span id="cb4-13"><a href="#cb4-13" aria-hidden="true" tabindex="-1"></a><span class="co">&quot;</span></span></code></pre></div>
+<pre><code>00000000  ab cd 81 80 00 01 00 02 00 00 00 00 07 65 78 61   .............exa
+00000010  6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 07 65 78   mple.com......ex
+00000020  61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 00   ample.com.......
+00000030  00 19 00 04 68 12 1b 78 07 65 78 61 6d 70 6c 65   ....h..x.example
+00000040  03 63 6f 6d 00 00 01 00 01 00 00 00 19 00 04 68   .com...........h
+00000050  12 1a 78                                          ..x</code></pre>
+<p>83 bytes back. Let’s annotate the response:</p>
+<pre><code>         ID    Flags  QCount ACount NSCount ARCount
+        ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐ ┌────┐
+Header: AB CD  81 80  00 01  00 02  00 00  00 00
+        └────┘ └────┘ └────┘ └────┘ └────┘ └────┘
+         ↑      ↑      ↑      ↑
+         │      │      │      └─ 2 answers
+         │      │      └─ 1 question (echoed back)
+         │      └─ Response flag set, recursion available
+         └─ Same ID as our query
+
+Question: 07 65 78 61 6D 70 6C 65  03 63 6F 6D  00  00 01  00 01
+          (same as our query — echoed back)
+
+Answer 1: 07 65 78 61 6D 70 6C 65  03 63 6F 6D  00  00 01  00 01
+          ─────────────────────────────────────  ──  ─────  ─────
+          e  x  a  m  p  l  e  .  c  o  m       end  A      IN
+
+          00 00 00 19  00 04  68 12 1B 78
+          ───────────  ─────  ───────────
+          TTL: 25s     len:4  104.18.27.120
+
+Answer 2: (same domain repeated)  00 01  00 01  00 00 00 19  00 04  68 12 1A 78
+                                                                    ───────────
+                                                                    104.18.26.120</code></pre>
+<p>Notice something wasteful? The domain <code>example.com</code>
+appears <em>three times</em> — once in the question, twice in the
+answers. That’s 39 bytes of repeated names in an 83-byte packet. DNS has
+a solution for this — but first, the overall structure.</p>
+<p>The whole thing fits in a single UDP datagram. The structure is:</p>
+<pre><code>+--+--+--+--+--+--+--+--+
+|         Header         |  12 bytes: ID, flags, counts
++--+--+--+--+--+--+--+--+
+|        Questions       |  What you&#39;re asking
++--+--+--+--+--+--+--+--+
+|         Answers        |  The response records
++--+--+--+--+--+--+--+--+
+|       Authorities      |  NS records for the zone
++--+--+--+--+--+--+--+--+
+|       Additional       |  Extra helpful records
++--+--+--+--+--+--+--+--+</code></pre>
+<p>In Rust, parsing the header is just reading 12 bytes and unpacking
+the flags:</p>
+<div class="sourceCode" id="cb8"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb8-1"><a href="#cb8-1" aria-hidden="true" tabindex="-1"></a><span class="kw">pub</span> <span class="kw">fn</span> read(buffer<span class="op">:</span> <span class="op">&amp;</span><span class="kw">mut</span> BytePacketBuffer) <span class="op">-&gt;</span> <span class="dt">Result</span><span class="op">&lt;</span>DnsHeader<span class="op">&gt;</span> <span class="op">{</span></span>
+<span id="cb8-2"><a href="#cb8-2" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> id <span class="op">=</span> buffer<span class="op">.</span>read_u16()<span class="op">?;</span></span>
+<span id="cb8-3"><a href="#cb8-3" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> flags <span class="op">=</span> buffer<span class="op">.</span>read_u16()<span class="op">?;</span></span>
+<span id="cb8-4"><a href="#cb8-4" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Flags pack 9 fields into 16 bits</span></span>
+<span id="cb8-5"><a href="#cb8-5" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> recursion_desired <span class="op">=</span> (flags <span class="op">&amp;</span> (<span class="dv">1</span> <span class="op">&lt;&lt;</span> <span class="dv">8</span>)) <span class="op">&gt;</span> <span class="dv">0</span><span class="op">;</span></span>
+<span id="cb8-6"><a href="#cb8-6" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> truncated_message <span class="op">=</span> (flags <span class="op">&amp;</span> (<span class="dv">1</span> <span class="op">&lt;&lt;</span> <span class="dv">9</span>)) <span class="op">&gt;</span> <span class="dv">0</span><span class="op">;</span></span>
+<span id="cb8-7"><a href="#cb8-7" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> authoritative_answer <span class="op">=</span> (flags <span class="op">&amp;</span> (<span class="dv">1</span> <span class="op">&lt;&lt;</span> <span class="dv">10</span>)) <span class="op">&gt;</span> <span class="dv">0</span><span class="op">;</span></span>
+<span id="cb8-8"><a href="#cb8-8" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> opcode <span class="op">=</span> (flags <span class="op">&gt;&gt;</span> <span class="dv">11</span>) <span class="op">&amp;</span> <span class="dv">0x0F</span><span class="op">;</span></span>
+<span id="cb8-9"><a href="#cb8-9" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> response <span class="op">=</span> (flags <span class="op">&amp;</span> (<span class="dv">1</span> <span class="op">&lt;&lt;</span> <span class="dv">15</span>)) <span class="op">&gt;</span> <span class="dv">0</span><span class="op">;</span></span>
+<span id="cb8-10"><a href="#cb8-10" aria-hidden="true" tabindex="-1"></a>    <span class="co">// ... and so on</span></span>
+<span id="cb8-11"><a href="#cb8-11" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<p>No padding, no alignment, no JSON overhead. DNS was designed in 1987
+when every byte counted, and honestly? The wire format is kind of
+beautiful in its efficiency.</p>
+<h2 id="label-compression-is-the-clever-part">Label compression is the
+clever part</h2>
+<p>Remember how <code>example.com</code> appeared three times in that
+83-byte response? Domain names in DNS are stored as a sequence of
+<strong>labels</strong> — length-prefixed segments:</p>
+<pre><code>example.com → [7]example[3]com[0]</code></pre>
+<p>The <code>[7]</code> means “the next 7 bytes are a label.” The
+<code>[0]</code> is the root label (end of name). That’s 13 bytes per
+occurrence, 39 bytes for three repetitions. In a response with authority
+and additional records, domain names can account for half the
+packet.</p>
+<p>DNS solves this with <strong>compression pointers</strong> — if the
+top two bits of a length byte are <code>11</code>, the remaining 14 bits
+are an offset back into the packet where the rest of the name can be
+found. A well-compressed version of our response would replace the
+answer names with <code>C0 0C</code> — a 2-byte pointer to offset 12
+where <code>example.com</code> first appears in the question section.
+That turns 39 bytes of names into 15 (13 + 2 + 2). Our upstream didn’t
+bother compressing, but many do — especially when related domains
+appear:</p>
+<pre><code>Offset 0x20: [6]google[3]com[0]        ← full name
+Offset 0x40: [4]mail[0xC0][0x20]       ← &quot;mail&quot; + pointer to offset 0x20
+Offset 0x50: [3]www[0xC0][0x20]        ← &quot;www&quot; + pointer to offset 0x20</code></pre>
+<p>Pointers can chain — a pointer can point to another pointer. Parsing
+this correctly requires tracking your position in the buffer and
+handling jumps:</p>
+<div class="sourceCode" id="cb11"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb11-1"><a href="#cb11-1" aria-hidden="true" tabindex="-1"></a><span class="kw">pub</span> <span class="kw">fn</span> read_qname(<span class="op">&amp;</span><span class="kw">mut</span> <span class="kw">self</span><span class="op">,</span> outstr<span class="op">:</span> <span class="op">&amp;</span><span class="kw">mut</span> <span class="dt">String</span>) <span class="op">-&gt;</span> <span class="dt">Result</span><span class="op">&lt;</span>()<span class="op">&gt;</span> <span class="op">{</span></span>
+<span id="cb11-2"><a href="#cb11-2" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> pos <span class="op">=</span> <span class="kw">self</span><span class="op">.</span>pos()<span class="op">;</span></span>
+<span id="cb11-3"><a href="#cb11-3" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> jumped <span class="op">=</span> <span class="cn">false</span><span class="op">;</span></span>
+<span id="cb11-4"><a href="#cb11-4" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> delim <span class="op">=</span> <span class="st">&quot;&quot;</span><span class="op">;</span></span>
+<span id="cb11-5"><a href="#cb11-5" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb11-6"><a href="#cb11-6" aria-hidden="true" tabindex="-1"></a>    <span class="cf">loop</span> <span class="op">{</span></span>
+<span id="cb11-7"><a href="#cb11-7" aria-hidden="true" tabindex="-1"></a>        <span class="kw">let</span> len <span class="op">=</span> <span class="kw">self</span><span class="op">.</span>get(pos)<span class="op">?;</span></span>
+<span id="cb11-8"><a href="#cb11-8" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb11-9"><a href="#cb11-9" aria-hidden="true" tabindex="-1"></a>        <span class="co">// Top two bits set = compression pointer</span></span>
+<span id="cb11-10"><a href="#cb11-10" aria-hidden="true" tabindex="-1"></a>        <span class="cf">if</span> (len <span class="op">&amp;</span> <span class="dv">0xC0</span>) <span class="op">==</span> <span class="dv">0xC0</span> <span class="op">{</span></span>
+<span id="cb11-11"><a href="#cb11-11" aria-hidden="true" tabindex="-1"></a>            <span class="cf">if</span> <span class="op">!</span>jumped <span class="op">{</span></span>
+<span id="cb11-12"><a href="#cb11-12" aria-hidden="true" tabindex="-1"></a>                <span class="kw">self</span><span class="op">.</span>seek(pos <span class="op">+</span> <span class="dv">2</span>)<span class="op">?;</span> <span class="co">// advance past the pointer</span></span>
+<span id="cb11-13"><a href="#cb11-13" aria-hidden="true" tabindex="-1"></a>            <span class="op">}</span></span>
+<span id="cb11-14"><a href="#cb11-14" aria-hidden="true" tabindex="-1"></a>            <span class="kw">let</span> offset <span class="op">=</span> (((len <span class="kw">as</span> <span class="dt">u16</span>) <span class="op">^</span> <span class="dv">0xC0</span>) <span class="op">&lt;&lt;</span> <span class="dv">8</span>) <span class="op">|</span> <span class="kw">self</span><span class="op">.</span>get(pos <span class="op">+</span> <span class="dv">1</span>)<span class="op">?</span> <span class="kw">as</span> <span class="dt">u16</span><span class="op">;</span></span>
+<span id="cb11-15"><a href="#cb11-15" aria-hidden="true" tabindex="-1"></a>            pos <span class="op">=</span> offset <span class="kw">as</span> <span class="dt">usize</span><span class="op">;</span></span>
+<span id="cb11-16"><a href="#cb11-16" aria-hidden="true" tabindex="-1"></a>            jumped <span class="op">=</span> <span class="cn">true</span><span class="op">;</span></span>
+<span id="cb11-17"><a href="#cb11-17" aria-hidden="true" tabindex="-1"></a>            <span class="cf">continue</span><span class="op">;</span></span>
+<span id="cb11-18"><a href="#cb11-18" aria-hidden="true" tabindex="-1"></a>        <span class="op">}</span></span>
+<span id="cb11-19"><a href="#cb11-19" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb11-20"><a href="#cb11-20" aria-hidden="true" tabindex="-1"></a>        pos <span class="op">+=</span> <span class="dv">1</span><span class="op">;</span></span>
+<span id="cb11-21"><a href="#cb11-21" aria-hidden="true" tabindex="-1"></a>        <span class="cf">if</span> len <span class="op">==</span> <span class="dv">0</span> <span class="op">{</span> <span class="cf">break</span><span class="op">;</span> <span class="op">}</span> <span class="co">// root label</span></span>
+<span id="cb11-22"><a href="#cb11-22" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb11-23"><a href="#cb11-23" aria-hidden="true" tabindex="-1"></a>        outstr<span class="op">.</span>push_str(delim)<span class="op">;</span></span>
+<span id="cb11-24"><a href="#cb11-24" aria-hidden="true" tabindex="-1"></a>        outstr<span class="op">.</span>push_str(<span class="op">&amp;</span><span class="kw">self</span><span class="op">.</span>get_range(pos<span class="op">,</span> len <span class="kw">as</span> <span class="dt">usize</span>)<span class="op">?</span></span>
+<span id="cb11-25"><a href="#cb11-25" aria-hidden="true" tabindex="-1"></a>            <span class="op">.</span>iter()<span class="op">.</span>map(<span class="op">|&amp;</span>b<span class="op">|</span> b <span class="kw">as</span> <span class="dt">char</span>)<span class="op">.</span><span class="pp">collect::</span><span class="op">&lt;</span><span class="dt">String</span><span class="op">&gt;</span>())<span class="op">;</span></span>
+<span id="cb11-26"><a href="#cb11-26" aria-hidden="true" tabindex="-1"></a>        delim <span class="op">=</span> <span class="st">&quot;.&quot;</span><span class="op">;</span></span>
+<span id="cb11-27"><a href="#cb11-27" aria-hidden="true" tabindex="-1"></a>        pos <span class="op">+=</span> len <span class="kw">as</span> <span class="dt">usize</span><span class="op">;</span></span>
+<span id="cb11-28"><a href="#cb11-28" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
+<span id="cb11-29"><a href="#cb11-29" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb11-30"><a href="#cb11-30" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> <span class="op">!</span>jumped <span class="op">{</span></span>
+<span id="cb11-31"><a href="#cb11-31" aria-hidden="true" tabindex="-1"></a>        <span class="kw">self</span><span class="op">.</span>seek(pos)<span class="op">?;</span></span>
+<span id="cb11-32"><a href="#cb11-32" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
+<span id="cb11-33"><a href="#cb11-33" aria-hidden="true" tabindex="-1"></a>    <span class="cn">Ok</span>(())</span>
+<span id="cb11-34"><a href="#cb11-34" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<p>This one bit me: when you follow a pointer, you must <em>not</em>
+advance the buffer’s read position past where you jumped from. The
+pointer is 2 bytes, so you advance by 2, but the actual label data lives
+elsewhere in the packet. If you follow the pointer and also advance past
+it, you’ll skip over the next record entirely. I spent a fun evening
+debugging that one.</p>
+<h2 id="ttl-adjustment-on-read-not-write">TTL adjustment on read, not
+write</h2>
+<p>This is my favorite trick in the whole codebase. I initially stored
+the remaining TTL and decremented it, which meant I needed a background
+thread to sweep expired entries. It worked, but it felt wrong — too much
+machinery for something simple.</p>
+<p>The cleaner approach: store the original TTL and the timestamp when
+the record was cached. On read, compute
+<code>remaining = original_ttl - elapsed</code>. If it’s zero or
+negative, the entry is stale — evict it lazily.</p>
+<div class="sourceCode" id="cb12"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb12-1"><a href="#cb12-1" aria-hidden="true" tabindex="-1"></a><span class="kw">pub</span> <span class="kw">fn</span> lookup(<span class="op">&amp;</span><span class="kw">mut</span> <span class="kw">self</span><span class="op">,</span> domain<span class="op">:</span> <span class="op">&amp;</span><span class="dt">str</span><span class="op">,</span> qtype<span class="op">:</span> QueryType) <span class="op">-&gt;</span> <span class="dt">Option</span><span class="op">&lt;</span>DnsPacket<span class="op">&gt;</span> <span class="op">{</span></span>
+<span id="cb12-2"><a href="#cb12-2" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> key <span class="op">=</span> (domain<span class="op">.</span>to_lowercase()<span class="op">,</span> qtype)<span class="op">;</span></span>
+<span id="cb12-3"><a href="#cb12-3" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> entry <span class="op">=</span> <span class="kw">self</span><span class="op">.</span>entries<span class="op">.</span>get(<span class="op">&amp;</span>key)<span class="op">?;</span></span>
+<span id="cb12-4"><a href="#cb12-4" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> elapsed <span class="op">=</span> entry<span class="op">.</span>cached_at<span class="op">.</span>elapsed()<span class="op">.</span>as_secs() <span class="kw">as</span> <span class="dt">u32</span><span class="op">;</span></span>
+<span id="cb12-5"><a href="#cb12-5" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb12-6"><a href="#cb12-6" aria-hidden="true" tabindex="-1"></a>    <span class="cf">if</span> elapsed <span class="op">&gt;=</span> entry<span class="op">.</span>original_ttl <span class="op">{</span></span>
+<span id="cb12-7"><a href="#cb12-7" aria-hidden="true" tabindex="-1"></a>        <span class="kw">self</span><span class="op">.</span>entries<span class="op">.</span>remove(<span class="op">&amp;</span>key)<span class="op">;</span></span>
+<span id="cb12-8"><a href="#cb12-8" aria-hidden="true" tabindex="-1"></a>        <span class="cf">return</span> <span class="cn">None</span><span class="op">;</span></span>
+<span id="cb12-9"><a href="#cb12-9" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
+<span id="cb12-10"><a href="#cb12-10" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb12-11"><a href="#cb12-11" aria-hidden="true" tabindex="-1"></a>    <span class="co">// Adjust TTLs in the response to reflect remaining time</span></span>
+<span id="cb12-12"><a href="#cb12-12" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> packet <span class="op">=</span> entry<span class="op">.</span>packet<span class="op">.</span>clone()<span class="op">;</span></span>
+<span id="cb12-13"><a href="#cb12-13" aria-hidden="true" tabindex="-1"></a>    <span class="cf">for</span> answer <span class="kw">in</span> <span class="op">&amp;</span><span class="kw">mut</span> packet<span class="op">.</span>answers <span class="op">{</span></span>
+<span id="cb12-14"><a href="#cb12-14" aria-hidden="true" tabindex="-1"></a>        answer<span class="op">.</span>set_ttl(entry<span class="op">.</span>original_ttl<span class="op">.</span>saturating_sub(elapsed))<span class="op">;</span></span>
+<span id="cb12-15"><a href="#cb12-15" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span></span>
+<span id="cb12-16"><a href="#cb12-16" aria-hidden="true" tabindex="-1"></a>    <span class="cn">Some</span>(packet)</span>
+<span id="cb12-17"><a href="#cb12-17" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<p>No background thread. No timer. Entries expire lazily. The cache
+stays consistent because every consumer sees the adjusted TTL.</p>
+<h2 id="async-per-query-with-tokio">Async per-query with tokio</h2>
+<p>Each incoming UDP packet spawns a tokio task. The main loop never
+blocks:</p>
+<div class="sourceCode" id="cb13"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb13-1"><a href="#cb13-1" aria-hidden="true" tabindex="-1"></a><span class="cf">loop</span> <span class="op">{</span></span>
+<span id="cb13-2"><a href="#cb13-2" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>new()<span class="op">;</span></span>
+<span id="cb13-3"><a href="#cb13-3" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> (_<span class="op">,</span> src_addr) <span class="op">=</span> socket<span class="op">.</span>recv_from(<span class="op">&amp;</span><span class="kw">mut</span> buffer<span class="op">.</span>buf)<span class="op">.</span><span class="kw">await</span><span class="op">?;</span></span>
+<span id="cb13-4"><a href="#cb13-4" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb13-5"><a href="#cb13-5" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> ctx <span class="op">=</span> <span class="pp">Arc::</span>clone(<span class="op">&amp;</span>ctx)<span class="op">;</span></span>
+<span id="cb13-6"><a href="#cb13-6" aria-hidden="true" tabindex="-1"></a>    <span class="pp">tokio::</span>spawn(<span class="kw">async</span> <span class="kw">move</span> <span class="op">{</span></span>
+<span id="cb13-7"><a href="#cb13-7" aria-hidden="true" tabindex="-1"></a>        <span class="cf">if</span> <span class="kw">let</span> <span class="cn">Err</span>(e) <span class="op">=</span> handle_query(buffer<span class="op">,</span> src_addr<span class="op">,</span> <span class="op">&amp;</span>ctx)<span class="op">.</span><span class="kw">await</span> <span class="op">{</span></span>
+<span id="cb13-8"><a href="#cb13-8" aria-hidden="true" tabindex="-1"></a>            <span class="pp">error!</span>(<span class="st">&quot;{} | HANDLER ERROR | {}&quot;</span><span class="op">,</span> src_addr<span class="op">,</span> e)<span class="op">;</span></span>
+<span id="cb13-9"><a href="#cb13-9" aria-hidden="true" tabindex="-1"></a>        <span class="op">}</span></span>
+<span id="cb13-10"><a href="#cb13-10" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span>)<span class="op">;</span></span>
+<span id="cb13-11"><a href="#cb13-11" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<p>Each <code>handle_query</code> walks a pipeline. This is the part
+where “from scratch” pays off — every step is just a function that
+either returns a response or says “not my problem, pass it on”:</p>
+<pre><code>                     ┌─────────────────────────────────────────────────────┐
+                     │              Numa Resolution Pipeline               │
+                     └─────────────────────────────────────────────────────┘
+
+  Query ──→ Overrides ──→ .numa TLD ──→ Blocklist ──→ Zones ──→ Cache ──→ DoH
+    │        │              │             │             │         │         │
+    │        │ match?       │ match?      │ blocked?    │ match?  │ hit?    │
+    │        ↓              ↓             ↓             ↓         ↓         ↓
+    │      respond        respond       0.0.0.0      respond   respond   forward
+    │      (auto-reverts  (reverse      (ad gone)    (static   (TTL      to upstream
+    │       after N min)   proxy+TLS)                 records)  adjusted) (encrypted)
+    │
+    └──→ Each step either answers or passes to the next.
+         Adding a feature = inserting a function into this chain.</code></pre>
+<p>Want conditional forwarding for Tailscale? Insert a step before the
+upstream that checks the domain suffix. Want to override
+<code>api.example.com</code> for 5 minutes while debugging? Insert an
+entry in the overrides step — it auto-expires and the domain goes back
+to resolving normally. A DNS library would have hidden this pipeline
+behind an opaque <code>resolve()</code> call.</p>
+<p>This is one of those cases where Rust + tokio makes things almost
+embarrassingly simple. In a synchronous resolver, you’d need a thread
+pool or hand-rolled event loop. Here, each query is a lightweight
+future. A slow upstream query doesn’t block anything — other queries
+keep flowing.</p>
+<h2 id="dns-over-https-the-wait-thats-it-moment">DNS-over-HTTPS: the
+“wait, that’s it?” moment</h2>
+<p>The most recent addition, and honestly the one that surprised me with
+how little code it needed. DoH (RFC 8484) is conceptually simple: take
+the exact same DNS wire-format packet you’d send over UDP, POST it to an
+HTTPS endpoint with <code>Content-Type: application/dns-message</code>,
+and parse the response the same way. Same bytes, different
+transport.</p>
+<div class="sourceCode" id="cb15"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb15-1"><a href="#cb15-1" aria-hidden="true" tabindex="-1"></a><span class="kw">async</span> <span class="kw">fn</span> forward_doh(</span>
+<span id="cb15-2"><a href="#cb15-2" aria-hidden="true" tabindex="-1"></a>    query<span class="op">:</span> <span class="op">&amp;</span>DnsPacket<span class="op">,</span></span>
+<span id="cb15-3"><a href="#cb15-3" aria-hidden="true" tabindex="-1"></a>    url<span class="op">:</span> <span class="op">&amp;</span><span class="dt">str</span><span class="op">,</span></span>
+<span id="cb15-4"><a href="#cb15-4" aria-hidden="true" tabindex="-1"></a>    client<span class="op">:</span> <span class="op">&amp;</span><span class="pp">reqwest::</span>Client<span class="op">,</span></span>
+<span id="cb15-5"><a href="#cb15-5" aria-hidden="true" tabindex="-1"></a>    timeout_duration<span class="op">:</span> Duration<span class="op">,</span></span>
+<span id="cb15-6"><a href="#cb15-6" aria-hidden="true" tabindex="-1"></a>) <span class="op">-&gt;</span> <span class="dt">Result</span><span class="op">&lt;</span>DnsPacket<span class="op">&gt;</span> <span class="op">{</span></span>
+<span id="cb15-7"><a href="#cb15-7" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> send_buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>new()<span class="op">;</span></span>
+<span id="cb15-8"><a href="#cb15-8" aria-hidden="true" tabindex="-1"></a>    query<span class="op">.</span>write(<span class="op">&amp;</span><span class="kw">mut</span> send_buffer)<span class="op">?;</span></span>
+<span id="cb15-9"><a href="#cb15-9" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb15-10"><a href="#cb15-10" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> resp <span class="op">=</span> timeout(timeout_duration<span class="op">,</span> client</span>
+<span id="cb15-11"><a href="#cb15-11" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>post(url)</span>
+<span id="cb15-12"><a href="#cb15-12" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>header(<span class="st">&quot;content-type&quot;</span><span class="op">,</span> <span class="st">&quot;application/dns-message&quot;</span>)</span>
+<span id="cb15-13"><a href="#cb15-13" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>header(<span class="st">&quot;accept&quot;</span><span class="op">,</span> <span class="st">&quot;application/dns-message&quot;</span>)</span>
+<span id="cb15-14"><a href="#cb15-14" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>body(send_buffer<span class="op">.</span>filled()<span class="op">.</span>to_vec())</span>
+<span id="cb15-15"><a href="#cb15-15" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>send())</span>
+<span id="cb15-16"><a href="#cb15-16" aria-hidden="true" tabindex="-1"></a>    <span class="op">.</span><span class="kw">await</span><span class="op">??.</span>error_for_status()<span class="op">?;</span></span>
+<span id="cb15-17"><a href="#cb15-17" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb15-18"><a href="#cb15-18" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> bytes <span class="op">=</span> resp<span class="op">.</span>bytes()<span class="op">.</span><span class="kw">await</span><span class="op">?;</span></span>
+<span id="cb15-19"><a href="#cb15-19" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> recv_buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>from_bytes(<span class="op">&amp;</span>bytes)<span class="op">;</span></span>
+<span id="cb15-20"><a href="#cb15-20" aria-hidden="true" tabindex="-1"></a>    <span class="pp">DnsPacket::</span>from_buffer(<span class="op">&amp;</span><span class="kw">mut</span> recv_buffer)</span>
+<span id="cb15-21"><a href="#cb15-21" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<p>The one gotcha that cost me an hour: Quad9 and other DoH providers
+require HTTP/2. My first attempt used HTTP/1.1 and got a cryptic 400 Bad
+Request. Adding the <code>http2</code> feature to reqwest fixed it. The
+upside of HTTP/2? Connection multiplexing means subsequent queries reuse
+the TLS session — ~16ms vs ~50ms for the first query. Free
+performance.</p>
+<p>The <code>Upstream</code> enum dispatches between UDP and DoH based
+on the URL scheme:</p>
+<div class="sourceCode" id="cb16"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb16-1"><a href="#cb16-1" aria-hidden="true" tabindex="-1"></a><span class="kw">pub</span> <span class="kw">enum</span> Upstream <span class="op">{</span></span>
+<span id="cb16-2"><a href="#cb16-2" aria-hidden="true" tabindex="-1"></a>    Udp(SocketAddr)<span class="op">,</span></span>
+<span id="cb16-3"><a href="#cb16-3" aria-hidden="true" tabindex="-1"></a>    Doh <span class="op">{</span> url<span class="op">:</span> <span class="dt">String</span><span class="op">,</span> client<span class="op">:</span> <span class="pp">reqwest::</span>Client <span class="op">},</span></span>
+<span id="cb16-4"><a href="#cb16-4" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<p>If the configured address starts with <code>https://</code>, it’s
+DoH. Otherwise, plain UDP. Simple, no toggles.</p>
+<h2 id="why-not-just-use-dnsmasq-nginx-mkcert">“Why not just use dnsmasq
++ nginx + mkcert?”</h2>
+<p>Fair question — I got this a lot when I first <a
+href="https://www.reddit.com/r/programare/">posted about Numa</a>. And
+the answer is: you absolutely can. Those are mature, battle-tested
+tools.</p>
+<p>The difference is integration. With dnsmasq + nginx + mkcert, you’re
+configuring three tools: DNS resolution, reverse proxy rules, and
+certificate generation. Each has its own config format, its own
+lifecycle, its own failure modes. Numa puts the DNS record, the reverse
+proxy, and the TLS cert behind a single API call:</p>
+<div class="sourceCode" id="cb17"><pre
+class="sourceCode bash"><code class="sourceCode bash"><span id="cb17-1"><a href="#cb17-1" aria-hidden="true" tabindex="-1"></a><span class="ex">curl</span> <span class="at">-X</span> POST localhost:5380/services <span class="at">-d</span> <span class="st">&#39;{&quot;name&quot;:&quot;frontend&quot;,&quot;target_port&quot;:5173}&#39;</span></span></code></pre></div>
+<p>That creates the DNS entry, generates a TLS certificate with the
+correct SAN, and starts proxying — including WebSocket upgrade for Vite
+HMR. One command, no config files.</p>
+<p>There’s also a distinction people miss: <strong>mkcert and certbot
+solve different problems.</strong> Certbot issues certificates for
+public domains via Let’s Encrypt — it needs DNS validation or an open
+port 80. Numa generates certificates for <code>.numa</code> domains that
+don’t exist publicly. You can’t get a Let’s Encrypt cert for
+<code>frontend.numa</code>. They’re complementary, not alternatives.</p>
+<p>Someone on Reddit told me the real value is “TLS termination +
+reverse proxy, simple to install, for developers — stop there.”
+Honestly, they might be right about focus. But DNS is the foundation the
+proxy sits on, and having full control over the resolution pipeline is
+what makes auto-revert overrides and LAN discovery possible. Sometimes
+the “unnecessary” part is what makes the interesting part work.</p>
+<h2 id="the-blocklist-memory-problem">The blocklist memory problem</h2>
+<p>Numa’s ad blocking loads the <a
+href="https://github.com/hagezi/dns-blocklists">Hagezi Pro</a> list at
+startup — ~385,000 domains stored in a
+<code>HashSet&lt;String&gt;</code>. This works, but it consumes ~30MB of
+memory. For a laptop DNS proxy, that’s fine. For embedded devices or a
+future where you want to run Numa on a router, it’s too much.</p>
+<p>The obvious optimization is a <strong>Bloom filter</strong> — a
+probabilistic data structure that can tell you “definitely not in the
+set” or “probably in the set” using a fraction of the memory. A Bloom
+filter for 385K domains with a 0.1% false positive rate would use ~700KB
+instead of 30MB. The false positives (0.1% of queries hitting domains
+not in the list) would be blocked unnecessarily, which is acceptable for
+ad blocking.</p>
+<p>I haven’t implemented this yet — the <code>HashSet</code> is simple,
+correct, and 30MB is nothing on a laptop. But if Numa ever needs to run
+on a router or a Raspberry Pi, this is the first optimization I’d reach
+for.</p>
+<h2 id="what-i-learned">What I learned</h2>
+<p><strong>DNS is a 40-year-old protocol that works remarkably
+well.</strong> The wire format is tight, the caching model is elegant,
+and the hierarchical delegation system has scaled to billions of queries
+per day. The things people complain about (DNSSEC complexity, lack of
+encryption) are extensions bolted on decades later, not flaws in the
+original design.</p>
+<p><strong>“From scratch” gives you full control.</strong> When I wanted
+to add ephemeral overrides that auto-revert, it was trivial — just a new
+step in the resolution pipeline. Conditional forwarding for
+Tailscale/VPN? Another step. Every feature is a function that takes a
+query and returns either a response or “pass to the next stage.” A DNS
+library would have hidden this pipeline.</p>
+<p><strong>The hard parts aren’t where you’d expect.</strong> Parsing
+the wire protocol was straightforward (RFC 1035 is well-written). The
+hard parts were: browsers rejecting wildcard certs under single-label
+TLDs (<code>*.numa</code> fails — you need per-service SANs), macOS
+resolver quirks (scutil vs /etc/resolv.conf), and getting multiple
+processes to bind the same multicast port (<code>SO_REUSEPORT</code> on
+macOS, <code>SO_REUSEADDR</code> on Linux).</p>
+<p><strong>Terminology will get you roasted.</strong> I initially called
+Numa a “DNS resolver” and got corrected on Reddit — it’s a forwarding
+resolver (DNS proxy). It doesn’t walk the delegation chain from root
+servers; it forwards to an upstream. The distinction matters to people
+who work with DNS for a living, and being sloppy about it cost me
+credibility in my first community posts. If you’re building in a domain
+with established terminology, learn the vocabulary before you show
+up.</p>
+<h2 id="whats-next">What’s next</h2>
+<p>Numa is at v0.5.0 with DNS forwarding, caching, ad blocking,
+DNS-over-HTTPS, .numa local domains with auto TLS, and LAN service
+discovery.</p>
+<p>On the roadmap:</p>
+<ul>
+<li><strong>DoT (DNS-over-TLS)</strong> — DoH was first because it
+passes through captive portals and corporate firewalls (port 443 vs
+853). DoT has less framing overhead, so it’s faster. Both will be
+available.</li>
+<li><strong>Recursive resolution</strong> — walk the delegation chain
+from root servers instead of forwarding. Combined with DNSSEC
+validation, this removes the need to trust any upstream resolver.</li>
+<li><strong><a href="https://github.com/pubky/pkarr">pkarr</a>
+integration</strong> — self-sovereign DNS via the Mainline BitTorrent
+DHT. Publish DNS records signed with your Ed25519 key, no registrar
+needed.</li>
+</ul>
+<p>But those are rabbit holes for future posts.</p>
+<p><a
+href="https://github.com/razvandimescu/numa">github.com/razvandimescu/numa</a></p>
+</article>
+
+<footer class="blog-footer">
+  <a href="https://github.com/razvandimescu/numa">GitHub</a>
+  <a href="/">Home</a>
+  <a href="/blog/">Blog</a>
+</footer>
+
+</body>
+</html>
diff --git a/site/blog/index.html b/site/blog/index.html
new file mode 100644
index 0000000..354dd31
--- /dev/null
+++ b/site/blog/index.html
@@ -0,0 +1,188 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Blog — Numa</title>
+<meta name="description" content="Technical writing about DNS, Rust, and building infrastructure from scratch.">
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<style>
+*, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+
+:root {
+  --bg-deep: #f5f0e8;
+  --bg-surface: #ece5da;
+  --bg-card: #faf7f2;
+  --amber: #c0623a;
+  --amber-dim: #9e4e2d;
+  --teal: #6b7c4e;
+  --text-primary: #2c2418;
+  --text-secondary: #6b5e4f;
+  --text-dim: #a39888;
+  --border: rgba(0, 0, 0, 0.08);
+  --font-display: 'Instrument Serif', Georgia, serif;
+  --font-body: 'DM Sans', system-ui, sans-serif;
+  --font-mono: 'JetBrains Mono', monospace;
+}
+
+body {
+  background: var(--bg-deep);
+  color: var(--text-primary);
+  font-family: var(--font-body);
+  font-weight: 400;
+  line-height: 1.7;
+  -webkit-font-smoothing: antialiased;
+}
+
+body::before {
+  content: '';
+  position: fixed;
+  inset: 0;
+  background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 256 256' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.9' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23n)' opacity='0.025'/%3E%3C/svg%3E");
+  pointer-events: none;
+  z-index: 9999;
+}
+
+.blog-nav {
+  padding: 1.5rem 2rem;
+  display: flex;
+  align-items: center;
+  gap: 1.5rem;
+}
+
+.blog-nav a {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-decoration: none;
+  transition: color 0.2s;
+}
+.blog-nav a:hover { color: var(--amber); }
+
+.blog-nav .wordmark {
+  font-family: var(--font-display);
+  font-size: 1.4rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  text-decoration: none;
+  letter-spacing: -0.02em;
+}
+.blog-nav .wordmark:hover { color: var(--amber); }
+
+.blog-nav .sep {
+  color: var(--text-dim);
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+}
+
+.blog-index {
+  max-width: 720px;
+  margin: 0 auto;
+  padding: 3rem 2rem 6rem;
+}
+
+.blog-index h1 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: 2.5rem;
+  margin-bottom: 3rem;
+}
+
+.post-list {
+  list-style: none;
+}
+
+.post-list li {
+  padding: 1.5rem 0;
+  border-bottom: 1px solid var(--border);
+}
+
+.post-list li:first-child {
+  border-top: 1px solid var(--border);
+}
+
+.post-list a {
+  text-decoration: none;
+  display: block;
+}
+
+.post-list .post-title {
+  font-family: var(--font-display);
+  font-size: 1.4rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  line-height: 1.3;
+  margin-bottom: 0.4rem;
+  transition: color 0.2s;
+}
+
+.post-list a:hover .post-title {
+  color: var(--amber);
+}
+
+.post-list .post-desc {
+  font-size: 0.95rem;
+  color: var(--text-secondary);
+  line-height: 1.5;
+  margin-bottom: 0.4rem;
+}
+
+.post-list .post-date {
+  font-family: var(--font-mono);
+  font-size: 0.72rem;
+  color: var(--text-dim);
+  letter-spacing: 0.04em;
+}
+
+.blog-footer {
+  text-align: center;
+  padding: 3rem 2rem;
+  border-top: 1px solid var(--border);
+  max-width: 720px;
+  margin: 0 auto;
+}
+
+.blog-footer a {
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  text-decoration: none;
+  margin: 0 1rem;
+}
+.blog-footer a:hover { color: var(--amber); }
+</style>
+</head>
+<body>
+
+<nav class="blog-nav">
+  <a href="/" class="wordmark">Numa</a>
+  <span class="sep">/</span>
+  <a href="/blog/">Blog</a>
+</nav>
+
+<main class="blog-index">
+  <h1>Blog</h1>
+  <ul class="post-list">
+    <li>
+      <a href="/blog/dns-from-scratch.html">
+        <div class="post-title">I Built a DNS Resolver from Scratch in Rust</div>
+        <div class="post-desc">How DNS actually works at the wire level — label compression, TTL tricks, DoH implementation, and what I learned building a resolver with zero DNS libraries.</div>
+        <div class="post-date">March 2026</div>
+      </a>
+    </li>
+  </ul>
+</main>
+
+<footer class="blog-footer">
+  <a href="https://github.com/razvandimescu/numa">GitHub</a>
+  <a href="/">Home</a>
+</footer>
+
+</body>
+</html>
diff --git a/site/index.html b/site/index.html
index 7982daf..8a9361f 100644
--- a/site/index.html
+++ b/site/index.html
@@ -3,8 +3,13 @@
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>Numa — DNS that governs itself</title>
+<title>Numa — DNS you own. Everywhere you go.</title>
 <meta name="description" content="DNS you own. Block ads, override DNS for development, name your local services with .numa domains, cache for speed. A single portable binary built from scratch in Rust.">
+<link rel="canonical" href="https://numa.rs">
+<meta property="og:title" content="Numa — DNS you own. Everywhere you go.">
+<meta property="og:description" content="Portable DNS resolver with ad blocking, encrypted upstream, .numa local domains, and developer overrides. Built from scratch in Rust.">
+<meta property="og:type" content="website">
+<meta property="og:url" content="https://numa.rs">
 <link rel="preconnect" href="https://fonts.googleapis.com">
 <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
 <link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
@@ -785,6 +790,169 @@ p.lead {
   background: rgba(82, 122, 82, 0.04);
 }
 
+/* ===========================
+   PERFORMANCE
+   =========================== */
+.perf-section {
+  background: var(--bg-surface);
+}
+
+.perf-grid {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  gap: 3rem;
+  margin-top: 3rem;
+  align-items: start;
+}
+
+.perf-table-wrapper {
+  overflow-x: auto;
+  border: 1px solid var(--border);
+}
+
+.perf-table {
+  width: 100%;
+  border-collapse: collapse;
+  font-size: 0.85rem;
+  min-width: 380px;
+}
+
+.perf-table thead th {
+  font-family: var(--font-mono);
+  font-size: 0.7rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  padding: 0.8rem 1rem;
+  text-align: right;
+  border-bottom: 1px solid var(--border);
+  background: var(--bg-elevated);
+  font-weight: 500;
+}
+
+.perf-table thead th:first-child {
+  text-align: left;
+}
+
+.perf-table tbody td {
+  padding: 0.65rem 1rem;
+  border-bottom: 1px solid var(--border);
+  color: var(--text-secondary);
+  text-align: right;
+  font-family: var(--font-mono);
+  font-size: 0.82rem;
+}
+
+.perf-table tbody td:first-child {
+  font-family: var(--font-body);
+  font-size: 0.85rem;
+  color: var(--text-primary);
+  text-align: left;
+  font-weight: 400;
+}
+
+.perf-table tbody tr:hover {
+  background: var(--bg-elevated);
+}
+
+.perf-table tbody tr.perf-highlight td {
+  color: var(--emerald);
+  font-weight: 500;
+}
+
+.perf-table tbody tr.perf-highlight td:first-child {
+  color: var(--emerald);
+}
+
+.perf-sidebar {
+  display: flex;
+  flex-direction: column;
+  gap: 1.5rem;
+}
+
+.perf-stat {
+  background: var(--bg-card);
+  border: 1px solid var(--border);
+  padding: 1.5rem;
+  box-shadow: 0 1px 4px rgba(0,0,0,0.04);
+}
+
+.perf-stat-value {
+  font-family: var(--font-display);
+  font-size: 2.2rem;
+  font-weight: 600;
+  line-height: 1.1;
+}
+
+.perf-stat-value.emerald { color: var(--emerald); }
+.perf-stat-value.teal { color: var(--teal); }
+.perf-stat-value.amber { color: var(--amber); }
+
+.perf-stat-label {
+  font-size: 0.82rem;
+  color: var(--text-secondary);
+  margin-top: 0.4rem;
+}
+
+.perf-bar-group {
+  margin-top: 1.5rem;
+}
+
+.perf-bar-row {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  margin-bottom: 0.6rem;
+}
+
+.perf-bar-label {
+  font-size: 0.75rem;
+  color: var(--text-secondary);
+  width: 80px;
+  flex-shrink: 0;
+  text-align: right;
+}
+
+.perf-bar-track {
+  flex: 1;
+  height: 18px;
+  background: var(--bg-elevated);
+  border-radius: 2px;
+  overflow: hidden;
+  position: relative;
+}
+
+.perf-bar-fill {
+  height: 100%;
+  border-radius: 2px;
+  transition: width 0.6s ease;
+}
+
+.perf-bar-fill.emerald { background: var(--emerald); }
+.perf-bar-fill.teal { background: var(--teal); }
+.perf-bar-fill.dim { background: var(--text-dim); }
+
+.perf-bar-ms {
+  font-family: var(--font-mono);
+  font-size: 0.7rem;
+  color: var(--text-dim);
+  width: 42px;
+  flex-shrink: 0;
+}
+
+.perf-note {
+  font-size: 0.78rem;
+  color: var(--text-dim);
+  margin-top: 2rem;
+  line-height: 1.6;
+}
+
+.perf-note a {
+  color: var(--teal-dim);
+  text-decoration: none;
+  border-bottom: 1px solid var(--border-teal);
+}
+
 /* ===========================
    TECHNICAL
    =========================== */
@@ -824,6 +992,8 @@ p.lead {
   color: var(--text-secondary);
   overflow-x: auto;
   position: relative;
+  white-space: pre-wrap;
+  word-break: break-all;
 }
 
 .code-block::before {
@@ -980,6 +1150,7 @@ footer .closing {
   .problem-grid { grid-template-columns: 1fr; gap: 2rem; }
   .layers-grid { grid-template-columns: 1fr; }
   .tech-grid { grid-template-columns: 1fr; }
+  .perf-grid { grid-template-columns: 1fr; }
   .network-grid { grid-template-columns: repeat(2, 1fr); }
   .network-connections { display: none; }
   .hero-line { display: none; }
@@ -1036,9 +1207,9 @@ footer .closing {
     </div>
     <div class="problem-grid">
       <div class="problem-text reveal reveal-delay-1">
-        <p>Every time you visit a website, you ask a DNS resolver where to go. That resolver sees every domain you visit, when, and how often.</p>
-        <p>Today, a handful of operators control this infrastructure. ICANN governs the root. Registrars can seize domains. Governments compel censorship. Your ISP logs your queries by default.</p>
-        <p>The protocol that underpins the entire internet has no built-in privacy, no cryptographic ownership, and no way for users to choose who they trust.</p>
+        <p>Every time you visit a website, you ask a DNS resolver where to go. That resolver sees every domain you visit, when, and how often. Your ISP logs these queries by default.</p>
+        <p>Ad blockers work in one browser. Pi-hole needs a Raspberry Pi. Your local dev services live at <code>localhost:5173</code> and you can never remember which port is which.</p>
+        <p>DNS is the foundation of everything you do on the internet, but the tools for controlling it locally are either too complex (dnsmasq + nginx + mkcert) or too limited (cloud-only, appliance-only).</p>
       </div>
       <div class="dns-diagram reveal reveal-delay-2">
         <div class="dns-node"><span class="node-dot dim"></span>Your browser</div>
@@ -1062,44 +1233,43 @@ footer .closing {
   <div class="container">
     <div class="reveal">
       <div class="section-label">How It Works</div>
-      <h2>Three layers, built incrementally</h2>
-      <p class="lead">Numa starts as a practical developer tool and evolves toward a decentralized network. Each layer stands on its own.</p>
+      <h2>What it does today</h2>
+      <p class="lead">A portable DNS proxy with ad blocking, encrypted upstream, local service domains, and a REST API. Everything runs in a single binary.</p>
     </div>
     <div class="layers-grid">
       <div class="layer-card reveal reveal-delay-1">
-        <div class="layer-badge">Today</div>
-        <h3>DNS You Control</h3>
+        <div class="layer-badge">Layer 1</div>
+        <h3>Block &amp; Protect</h3>
         <ul>
           <li>Ad &amp; tracker blocking &mdash; 385K+ domains, zero config</li>
-          <li>Ephemeral DNS overrides with auto-revert</li>
-          <li>Local service proxy &mdash; <code>frontend.numa</code> instead of <code>localhost:5173</code></li>
-          <li>Live dashboard with real-time stats and controls</li>
-          <li>REST API &mdash; 22 endpoints for programmatic control</li>
+          <li>DNS-over-HTTPS &mdash; encrypted upstream (Quad9, Cloudflare, any provider)</li>
           <li>TTL-aware caching (sub-ms lookups)</li>
-          <li>Single binary, portable &mdash; your ad blocker travels with you</li>
+          <li>Single binary, portable &mdash; your DNS travels with you</li>
+          <li>macOS, Linux, and Windows</li>
         </ul>
       </div>
       <div class="layer-card reveal reveal-delay-2">
-        <div class="layer-badge">Next</div>
-        <h3>Self-Sovereign DNS</h3>
+        <div class="layer-badge">Layer 2</div>
+        <h3>Developer Tools</h3>
         <ul>
-          <li>pkarr integration: Ed25519 keys as domains</li>
-          <li>Resolve via Mainline BitTorrent DHT (10M+ nodes)</li>
-          <li>No registrar, no blockchain, no ICANN</li>
-          <li>Cryptographic verification built-in</li>
-          <li>Human-readable aliases for pkarr domains</li>
+          <li>Local service proxy &mdash; <code>frontend.numa</code> instead of <code>localhost:5173</code></li>
+          <li>Path-based routing &mdash; <code>app.numa/api</code> &rarr; <code>:5001</code></li>
+          <li>Ephemeral DNS overrides with auto-revert</li>
+          <li>LAN service discovery via mDNS</li>
+          <li>Conditional forwarding &mdash; plays nice with Tailscale/VPN split-DNS</li>
+          <li>REST API &mdash; script everything, automate anything</li>
+          <li>Live dashboard with real-time stats and controls</li>
         </ul>
       </div>
       <div class="layer-card reveal reveal-delay-3">
-        <div class="layer-badge">Vision</div>
-        <h3>Decentralized Resolver Network</h3>
+        <div class="layer-badge">Coming Next</div>
+        <h3>Self-Sovereign DNS</h3>
         <ul>
-          <li>Operators run Numa nodes and stake tokens</li>
-          <li>Earn rewards for uptime, correctness, latency</li>
-          <li>Independent auditors send challenge queries</li>
-          <li>Slashing for NXDOMAIN hijacking or poisoned records</li>
-          <li>Geographic diversity bonuses</li>
-          <li>Privacy-preserving resolution (DoH/DoT)</li>
+          <li>pkarr integration &mdash; DNS via Mainline DHT, no registrar needed</li>
+          <li>Global <code>.numa</code> names &mdash; self-publish, DHT-backed</li>
+          <li>.onion bridge &mdash; human-readable names for Tor hidden services</li>
+          <li>Ed25519 same-key binding &mdash; zero new trust assumptions</li>
+          <li>No blockchain required for core naming</li>
         </ul>
       </div>
     </div>
@@ -1131,66 +1301,12 @@ footer .closing {
         <span class="pipeline-arrow">&rarr;</span>
         <div class="pipeline-node"><div class="pipeline-box">Cache</div></div>
         <span class="pipeline-arrow">&rarr;</span>
-        <div class="pipeline-node"><div class="pipeline-box hl-violet">pkarr / DHT</div></div>
-        <span class="pipeline-arrow">&rarr;</span>
-        <div class="pipeline-node"><div class="pipeline-box">Upstream</div></div>
+        <div class="pipeline-node"><div class="pipeline-box hl-violet">DoH Upstream</div></div>
         <span class="pipeline-arrow">&rarr;</span>
         <div class="pipeline-node"><div class="pipeline-box hl-emerald">Respond</div></div>
       </div>
     </div>
 
-    <div class="arch-subsection reveal">
-      <h3>Layered resilience</h3>
-      <div class="layer-stack">
-        <div class="stack-row">
-          <div class="stack-label" style="color: var(--violet)">L4 Permanence</div>
-          <div class="stack-value">Arweave immutable zone snapshots (future)</div>
-        </div>
-        <div class="stack-row">
-          <div class="stack-label" style="color: var(--violet-dim)">L3 Distribution</div>
-          <div class="stack-value">Mainline DHT via pkarr &mdash; 10M+ nodes</div>
-        </div>
-        <div class="stack-row">
-          <div class="stack-label" style="color: var(--amber)">L2 Serving</div>
-          <div class="stack-value">Numa instances worldwide</div>
-        </div>
-        <div class="stack-row">
-          <div class="stack-label" style="color: var(--teal)">L1 Compatibility</div>
-          <div class="stack-value">Standard DNS wire protocol &mdash; RFC 1035</div>
-        </div>
-      </div>
-    </div>
-
-    <div class="arch-subsection reveal">
-      <h3>Network actors</h3>
-      <div class="network-grid">
-        <div class="network-actor">
-          <span class="actor-icon" style="color: var(--teal)" aria-hidden="true">&compfn;</span>
-          <h4 style="color: var(--teal)">Users</h4>
-          <p>Choose resolvers from a decentralized marketplace based on latency, privacy, and reputation</p>
-        </div>
-        <div class="network-actor">
-          <span class="actor-icon" style="color: var(--amber)" aria-hidden="true">&diamond;</span>
-          <h4 style="color: var(--amber)">Operators</h4>
-          <p>Stake tokens, run Numa nodes, earn rewards proportional to verified service quality</p>
-        </div>
-        <div class="network-actor">
-          <span class="actor-icon" style="color: var(--rose)" aria-hidden="true">&target;</span>
-          <h4 style="color: var(--rose)">Auditors</h4>
-          <p>Send challenge queries from diverse locations, verify correctness and latency</p>
-        </div>
-        <div class="network-actor">
-          <span class="actor-icon" style="color: var(--violet)" aria-hidden="true">&equiv;</span>
-          <h4 style="color: var(--violet)">Chain</h4>
-          <p>Accounting, reputation scores, reward distribution, slashing proofs</p>
-        </div>
-      </div>
-      <div class="network-connections" aria-hidden="true">
-        <div class="network-conn-line"></div>
-        <div class="network-conn-line"></div>
-        <div class="network-conn-line"></div>
-      </div>
-    </div>
   </div>
 </section>
 
@@ -1265,6 +1381,22 @@ footer .closing {
             <td class="check">Yes</td>
             <td class="check">Real-time + controls</td>
           </tr>
+          <tr>
+            <td>DNS-over-HTTPS upstream</td>
+            <td class="cross">No</td>
+            <td class="check">Yes</td>
+            <td class="check">Yes</td>
+            <td class="cross">No</td>
+            <td class="check">Built in (HTTP/2 + rustls)</td>
+          </tr>
+          <tr>
+            <td>Conditional forwarding</td>
+            <td class="cross">No</td>
+            <td class="cross">No</td>
+            <td class="cross">No</td>
+            <td class="muted">Manual</td>
+            <td class="check">Auto-detects Tailscale/VPN</td>
+          </tr>
           <tr>
             <td>Zero config needed</td>
             <td class="cross">Complex setup</td>
@@ -1273,14 +1405,6 @@ footer .closing {
             <td class="cross">Docker/setup</td>
             <td class="check">Works out of the box</td>
           </tr>
-          <tr>
-            <td>Self-sovereign DNS roadmap</td>
-            <td class="cross">No</td>
-            <td class="cross">No</td>
-            <td class="cross">No</td>
-            <td class="cross">No</td>
-            <td class="check">pkarr / DHT</td>
-          </tr>
         </tbody>
       </table>
     </div>
@@ -1289,6 +1413,125 @@ footer .closing {
 
 <div class="section-road" aria-hidden="true"><div class="roman-bricks"></div></div>
 
+<!-- ==================== PERFORMANCE ==================== -->
+<section class="perf-section" id="performance">
+  <div class="container">
+    <div class="reveal">
+      <div class="section-label" style="color: var(--emerald)">Performance</div>
+      <h2>Measured, not claimed</h2>
+      <p class="lead">Benchmarked with <code style="font-size:0.85em">dig</code> against public resolvers on the same machine. Cached queries resolve in under a microsecond.</p>
+    </div>
+
+    <div class="perf-grid">
+      <div class="reveal reveal-delay-1">
+        <div class="perf-table-wrapper">
+          <table class="perf-table">
+            <caption class="sr-only">DNS resolver latency comparison</caption>
+            <thead>
+              <tr>
+                <th>Resolver</th>
+                <th>Avg</th>
+                <th>P50</th>
+                <th>P99</th>
+              </tr>
+            </thead>
+            <tbody>
+              <tr class="perf-highlight">
+                <td>Numa (cached)</td>
+                <td>&lt;1ms</td>
+                <td>&lt;1ms</td>
+                <td>&lt;1ms</td>
+              </tr>
+              <tr>
+                <td>Numa (cold)</td>
+                <td>9ms</td>
+                <td>9ms</td>
+                <td>18ms</td>
+              </tr>
+              <tr>
+                <td>System resolver</td>
+                <td>9ms</td>
+                <td>8ms</td>
+                <td>44ms</td>
+              </tr>
+              <tr>
+                <td>Quad9</td>
+                <td>15ms</td>
+                <td>13ms</td>
+                <td>43ms</td>
+              </tr>
+              <tr>
+                <td>Cloudflare</td>
+                <td>19ms</td>
+                <td>14ms</td>
+                <td>132ms</td>
+              </tr>
+              <tr>
+                <td>Google</td>
+                <td>22ms</td>
+                <td>17ms</td>
+                <td>37ms</td>
+              </tr>
+            </tbody>
+          </table>
+        </div>
+
+        <div class="perf-bar-group">
+          <div class="perf-bar-row">
+            <span class="perf-bar-label">Numa</span>
+            <div class="perf-bar-track"><div class="perf-bar-fill emerald" style="width: 2%"></div></div>
+            <span class="perf-bar-ms">&lt;1ms</span>
+          </div>
+          <div class="perf-bar-row">
+            <span class="perf-bar-label">System</span>
+            <div class="perf-bar-track"><div class="perf-bar-fill dim" style="width: 20%"></div></div>
+            <span class="perf-bar-ms">9ms</span>
+          </div>
+          <div class="perf-bar-row">
+            <span class="perf-bar-label">Quad9</span>
+            <div class="perf-bar-track"><div class="perf-bar-fill dim" style="width: 33%"></div></div>
+            <span class="perf-bar-ms">15ms</span>
+          </div>
+          <div class="perf-bar-row">
+            <span class="perf-bar-label">Cloudflare</span>
+            <div class="perf-bar-track"><div class="perf-bar-fill dim" style="width: 42%"></div></div>
+            <span class="perf-bar-ms">19ms</span>
+          </div>
+          <div class="perf-bar-row">
+            <span class="perf-bar-label">Google</span>
+            <div class="perf-bar-track"><div class="perf-bar-fill dim" style="width: 49%"></div></div>
+            <span class="perf-bar-ms">22ms</span>
+          </div>
+        </div>
+      </div>
+
+      <div class="perf-sidebar reveal reveal-delay-2">
+        <div class="perf-stat">
+          <div class="perf-stat-value emerald">689 ns</div>
+          <div class="perf-stat-label">Cached round-trip &mdash; parse query, cache lookup, serialize response</div>
+        </div>
+        <div class="perf-stat">
+          <div class="perf-stat-value teal">2.0M</div>
+          <div class="perf-stat-label">Queries per second (single-threaded pipeline throughput, batched)</div>
+        </div>
+        <div class="perf-stat">
+          <div class="perf-stat-value amber">0 allocations</div>
+          <div class="perf-stat-label">Heap allocations in the I/O path &mdash; 4KB stack buffers, inline serialization</div>
+        </div>
+
+        <p class="perf-note">
+          Cold queries match system resolver speed &mdash; the bottleneck is upstream RTT, not Numa. We don't claim to be faster when the network is the limit.
+          <br><br>
+          Benchmarks are reproducible: <code style="font-size:0.85em">cargo bench</code> for micro-benchmarks, <code style="font-size:0.85em">python3 bench/dns-bench.sh</code> for end-to-end.
+          <a href="https://github.com/razvandimescu/numa/tree/main/bench">Methodology &rarr;</a>
+        </p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<div class="section-road on-surface" aria-hidden="true"><div class="roman-bricks"></div></div>
+
 <!-- ==================== TECHNICAL ==================== -->
 <section id="technical">
   <div class="container">
@@ -1305,25 +1548,30 @@ footer .closing {
         <dd>Zero &mdash; wire protocol parsed from scratch</dd>
 
         <dt>Dependencies</dt>
-        <dd>8 runtime crates (tokio, axum, hyper, serde, serde_json, toml, log, futures)</dd>
+        <dd>18 runtime crates &mdash; tokio, axum, hyper, reqwest (DoH), rcgen + rustls (TLS), socket2 (multicast), serde, and more</dd>
 
         <dt>Packet Format</dt>
         <dd>RFC 1035 compliant, 4096-byte UDP (EDNS)</dd>
 
         <dt>Concurrency</dt>
-        <dd>Arc&lt;ServerCtx&gt; + std::sync::Mutex (sub-&micro;s holds, never across .await)</dd>
+        <dd>Arc&lt;ServerCtx&gt; + RwLock for reads, Mutex for writes (never across .await)</dd>
 
-        <dt>Signatures</dt>
-        <dd>Ed25519 via pkarr for self-sovereign domains</dd>
+        <dt>Upstream</dt>
+        <dd>DNS-over-HTTPS (DoH) via reqwest + http2 + rustls</dd>
       </dl>
       <div class="code-block reveal reveal-delay-2">
+<span class="comment"># Install (pick one)</span>
+<span class="prompt">$</span> <span class="cmd">brew install</span> razvandimescu/tap/numa
 <span class="prompt">$</span> <span class="cmd">cargo install</span> numa
+<span class="prompt">$</span> <span class="cmd">curl</span> <span class="flag">-fsSL</span> https://raw.githubusercontent.com/razvandimescu/numa/main/install.sh <span class="flag">|</span> <span class="cmd">sh</span>
+
+<span class="comment"># Run</span>
 <span class="prompt">$</span> <span class="cmd">sudo numa</span>                          <span class="comment"># bind to :53, :80, :5380</span>
 <span class="prompt">$</span> <span class="cmd">dig</span> <span class="flag">@127.0.0.1</span> google.com         <span class="comment"># test resolution</span>
-<span class="prompt">$</span> <span class="cmd">open</span> http://numa.numa              <span class="comment"># dashboard</span>
+<span class="prompt">$</span> <span class="cmd">open</span> http://localhost:5380           <span class="comment"># dashboard</span>
 <span class="prompt">$</span> <span class="cmd">curl</span> <span class="flag">-X POST</span> localhost:5380/services \
     <span class="flag">-d</span> <span class="str">'{"name":"frontend",
-         "target_port":5173}'</span>          <span class="comment"># http://frontend.numa</span>
+         "target_port":5173}'</span>          <span class="comment"># https://frontend.numa</span>
       </div>
     </div>
   </div>
@@ -1345,7 +1593,7 @@ footer .closing {
       </div>
       <div class="roadmap-item done">
         <span class="phase">Phase 1</span>
-        <span class="phase-desc">Override layer + REST API with 18 endpoints</span>
+        <span class="phase-desc">Override layer + REST API for programmatic DNS control</span>
       </div>
       <div class="roadmap-item done">
         <span class="phase">Phase 2</span>
@@ -1359,25 +1607,21 @@ footer .closing {
         <span class="phase">Phase 4</span>
         <span class="phase-desc">Local service proxy &mdash; .numa domains, HTTP/HTTPS reverse proxy, auto TLS, WebSocket</span>
       </div>
-      <div class="roadmap-item phase-teal">
+      <div class="roadmap-item done">
         <span class="phase">Phase 5</span>
-        <span class="phase-desc">pkarr integration &mdash; resolve Ed25519 keys via Mainline DHT (15M nodes)</span>
+        <span class="phase-desc">DNS-over-HTTPS &mdash; encrypted upstream, HTTP/2 connection pooling</span>
       </div>
       <div class="roadmap-item phase-teal">
         <span class="phase">Phase 6</span>
+        <span class="phase-desc">pkarr integration &mdash; self-sovereign DNS via Mainline DHT, no registrar needed</span>
+      </div>
+      <div class="roadmap-item phase-teal">
+        <span class="phase">Phase 7</span>
         <span class="phase-desc">Global .numa names &mdash; self-publish, DHT-backed, first-come-first-served</span>
       </div>
-      <div class="roadmap-item phase-amber">
-        <span class="phase">Phase 7</span>
-        <span class="phase-desc">Audit protocol &mdash; challenge-based verification of resolver honesty</span>
-      </div>
-      <div class="roadmap-item phase-violet">
+      <div class="roadmap-item phase-teal">
         <span class="phase">Phase 8</span>
-        <span class="phase-desc">Numa Network &mdash; proof-of-service consensus, NUMA token, paid .numa domains</span>
-      </div>
-      <div class="roadmap-item phase-violet">
-        <span class="phase">Phase 9</span>
-        <span class="phase-desc">.onion bridge &mdash; human-readable .numa names for Tor hidden services</span>
+        <span class="phase-desc">.onion bridge &mdash; human-readable Tor naming via Ed25519 same-key binding</span>
       </div>
     </div>
   </div>
@@ -1391,6 +1635,7 @@ footer .closing {
     </p>
     <div class="footer-links reveal reveal-delay-1">
       <a href="https://github.com/razvandimescu/numa" target="_blank" rel="noopener">GitHub</a>
+      <a href="/blog/">Blog</a>
       <a href="https://github.com/razvandimescu/numa/blob/main/LICENSE" target="_blank" rel="noopener">MIT License</a>
     </div>
     <p class="closing reveal reveal-delay-2">Built from scratch in Rust. No dependencies on trust.</p>
-- 
2.34.1


From 236ef7b4f593d567f89edc908e168d065c7fbf55 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu <ssaricu@gmail.com>
Date: Fri, 27 Mar 2026 02:01:08 +0200
Subject: [PATCH 4/5] perf: optimize DNS query hot path (#15)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: optimize hot path — RwLock, inline filtering, pre-allocated strings

- Mutex → RwLock for cache, blocklist, and overrides (concurrent read access)
- Make cache.lookup() and overrides.lookup() take &self (read-only)
- Eliminate 3 Vec allocations per DnsPacket::write() via inline filtering
- Pre-allocate domain strings with capacity 64 in parse path
- Add criterion micro-benchmarks (hot_path + throughput)
- Add bench README documenting both benchmark suites

Measured improvement: ~14% faster parsing, ~9% pipeline throughput,
round-trip cached 733ns → 698ns (~2.3M queries/sec).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: simplify benchmark code after review

- Remove redundant DnsHeader::new() (already set by DnsPacket::new())
- Remove unused DnsHeader import
- Change simulate_cached_pipeline to take &DnsCache (lookup is &self now)
- Remove unnecessary mut on cache in cache_lookup_miss bench

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 Cargo.lock            | 267 ++++++++++++++++++++++++++++++++++++++++++
 Cargo.toml            |  11 ++
 Makefile              |  13 +-
 bench/README.md       |  87 ++++++++++++++
 benches/hot_path.rs   | 185 +++++++++++++++++++++++++++++
 benches/throughput.rs |  94 +++++++++++++++
 src/api.rs            |  51 ++++----
 src/cache.rs          |  18 +--
 src/ctx.rs            |  16 +--
 src/main.rs           |  10 +-
 src/override_store.rs |   7 +-
 src/packet.rs         |  38 +++---
 src/record.rs         |   8 +-
 13 files changed, 728 insertions(+), 77 deletions(-)
 create mode 100644 bench/README.md
 create mode 100644 benches/hot_path.rs
 create mode 100644 benches/throughput.rs

diff --git a/Cargo.lock b/Cargo.lock
index bd15955..a8563e2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -17,6 +17,12 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "anes"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299"
+
 [[package]]
 name = "anstream"
 version = "0.6.21"
@@ -237,6 +243,12 @@ version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 
+[[package]]
+name = "cast"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
+
 [[package]]
 name = "cc"
 version = "1.2.57"
@@ -261,6 +273,58 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
+[[package]]
+name = "ciborium"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42e69ffd6f0917f5c029256a24d0161db17cea3997d185db0d35926308770f0e"
+dependencies = [
+ "ciborium-io",
+ "ciborium-ll",
+ "serde",
+]
+
+[[package]]
+name = "ciborium-io"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05afea1e0a06c9be33d539b876f1ce3692f4afea2cb41f740e7743225ed1c757"
+
+[[package]]
+name = "ciborium-ll"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9"
+dependencies = [
+ "ciborium-io",
+ "half",
+]
+
+[[package]]
+name = "clap"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
+dependencies = [
+ "clap_builder",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
+dependencies = [
+ "anstyle",
+ "clap_lex",
+]
+
+[[package]]
+name = "clap_lex"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
+
 [[package]]
 name = "cmake"
 version = "0.1.57"
@@ -302,6 +366,73 @@ dependencies = [
  "cfg-if",
 ]
 
+[[package]]
+name = "criterion"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2b12d017a929603d80db1831cd3a24082f8137ce19c69e6447f54f5fc8d692f"
+dependencies = [
+ "anes",
+ "cast",
+ "ciborium",
+ "clap",
+ "criterion-plot",
+ "is-terminal",
+ "itertools",
+ "num-traits",
+ "once_cell",
+ "oorandom",
+ "plotters",
+ "rayon",
+ "regex",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "tinytemplate",
+ "walkdir",
+]
+
+[[package]]
+name = "criterion-plot"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6b50826342786a51a89e2da3a28f1c32b06e387201bc2d19791f622c673706b1"
+dependencies = [
+ "cast",
+ "itertools",
+]
+
+[[package]]
+name = "crossbeam-deque"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9dd111b7b7f7d55b72c0a6ae361660ee5853c9af73f70c3c2ef6858b950e2e51"
+dependencies = [
+ "crossbeam-epoch",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.9.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
+
+[[package]]
+name = "crunchy"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
+
 [[package]]
 name = "data-encoding"
 version = "2.10.0"
@@ -348,6 +479,12 @@ version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
 
+[[package]]
+name = "either"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+
 [[package]]
 name = "env_filter"
 version = "1.0.0"
@@ -548,12 +685,29 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "half"
+version = "2.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b"
+dependencies = [
+ "cfg-if",
+ "crunchy",
+ "zerocopy",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
 
+[[package]]
+name = "hermit-abi"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
+
 [[package]]
 name = "http"
 version = "1.4.0"
@@ -790,12 +944,32 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "is-terminal"
+version = "0.4.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
+dependencies = [
+ "hermit-abi",
+ "libc",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
 
+[[package]]
+name = "itertools"
+version = "0.10.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
+dependencies = [
+ "either",
+]
+
 [[package]]
 name = "itoa"
 version = "1.0.17"
@@ -971,6 +1145,7 @@ version = "0.5.0"
 dependencies = [
  "arc-swap",
  "axum",
+ "criterion",
  "env_logger",
  "futures",
  "http-body-util",
@@ -1010,6 +1185,12 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
+[[package]]
+name = "oorandom"
+version = "11.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"
+
 [[package]]
 name = "pem"
 version = "3.0.6"
@@ -1038,6 +1219,34 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "plotters"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5aeb6f403d7a4911efb1e33402027fc44f29b5bf6def3effcc22d7bb75f2b747"
+dependencies = [
+ "num-traits",
+ "plotters-backend",
+ "plotters-svg",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "plotters-backend"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df42e13c12958a16b3f7f4386b9ab1f3e7933914ecea48da7139435263a4172a"
+
+[[package]]
+name = "plotters-svg"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51bae2ac328883f7acdfea3d66a7c35751187f870bc81f94563733a154d7a670"
+dependencies = [
+ "plotters-backend",
+]
+
 [[package]]
 name = "portable-atomic"
 version = "1.13.1"
@@ -1185,6 +1394,26 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
+[[package]]
+name = "rayon"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "368f01d005bf8fd9b1206fb6fa653e6c4a81ceb1466406b81792d87c5677a58f"
+dependencies = [
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91"
+dependencies = [
+ "crossbeam-deque",
+ "crossbeam-utils",
+]
+
 [[package]]
 name = "rcgen"
 version = "0.13.2"
@@ -1346,6 +1575,15 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -1589,6 +1827,16 @@ dependencies = [
  "zerovec",
 ]
 
+[[package]]
+name = "tinytemplate"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be4d6b5f19ff7664e8c98d03e2139cb510db9b0a60b55f8e8709b689d939b6bc"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
 [[package]]
 name = "tinyvec"
 version = "1.11.0"
@@ -1807,6 +2055,16 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -1919,6 +2177,15 @@ dependencies = [
  "rustls-pki-types",
 ]
 
+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
diff --git a/Cargo.toml b/Cargo.toml
index fa52afa..ea71da7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -28,3 +28,14 @@ time = "0.3"
 rustls = "0.23"
 tokio-rustls = "0.26"
 arc-swap = "1"
+
+[dev-dependencies]
+criterion = { version = "0.5", features = ["html_reports"] }
+
+[[bench]]
+name = "hot_path"
+harness = false
+
+[[bench]]
+name = "throughput"
+harness = false
diff --git a/Makefile b/Makefile
index d25d697..643c058 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt check audit test clean deploy
+.PHONY: all build lint fmt check audit test bench clean deploy blog
 
 all: lint build
 
@@ -19,6 +19,17 @@ audit:
 test:
 	cargo test
 
+bench:
+	cargo bench
+
+blog:
+	@mkdir -p site/blog
+	@for f in blog/*.md; do \
+		name=$$(basename "$$f" .md); \
+		pandoc "$$f" --template=site/blog-template.html -o "site/blog/$$name.html"; \
+		echo "  $$f → site/blog/$$name.html"; \
+	done
+
 clean:
 	cargo clean
 
diff --git a/bench/README.md b/bench/README.md
new file mode 100644
index 0000000..7307369
--- /dev/null
+++ b/bench/README.md
@@ -0,0 +1,87 @@
+# Benchmarks
+
+Numa has two benchmark suites measuring different layers of performance.
+
+## Micro-benchmarks (`benches/`, criterion)
+
+Nanosecond-precision measurement of individual operations on the hot path.
+No running server required — these are pure Rust unit-level benchmarks.
+
+```sh
+cargo bench            # run all
+cargo bench --bench hot_path      # parse, serialize, cache, clone
+cargo bench --bench throughput    # pipeline QPS, buffer alloc
+```
+
+### What's measured
+
+**hot_path** — individual operations:
+
+| Benchmark | What it measures |
+|-----------|-----------------|
+| `buffer_parse` | Wire bytes → DnsPacket (typical response with 4 records) |
+| `buffer_serialize` | DnsPacket → wire bytes |
+| `packet_clone` | Full DnsPacket clone (what cache hit costs) |
+| `cache_lookup_hit` | Cache lookup on a single-entry cache |
+| `cache_lookup_hit_populated` | Cache lookup with 1000 entries |
+| `cache_lookup_miss` | HashMap miss (baseline) |
+| `cache_insert` | Insert into cache with packet clone |
+| `round_trip_cached` | Full cached path: parse query → cache hit → serialize response |
+
+**throughput** — pipeline capacity:
+
+| Benchmark | What it measures |
+|-----------|-----------------|
+| `pipeline_throughput/N` | N cached queries end-to-end (parse → lookup → serialize) |
+| `buffer_alloc` | BytePacketBuffer 4KB zero-init cost |
+
+### Reading results
+
+Criterion auto-compares against the previous run:
+
+```
+round_trip_cached  time: [710.5 ns 715.2 ns 720.1 ns]
+                   change: [-2.48% -1.85% -1.21%] (p = 0.00 < 0.05)
+                   Performance has improved.
+```
+
+- The three values are [lower bound, estimate, upper bound] of the mean
+- `change` shows the delta vs the last saved baseline
+- HTML reports with charts: `target/criterion/report/index.html`
+
+To save a named baseline for comparison:
+
+```sh
+cargo bench -- --save-baseline before
+# ... make changes ...
+cargo bench -- --baseline before
+```
+
+## End-to-end benchmark (`bench/dns-bench.sh`)
+
+Real-world latency comparison using `dig` against a running Numa instance
+and public resolvers. Measures millisecond-level latency including network I/O.
+
+```sh
+# Start Numa first (default port 15353 for testing)
+python3 bench/dns-bench.sh [port] [rounds]
+python3 bench/dns-bench.sh 15353 20    # default
+```
+
+### What's measured
+
+- **Numa (cold)**: cache flushed before each query — measures upstream forwarding
+- **Numa (cached)**: queries hit cache — measures local processing
+- **System / Google / Cloudflare / Quad9**: public resolver comparison
+
+Results saved to `bench/results.json`.
+
+### When to use which
+
+| Question | Use |
+|----------|-----|
+| Did my code change make parsing faster? | `cargo bench --bench hot_path` |
+| Is the cached path still sub-microsecond? | `cargo bench --bench hot_path` (round_trip_cached) |
+| How many queries/sec can we handle? | `cargo bench --bench throughput` |
+| Is Numa still competitive with system resolver? | `bench/dns-bench.sh` |
+| Did upstream forwarding regress? | `bench/dns-bench.sh` |
diff --git a/benches/hot_path.rs b/benches/hot_path.rs
new file mode 100644
index 0000000..accfcf2
--- /dev/null
+++ b/benches/hot_path.rs
@@ -0,0 +1,185 @@
+use criterion::{black_box, criterion_group, criterion_main, Criterion};
+use std::net::Ipv4Addr;
+
+use numa::buffer::BytePacketBuffer;
+use numa::cache::DnsCache;
+use numa::header::ResultCode;
+use numa::packet::DnsPacket;
+use numa::question::{DnsQuestion, QueryType};
+use numa::record::DnsRecord;
+
+fn make_response(domain: &str) -> DnsPacket {
+    let mut pkt = DnsPacket::new();
+    pkt.header.id = 0x1234;
+    pkt.header.response = true;
+    pkt.header.recursion_desired = true;
+    pkt.header.recursion_available = true;
+    pkt.header.rescode = ResultCode::NOERROR;
+    pkt.questions
+        .push(DnsQuestion::new(domain.to_string(), QueryType::A));
+    pkt.answers.push(DnsRecord::A {
+        domain: domain.to_string(),
+        addr: Ipv4Addr::new(93, 184, 216, 34),
+        ttl: 300,
+    });
+    // Typical response includes authority + additional records
+    pkt.authorities.push(DnsRecord::NS {
+        domain: domain.to_string(),
+        host: format!("ns1.{domain}"),
+        ttl: 172800,
+    });
+    pkt.authorities.push(DnsRecord::NS {
+        domain: domain.to_string(),
+        host: format!("ns2.{domain}"),
+        ttl: 172800,
+    });
+    pkt.resources.push(DnsRecord::A {
+        domain: format!("ns1.{domain}"),
+        addr: Ipv4Addr::new(198, 51, 100, 1),
+        ttl: 172800,
+    });
+    pkt
+}
+
+fn to_wire(pkt: &DnsPacket) -> Vec<u8> {
+    let mut buf = BytePacketBuffer::new();
+    pkt.write(&mut buf).unwrap();
+    buf.filled().to_vec()
+}
+
+fn bench_buffer_parse(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+    let wire = to_wire(&pkt);
+
+    c.bench_function("buffer_parse", |b| {
+        b.iter(|| {
+            let mut buf = BytePacketBuffer::from_bytes(black_box(&wire));
+            DnsPacket::from_buffer(&mut buf).unwrap()
+        })
+    });
+}
+
+fn bench_buffer_serialize(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+
+    c.bench_function("buffer_serialize", |b| {
+        b.iter(|| {
+            let mut buf = BytePacketBuffer::new();
+            black_box(&pkt).write(&mut buf).unwrap();
+            black_box(buf.pos());
+        })
+    });
+}
+
+fn bench_packet_clone(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+
+    c.bench_function("packet_clone", |b| b.iter(|| black_box(&pkt).clone()));
+}
+
+fn bench_cache_lookup_hit(c: &mut Criterion) {
+    let mut cache = DnsCache::new(10_000, 60, 86400);
+    let pkt = make_response("example.com");
+    cache.insert("example.com", QueryType::A, &pkt);
+
+    c.bench_function("cache_lookup_hit", |b| {
+        b.iter(|| {
+            cache
+                .lookup(black_box("example.com"), QueryType::A)
+                .unwrap()
+        })
+    });
+}
+
+fn bench_cache_lookup_miss(c: &mut Criterion) {
+    let cache = DnsCache::new(10_000, 60, 86400);
+
+    c.bench_function("cache_lookup_miss", |b| {
+        b.iter(|| cache.lookup(black_box("nonexistent.com"), QueryType::A))
+    });
+}
+
+fn bench_cache_insert(c: &mut Criterion) {
+    let pkt = make_response("example.com");
+
+    c.bench_function("cache_insert", |b| {
+        let mut cache = DnsCache::new(10_000, 60, 86400);
+        let mut i = 0u64;
+        b.iter(|| {
+            let domain = format!("bench-{i}.example.com");
+            cache.insert(&domain, QueryType::A, black_box(&pkt));
+            i += 1;
+            // Reset cache periodically to avoid filling up
+            if i % 5000 == 0 {
+                cache.clear();
+            }
+        })
+    });
+}
+
+fn bench_round_trip(c: &mut Criterion) {
+    // Simulates the cached hot path: parse query → cache hit → serialize response
+    let query_pkt = {
+        let mut q = DnsPacket::new();
+        q.header.id = 0xABCD;
+        q.header.recursion_desired = true;
+        q.questions
+            .push(DnsQuestion::new("example.com".to_string(), QueryType::A));
+        q
+    };
+    let query_wire = to_wire(&query_pkt);
+
+    let response = make_response("example.com");
+    let mut cache = DnsCache::new(10_000, 60, 86400);
+    cache.insert("example.com", QueryType::A, &response);
+
+    c.bench_function("round_trip_cached", |b| {
+        b.iter(|| {
+            // 1. Parse incoming query
+            let mut buf = BytePacketBuffer::from_bytes(black_box(&query_wire));
+            let query = DnsPacket::from_buffer(&mut buf).unwrap();
+            let qname = &query.questions[0].name;
+            let qtype = query.questions[0].qtype;
+
+            // 2. Cache lookup
+            let mut resp = cache.lookup(qname, qtype).unwrap();
+            resp.header.id = query.header.id;
+
+            // 3. Serialize response
+            let mut resp_buf = BytePacketBuffer::new();
+            resp.write(&mut resp_buf).unwrap();
+            black_box(resp_buf.pos());
+        })
+    });
+}
+
+fn bench_cache_populated_lookup(c: &mut Criterion) {
+    // Benchmark with a realistically populated cache (1000 entries)
+    let mut cache = DnsCache::new(10_000, 60, 86400);
+    for i in 0..1000 {
+        let domain = format!("domain-{i}.example.com");
+        let pkt = make_response(&domain);
+        cache.insert(&domain, QueryType::A, &pkt);
+    }
+
+    c.bench_function("cache_lookup_hit_populated", |b| {
+        b.iter(|| {
+            cache
+                .lookup(black_box("domain-500.example.com"), QueryType::A)
+                .unwrap()
+        })
+    });
+}
+
+criterion_group!(
+    benches,
+    bench_buffer_parse,
+    bench_buffer_serialize,
+    bench_packet_clone,
+    bench_cache_lookup_hit,
+    bench_cache_lookup_miss,
+    bench_cache_insert,
+    bench_round_trip,
+    bench_cache_populated_lookup,
+);
+criterion_main!(benches);
diff --git a/benches/throughput.rs b/benches/throughput.rs
new file mode 100644
index 0000000..e01a25c
--- /dev/null
+++ b/benches/throughput.rs
@@ -0,0 +1,94 @@
+use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput};
+use std::net::Ipv4Addr;
+
+use numa::buffer::BytePacketBuffer;
+use numa::header::ResultCode;
+use numa::packet::DnsPacket;
+use numa::question::{DnsQuestion, QueryType};
+use numa::record::DnsRecord;
+
+fn make_query_wire(domain: &str) -> Vec<u8> {
+    let mut q = DnsPacket::new();
+    q.header.id = 0xABCD;
+    q.header.recursion_desired = true;
+    q.questions
+        .push(DnsQuestion::new(domain.to_string(), QueryType::A));
+    let mut buf = BytePacketBuffer::new();
+    q.write(&mut buf).unwrap();
+    buf.filled().to_vec()
+}
+
+fn make_response(domain: &str) -> DnsPacket {
+    let mut pkt = DnsPacket::new();
+    pkt.header.id = 0xABCD;
+    pkt.header.response = true;
+    pkt.header.recursion_desired = true;
+    pkt.header.recursion_available = true;
+    pkt.header.rescode = ResultCode::NOERROR;
+    pkt.questions
+        .push(DnsQuestion::new(domain.to_string(), QueryType::A));
+    pkt.answers.push(DnsRecord::A {
+        domain: domain.to_string(),
+        addr: Ipv4Addr::new(93, 184, 216, 34),
+        ttl: 300,
+    });
+    pkt
+}
+
+/// Simulates the complete cached query pipeline (sans network I/O):
+/// parse → cache lookup → TTL adjust → serialize response
+fn simulate_cached_pipeline(query_wire: &[u8], cache: &numa::cache::DnsCache) -> usize {
+    let mut buf = BytePacketBuffer::from_bytes(query_wire);
+    let query = DnsPacket::from_buffer(&mut buf).unwrap();
+    let q = &query.questions[0];
+
+    let mut resp = cache.lookup(&q.name, q.qtype).unwrap();
+    resp.header.id = query.header.id;
+
+    let mut resp_buf = BytePacketBuffer::new();
+    resp.write(&mut resp_buf).unwrap();
+    resp_buf.pos()
+}
+
+fn bench_pipeline_throughput(c: &mut Criterion) {
+    let domains: Vec<String> = (0..100)
+        .map(|i| format!("domain-{i}.example.com"))
+        .collect();
+
+    let mut cache = numa::cache::DnsCache::new(10_000, 60, 86400);
+    for d in &domains {
+        cache.insert(d, QueryType::A, &make_response(d));
+    }
+
+    let query_wires: Vec<Vec<u8>> = domains.iter().map(|d| make_query_wire(d)).collect();
+
+    let mut group = c.benchmark_group("pipeline_throughput");
+
+    for count in [1, 10, 100] {
+        group.throughput(Throughput::Elements(count));
+        group.bench_with_input(BenchmarkId::from_parameter(count), &count, |b, &count| {
+            let mut idx = 0usize;
+            b.iter(|| {
+                for _ in 0..count {
+                    let wire = &query_wires[idx % query_wires.len()];
+                    simulate_cached_pipeline(wire, &cache);
+                    idx += 1;
+                }
+            });
+        });
+    }
+    group.finish();
+}
+
+/// Measures the overhead of BytePacketBuffer allocation + zero-init
+fn bench_buffer_alloc(c: &mut Criterion) {
+    c.bench_function("buffer_alloc", |b| {
+        b.iter(|| {
+            let buf = BytePacketBuffer::new();
+            criterion::black_box(buf.pos());
+        })
+    });
+}
+
+criterion_group!(benches, bench_pipeline_throughput, bench_buffer_alloc,);
+criterion_main!(benches);
diff --git a/src/api.rs b/src/api.rs
index 2df9d73..1c6283c 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -220,7 +220,7 @@ async fn create_overrides(
         })
         .collect::<Result<Vec<_>, (StatusCode, String)>>()?;
 
-    let mut store = ctx.overrides.lock().unwrap();
+    let mut store = ctx.overrides.write().unwrap();
     let mut responses = Vec::with_capacity(parsed.len());
 
     for (domain, target, ttl, duration_secs) in parsed {
@@ -241,7 +241,7 @@ async fn create_overrides(
 }
 
 async fn list_overrides(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<OverrideResponse>> {
-    let store = ctx.overrides.lock().unwrap();
+    let store = ctx.overrides.read().unwrap();
     let entries: Vec<OverrideResponse> = store
         .list()
         .into_iter()
@@ -254,7 +254,7 @@ async fn get_override(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> Result<Json<OverrideResponse>, StatusCode> {
-    let store = ctx.overrides.lock().unwrap();
+    let store = ctx.overrides.read().unwrap();
     let entry = store.get(&domain).ok_or(StatusCode::NOT_FOUND)?;
     Ok(Json(OverrideResponse::from(entry)))
 }
@@ -263,7 +263,7 @@ async fn remove_override(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> StatusCode {
-    let mut store = ctx.overrides.lock().unwrap();
+    let mut store = ctx.overrides.write().unwrap();
     if store.remove(&domain) {
         StatusCode::NO_CONTENT
     } else {
@@ -272,7 +272,7 @@ async fn remove_override(
 }
 
 async fn clear_overrides(State(ctx): State<Arc<ServerCtx>>) -> StatusCode {
-    ctx.overrides.lock().unwrap().clear();
+    ctx.overrides.write().unwrap().clear();
     StatusCode::NO_CONTENT
 }
 
@@ -280,7 +280,7 @@ async fn load_environment(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<EnvironmentRequest>,
 ) -> Result<(StatusCode, Json<EnvironmentResponse>), (StatusCode, String)> {
-    let mut store = ctx.overrides.lock().unwrap();
+    let mut store = ctx.overrides.write().unwrap();
 
     for entry in &req.overrides {
         let duration = entry.duration_secs.or(req.duration_secs);
@@ -307,7 +307,7 @@ async fn diagnose(
 
     // Check overrides
     {
-        let store = ctx.overrides.lock().unwrap();
+        let store = ctx.overrides.read().unwrap();
         let entry = store.get(&domain_lower);
         steps.push(DiagnoseStep {
             source: "override".to_string(),
@@ -319,7 +319,7 @@ async fn diagnose(
 
     // Check blocklist
     {
-        let bl = ctx.blocklist.lock().unwrap();
+        let bl = ctx.blocklist.read().unwrap();
         let blocked = bl.is_blocked(&domain_lower);
         steps.push(DiagnoseStep {
             source: "blocklist".to_string(),
@@ -345,7 +345,7 @@ async fn diagnose(
 
     // Check cache
     {
-        let mut cache = ctx.cache.lock().unwrap();
+        let cache = ctx.cache.read().unwrap();
         let cached = cache.lookup(&domain_lower, qtype);
         steps.push(DiagnoseStep {
             source: "cache".to_string(),
@@ -443,11 +443,11 @@ async fn query_log(
 async fn stats(State(ctx): State<Arc<ServerCtx>>) -> Json<StatsResponse> {
     let snap = ctx.stats.lock().unwrap().snapshot();
     let (cache_len, cache_max) = {
-        let cache = ctx.cache.lock().unwrap();
+        let cache = ctx.cache.read().unwrap();
         (cache.len(), cache.max_entries())
     };
-    let override_count = ctx.overrides.lock().unwrap().active_count();
-    let bl_stats = ctx.blocklist.lock().unwrap().stats();
+    let override_count = ctx.overrides.read().unwrap().active_count();
+    let bl_stats = ctx.blocklist.read().unwrap().stats();
 
     let upstream = ctx.upstream.lock().unwrap().to_string();
 
@@ -486,7 +486,7 @@ async fn stats(State(ctx): State<Arc<ServerCtx>>) -> Json<StatsResponse> {
 }
 
 async fn list_cache(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<CacheEntryResponse>> {
-    let cache = ctx.cache.lock().unwrap();
+    let cache = ctx.cache.read().unwrap();
     let entries: Vec<CacheEntryResponse> = cache
         .list()
         .into_iter()
@@ -500,7 +500,7 @@ async fn list_cache(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<CacheEntryRes
 }
 
 async fn flush_cache(State(ctx): State<Arc<ServerCtx>>) -> StatusCode {
-    ctx.cache.lock().unwrap().clear();
+    ctx.cache.write().unwrap().clear();
     StatusCode::NO_CONTENT
 }
 
@@ -508,7 +508,7 @@ async fn flush_cache_domain(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> StatusCode {
-    ctx.cache.lock().unwrap().remove(&domain);
+    ctx.cache.write().unwrap().remove(&domain);
     StatusCode::NO_CONTENT
 }
 
@@ -519,7 +519,7 @@ async fn health() -> Json<serde_json::Value> {
 // --- Blocking handlers ---
 
 async fn blocking_stats(State(ctx): State<Arc<ServerCtx>>) -> Json<serde_json::Value> {
-    let stats = ctx.blocklist.lock().unwrap().stats();
+    let stats = ctx.blocklist.read().unwrap().stats();
     Json(serde_json::json!({
         "enabled": stats.enabled,
         "paused": stats.paused,
@@ -539,7 +539,7 @@ async fn blocking_toggle(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<BlockingToggleRequest>,
 ) -> Json<serde_json::Value> {
-    ctx.blocklist.lock().unwrap().set_enabled(req.enabled);
+    ctx.blocklist.write().unwrap().set_enabled(req.enabled);
     Json(serde_json::json!({ "enabled": req.enabled }))
 }
 
@@ -557,12 +557,12 @@ async fn blocking_pause(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<BlockingPauseRequest>,
 ) -> Json<serde_json::Value> {
-    ctx.blocklist.lock().unwrap().pause(req.minutes * 60);
+    ctx.blocklist.write().unwrap().pause(req.minutes * 60);
     Json(serde_json::json!({ "paused_minutes": req.minutes }))
 }
 
 async fn blocking_unpause(State(ctx): State<Arc<ServerCtx>>) -> Json<serde_json::Value> {
-    ctx.blocklist.lock().unwrap().unpause();
+    ctx.blocklist.write().unwrap().unpause();
     Json(serde_json::json!({ "paused": false }))
 }
 
@@ -570,12 +570,12 @@ async fn blocking_check(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> Json<crate::blocklist::BlockCheckResult> {
-    let result = ctx.blocklist.lock().unwrap().check(&domain);
+    let result = ctx.blocklist.read().unwrap().check(&domain);
     Json(result)
 }
 
 async fn blocking_allowlist(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<String>> {
-    let list = ctx.blocklist.lock().unwrap().allowlist();
+    let list = ctx.blocklist.read().unwrap().allowlist();
     Json(list)
 }
 
@@ -588,7 +588,7 @@ async fn blocking_allowlist_add(
     State(ctx): State<Arc<ServerCtx>>,
     Json(req): Json<AllowlistRequest>,
 ) -> (StatusCode, Json<serde_json::Value>) {
-    ctx.blocklist.lock().unwrap().add_to_allowlist(&req.domain);
+    ctx.blocklist.write().unwrap().add_to_allowlist(&req.domain);
     (
         StatusCode::CREATED,
         Json(serde_json::json!({ "allowed": req.domain })),
@@ -599,7 +599,12 @@ async fn blocking_allowlist_remove(
     State(ctx): State<Arc<ServerCtx>>,
     Path(domain): Path<String>,
 ) -> StatusCode {
-    if ctx.blocklist.lock().unwrap().remove_from_allowlist(&domain) {
+    if ctx
+        .blocklist
+        .write()
+        .unwrap()
+        .remove_from_allowlist(&domain)
+    {
         StatusCode::NO_CONTENT
     } else {
         StatusCode::NOT_FOUND
diff --git a/src/cache.rs b/src/cache.rs
index 0586bc9..decde82 100644
--- a/src/cache.rs
+++ b/src/cache.rs
@@ -19,7 +19,6 @@ pub struct DnsCache {
     max_entries: usize,
     min_ttl: u32,
     max_ttl: u32,
-    query_count: u64,
 }
 
 impl DnsCache {
@@ -30,29 +29,16 @@ impl DnsCache {
             max_entries,
             min_ttl,
             max_ttl,
-            query_count: 0,
         }
     }
 
-    pub fn lookup(&mut self, domain: &str, qtype: QueryType) -> Option<DnsPacket> {
-        self.query_count += 1;
-
-        if self.query_count.is_multiple_of(1000) {
-            self.evict_expired();
-        }
-
+    /// Read-only lookup — expired entries are left in place (cleaned up on insert).
+    pub fn lookup(&self, domain: &str, qtype: QueryType) -> Option<DnsPacket> {
         let type_map = self.entries.get(domain)?;
         let entry = type_map.get(&qtype)?;
 
         let elapsed = entry.inserted_at.elapsed();
         if elapsed >= entry.ttl {
-            // Expired: remove this entry
-            let type_map = self.entries.get_mut(domain).unwrap();
-            type_map.remove(&qtype);
-            self.entry_count -= 1;
-            if type_map.is_empty() {
-                self.entries.remove(domain);
-            }
             return None;
         }
 
diff --git a/src/ctx.rs b/src/ctx.rs
index 925ab4a..80b9226 100644
--- a/src/ctx.rs
+++ b/src/ctx.rs
@@ -1,6 +1,6 @@
 use std::net::SocketAddr;
 use std::path::PathBuf;
-use std::sync::Mutex;
+use std::sync::{Mutex, RwLock};
 use std::time::{Duration, Instant, SystemTime};
 
 use arc_swap::ArcSwap;
@@ -27,10 +27,10 @@ use crate::system_dns::ForwardingRule;
 pub struct ServerCtx {
     pub socket: UdpSocket,
     pub zone_map: ZoneMap,
-    pub cache: Mutex<DnsCache>,
+    pub cache: RwLock<DnsCache>,
     pub stats: Mutex<ServerStats>,
-    pub overrides: Mutex<OverrideStore>,
-    pub blocklist: Mutex<BlocklistStore>,
+    pub overrides: RwLock<OverrideStore>,
+    pub blocklist: RwLock<BlocklistStore>,
     pub query_log: Mutex<QueryLog>,
     pub services: Mutex<ServiceStore>,
     pub lan_peers: Mutex<PeerStore>,
@@ -73,7 +73,7 @@ pub async fn handle_query(
     // Pipeline: overrides -> .tld interception -> blocklist -> local zones -> cache -> upstream
     // Each lock is scoped to avoid holding MutexGuard across await points.
     let (response, path) = {
-        let override_record = ctx.overrides.lock().unwrap().lookup(&qname);
+        let override_record = ctx.overrides.read().unwrap().lookup(&qname);
         if let Some(record) = override_record {
             let mut resp = DnsPacket::response_from(&query, ResultCode::NOERROR);
             resp.answers.push(record);
@@ -116,7 +116,7 @@ pub async fn handle_query(
                 }),
             }
             (resp, QueryPath::Local)
-        } else if ctx.blocklist.lock().unwrap().is_blocked(&qname) {
+        } else if ctx.blocklist.read().unwrap().is_blocked(&qname) {
             let mut resp = DnsPacket::response_from(&query, ResultCode::NOERROR);
             match qtype {
                 QueryType::AAAA => resp.answers.push(DnsRecord::AAAA {
@@ -136,7 +136,7 @@ pub async fn handle_query(
             resp.answers = records.clone();
             (resp, QueryPath::Local)
         } else {
-            let cached = ctx.cache.lock().unwrap().lookup(&qname, qtype);
+            let cached = ctx.cache.read().unwrap().lookup(&qname, qtype);
             if let Some(cached) = cached {
                 let mut resp = cached;
                 resp.header.id = query.header.id;
@@ -149,7 +149,7 @@ pub async fn handle_query(
                     };
                 match forward_query(&query, &upstream, ctx.timeout).await {
                     Ok(resp) => {
-                        ctx.cache.lock().unwrap().insert(&qname, qtype, &resp);
+                        ctx.cache.write().unwrap().insert(&qname, qtype, &resp);
                         (resp, QueryPath::Forwarded)
                     }
                     Err(e) => {
diff --git a/src/main.rs b/src/main.rs
index 8e23e78..7e739aa 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,5 @@
 use std::net::SocketAddr;
-use std::sync::{Arc, Mutex};
+use std::sync::{Arc, Mutex, RwLock};
 use std::time::Duration;
 
 use arc_swap::ArcSwap;
@@ -170,14 +170,14 @@ async fn main() -> numa::Result<()> {
     let ctx = Arc::new(ServerCtx {
         socket: UdpSocket::bind(&config.server.bind_addr).await?,
         zone_map: build_zone_map(&config.zones)?,
-        cache: Mutex::new(DnsCache::new(
+        cache: RwLock::new(DnsCache::new(
             config.cache.max_entries,
             config.cache.min_ttl,
             config.cache.max_ttl,
         )),
         stats: Mutex::new(ServerStats::new()),
-        overrides: Mutex::new(OverrideStore::new()),
-        blocklist: Mutex::new(blocklist),
+        overrides: RwLock::new(OverrideStore::new()),
+        blocklist: RwLock::new(blocklist),
         query_log: Mutex::new(QueryLog::new(1000)),
         services: Mutex::new(service_store),
         lan_peers: Mutex::new(numa::lan::PeerStore::new(config.lan.peer_timeout_secs)),
@@ -541,7 +541,7 @@ async fn load_blocklists(ctx: &ServerCtx, lists: &[String]) {
 
     // Swap under lock — sub-microsecond
     ctx.blocklist
-        .lock()
+        .write()
         .unwrap()
         .swap_domains(all_domains, sources);
     info!(
diff --git a/src/override_store.rs b/src/override_store.rs
index a1c7bf8..2ae671c 100644
--- a/src/override_store.rs
+++ b/src/override_store.rs
@@ -64,6 +64,9 @@ impl OverrideStore {
         ttl: u32,
         duration_secs: Option<u64>,
     ) -> Result<QueryType> {
+        // Clean up expired entries on write
+        self.entries.retain(|_, e| !e.is_expired());
+
         let domain_lower = domain.to_lowercase();
         let (qtype, record) = parse_target(&domain_lower, target, ttl)?;
 
@@ -84,10 +87,10 @@ impl OverrideStore {
     }
 
     /// Hot path: assumes `domain` is already lowercased (the parser does this).
-    pub fn lookup(&mut self, domain: &str) -> Option<DnsRecord> {
+    /// Read-only — expired entries are left in place (cleaned up on write operations).
+    pub fn lookup(&self, domain: &str) -> Option<DnsRecord> {
         let entry = self.entries.get(domain)?;
         if entry.is_expired() {
-            self.entries.remove(domain);
             return None;
         }
         Some(entry.record.clone())
diff --git a/src/packet.rs b/src/packet.rs
index bca60c2..2c4c85a 100644
--- a/src/packet.rs
+++ b/src/packet.rs
@@ -46,7 +46,7 @@ impl DnsPacket {
         result.header.read(buffer)?;
 
         for _ in 0..result.header.questions {
-            let mut question = DnsQuestion::new("".to_string(), QueryType::UNKNOWN(0));
+            let mut question = DnsQuestion::new(String::with_capacity(64), QueryType::UNKNOWN(0));
             question.read(buffer)?;
             result.questions.push(question);
         }
@@ -68,34 +68,36 @@ impl DnsPacket {
     }
 
     pub fn write(&self, buffer: &mut BytePacketBuffer) -> Result<()> {
-        // Filter out UNKNOWN records (e.g. EDNS OPT) that we can't re-serialize
-        let answers: Vec<_> = self.answers.iter().filter(|r| !r.is_unknown()).collect();
-        let authorities: Vec<_> = self
-            .authorities
-            .iter()
-            .filter(|r| !r.is_unknown())
-            .collect();
-        let resources: Vec<_> = self.resources.iter().filter(|r| !r.is_unknown()).collect();
+        // Count known records without allocating filter Vecs
+        let answer_count = self.answers.iter().filter(|r| !r.is_unknown()).count() as u16;
+        let auth_count = self.authorities.iter().filter(|r| !r.is_unknown()).count() as u16;
+        let res_count = self.resources.iter().filter(|r| !r.is_unknown()).count() as u16;
 
         let mut header = self.header.clone();
         header.questions = self.questions.len() as u16;
-        header.answers = answers.len() as u16;
-        header.authoritative_entries = authorities.len() as u16;
-        header.resource_entries = resources.len() as u16;
+        header.answers = answer_count;
+        header.authoritative_entries = auth_count;
+        header.resource_entries = res_count;
 
         header.write(buffer)?;
 
         for question in &self.questions {
             question.write(buffer)?;
         }
-        for rec in answers {
-            rec.write(buffer)?;
+        for rec in &self.answers {
+            if !rec.is_unknown() {
+                rec.write(buffer)?;
+            }
         }
-        for rec in authorities {
-            rec.write(buffer)?;
+        for rec in &self.authorities {
+            if !rec.is_unknown() {
+                rec.write(buffer)?;
+            }
         }
-        for rec in resources {
-            rec.write(buffer)?;
+        for rec in &self.resources {
+            if !rec.is_unknown() {
+                rec.write(buffer)?;
+            }
         }
 
         Ok(())
diff --git a/src/record.rs b/src/record.rs
index f525cbb..b7522dc 100644
--- a/src/record.rs
+++ b/src/record.rs
@@ -70,7 +70,7 @@ impl DnsRecord {
     }
 
     pub fn read(buffer: &mut BytePacketBuffer) -> Result<DnsRecord> {
-        let mut domain = String::new();
+        let mut domain = String::with_capacity(64);
         buffer.read_qname(&mut domain)?;
 
         let qtype_num = buffer.read_u16()?;
@@ -110,7 +110,7 @@ impl DnsRecord {
                 Ok(DnsRecord::AAAA { domain, addr, ttl })
             }
             QueryType::NS => {
-                let mut ns = String::new();
+                let mut ns = String::with_capacity(64);
                 buffer.read_qname(&mut ns)?;
 
                 Ok(DnsRecord::NS {
@@ -120,7 +120,7 @@ impl DnsRecord {
                 })
             }
             QueryType::CNAME => {
-                let mut cname = String::new();
+                let mut cname = String::with_capacity(64);
                 buffer.read_qname(&mut cname)?;
 
                 Ok(DnsRecord::CNAME {
@@ -131,7 +131,7 @@ impl DnsRecord {
             }
             QueryType::MX => {
                 let priority = buffer.read_u16()?;
-                let mut mx = String::new();
+                let mut mx = String::with_capacity(64);
                 buffer.read_qname(&mut mx)?;
 
                 Ok(DnsRecord::MX {
-- 
2.34.1


From bb7e33619a6bc7136114d15743cfca42012078c5 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu <ssaricu@gmail.com>
Date: Fri, 27 Mar 2026 02:01:43 +0200
Subject: [PATCH 5/5] feat: self-host fonts, styled block page, wildcard TLS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fonts:
- Replace Google Fonts CDN with self-hosted woff2 (73KB, 5 files)
- Serve fonts from API server via include_bytes! (dashboard works offline)
- Proxy error pages use system fonts (zero external deps when DNS is broken)
- Fix Instrument Serif font-weight: use 400 (only available weight) instead of synthetic bold 600/700

Proxy:
- Styled "Blocked by Numa" page when blocked domain hits the proxy (was confusing "not a .numa domain" error)
- Extract shared error_page() template for 403 + 404 pages (deduplicate ~160 lines of CSS)

TLS:
- Add wildcard SAN *.numa to cert — unregistered .numa domains get valid HTTPS (styled 404 without cert warning)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 blog/dns-from-scratch.md                      |  49 +----
 site/blog-template.html                       |   8 +-
 site/blog/dns-from-scratch.html               | 184 ++++++------------
 site/blog/index.html                          |   8 +-
 site/dashboard.html                           |   4 +-
 site/fonts/dm-sans-italic-latin.woff2         | Bin 0 -> 15172 bytes
 site/fonts/dm-sans-latin.woff2                | Bin 0 -> 31312 bytes
 site/fonts/fonts.css                          |  36 ++++
 .../fonts/instrument-serif-italic-latin.woff2 | Bin 0 -> 8444 bytes
 site/fonts/instrument-serif-latin.woff2       | Bin 0 -> 7828 bytes
 site/fonts/jetbrains-mono-latin.woff2         | Bin 0 -> 11596 bytes
 site/index.html                               |  14 +-
 src/api.rs                                    |  48 +++++
 src/proxy.rs                                  | 155 +++++++++------
 src/tls.rs                                    |   9 +-
 15 files changed, 265 insertions(+), 250 deletions(-)
 create mode 100644 site/fonts/dm-sans-italic-latin.woff2
 create mode 100644 site/fonts/dm-sans-latin.woff2
 create mode 100644 site/fonts/fonts.css
 create mode 100644 site/fonts/instrument-serif-italic-latin.woff2
 create mode 100644 site/fonts/instrument-serif-latin.woff2
 create mode 100644 site/fonts/jetbrains-mono-latin.woff2

diff --git a/blog/dns-from-scratch.md b/blog/dns-from-scratch.md
index ebd6993..0959fc7 100644
--- a/blog/dns-from-scratch.md
+++ b/blog/dns-from-scratch.md
@@ -232,25 +232,9 @@ pub fn lookup(&mut self, domain: &str, qtype: QueryType) -> Option<DnsPacket> {
 
 No background thread. No timer. Entries expire lazily. The cache stays consistent because every consumer sees the adjusted TTL.
 
-## Async per-query with tokio
+## The resolution pipeline
 
-Each incoming UDP packet spawns a tokio task. The main loop never blocks:
-
-```rust
-loop {
-    let mut buffer = BytePacketBuffer::new();
-    let (_, src_addr) = socket.recv_from(&mut buffer.buf).await?;
-
-    let ctx = Arc::clone(&ctx);
-    tokio::spawn(async move {
-        if let Err(e) = handle_query(buffer, src_addr, &ctx).await {
-            error!("{} | HANDLER ERROR | {}", src_addr, e);
-        }
-    });
-}
-```
-
-Each `handle_query` walks a pipeline. This is the part where "from scratch" pays off — every step is just a function that either returns a response or says "not my problem, pass it on":
+Each incoming UDP packet spawns a tokio task. Each task walks a deterministic pipeline — every step either answers or passes to the next:
 
 ```
                      ┌─────────────────────────────────────────────────────┐
@@ -266,12 +250,9 @@ Each `handle_query` walks a pipeline. This is the part where "from scratch" pays
     │       after N min)   proxy+TLS)                 records)  adjusted) (encrypted)
     │
     └──→ Each step either answers or passes to the next.
-         Adding a feature = inserting a function into this chain.
 ```
 
-Want conditional forwarding for Tailscale? Insert a step before the upstream that checks the domain suffix. Want to override `api.example.com` for 5 minutes while debugging? Insert an entry in the overrides step — it auto-expires and the domain goes back to resolving normally. A DNS library would have hidden this pipeline behind an opaque `resolve()` call.
-
-This is one of those cases where Rust + tokio makes things almost embarrassingly simple. In a synchronous resolver, you'd need a thread pool or hand-rolled event loop. Here, each query is a lightweight future. A slow upstream query doesn't block anything — other queries keep flowing.
+This is where "from scratch" pays off. Want conditional forwarding for Tailscale? Insert a step before the upstream. Want to override `api.example.com` for 5 minutes while debugging? Add an entry in the overrides step — it auto-expires. A DNS library would have hidden this pipeline behind an opaque `resolve()` call.
 
 ## DNS-over-HTTPS: the "wait, that's it?" moment
 
@@ -316,37 +297,21 @@ If the configured address starts with `https://`, it's DoH. Otherwise, plain UDP
 
 ## "Why not just use dnsmasq + nginx + mkcert?"
 
-Fair question — I got this a lot when I first [posted about Numa](https://www.reddit.com/r/programare/). And the answer is: you absolutely can. Those are mature, battle-tested tools.
-
-The difference is integration. With dnsmasq + nginx + mkcert, you're configuring three tools: DNS resolution, reverse proxy rules, and certificate generation. Each has its own config format, its own lifecycle, its own failure modes. Numa puts the DNS record, the reverse proxy, and the TLS cert behind a single API call:
+You absolutely can — those are mature, battle-tested tools. The difference is integration: with dnsmasq + nginx + mkcert, you're configuring three tools with three config formats. Numa puts the DNS record, reverse proxy, and TLS cert behind one API call:
 
 ```bash
 curl -X POST localhost:5380/services -d '{"name":"frontend","target_port":5173}'
 ```
 
-That creates the DNS entry, generates a TLS certificate with the correct SAN, and starts proxying — including WebSocket upgrade for Vite HMR. One command, no config files.
-
-There's also a distinction people miss: **mkcert and certbot solve different problems.** Certbot issues certificates for public domains via Let's Encrypt — it needs DNS validation or an open port 80. Numa generates certificates for `.numa` domains that don't exist publicly. You can't get a Let's Encrypt cert for `frontend.numa`. They're complementary, not alternatives.
-
-Someone on Reddit told me the real value is "TLS termination + reverse proxy, simple to install, for developers — stop there." Honestly, they might be right about focus. But DNS is the foundation the proxy sits on, and having full control over the resolution pipeline is what makes auto-revert overrides and LAN discovery possible. Sometimes the "unnecessary" part is what makes the interesting part work.
-
-## The blocklist memory problem
-
-Numa's ad blocking loads the [Hagezi Pro](https://github.com/hagezi/dns-blocklists) list at startup — ~385,000 domains stored in a `HashSet<String>`. This works, but it consumes ~30MB of memory. For a laptop DNS proxy, that's fine. For embedded devices or a future where you want to run Numa on a router, it's too much.
-
-The obvious optimization is a **Bloom filter** — a probabilistic data structure that can tell you "definitely not in the set" or "probably in the set" using a fraction of the memory. A Bloom filter for 385K domains with a 0.1% false positive rate would use ~700KB instead of 30MB. The false positives (0.1% of queries hitting domains not in the list) would be blocked unnecessarily, which is acceptable for ad blocking.
-
-I haven't implemented this yet — the `HashSet` is simple, correct, and 30MB is nothing on a laptop. But if Numa ever needs to run on a router or a Raspberry Pi, this is the first optimization I'd reach for.
+That creates the DNS entry, generates a TLS certificate, and starts proxying — including WebSocket upgrade for Vite HMR. One command, no config files. Having full control over the resolution pipeline is what makes auto-revert overrides and LAN discovery possible.
 
 ## What I learned
 
 **DNS is a 40-year-old protocol that works remarkably well.** The wire format is tight, the caching model is elegant, and the hierarchical delegation system has scaled to billions of queries per day. The things people complain about (DNSSEC complexity, lack of encryption) are extensions bolted on decades later, not flaws in the original design.
 
-**"From scratch" gives you full control.** When I wanted to add ephemeral overrides that auto-revert, it was trivial — just a new step in the resolution pipeline. Conditional forwarding for Tailscale/VPN? Another step. Every feature is a function that takes a query and returns either a response or "pass to the next stage." A DNS library would have hidden this pipeline.
+**The hard parts aren't where you'd expect.** Parsing the wire protocol was straightforward (RFC 1035 is well-written). The hard parts were: browsers rejecting wildcard certs under single-label TLDs, macOS resolver quirks (`scutil` vs `/etc/resolv.conf`), and getting multiple processes to bind the same multicast port (`SO_REUSEPORT` on macOS, `SO_REUSEADDR` on Linux).
 
-**The hard parts aren't where you'd expect.** Parsing the wire protocol was straightforward (RFC 1035 is well-written). The hard parts were: browsers rejecting wildcard certs under single-label TLDs (`*.numa` fails — you need per-service SANs), macOS resolver quirks (scutil vs /etc/resolv.conf), and getting multiple processes to bind the same multicast port (`SO_REUSEPORT` on macOS, `SO_REUSEADDR` on Linux).
-
-**Terminology will get you roasted.** I initially called Numa a "DNS resolver" and got corrected on Reddit — it's a forwarding resolver (DNS proxy). It doesn't walk the delegation chain from root servers; it forwards to an upstream. The distinction matters to people who work with DNS for a living, and being sloppy about it cost me credibility in my first community posts. If you're building in a domain with established terminology, learn the vocabulary before you show up.
+**Learn the vocabulary before you show up.** I initially called Numa a "DNS resolver" and got corrected — it's a forwarding resolver. The distinction matters to people who work with DNS professionally, and being sloppy about it cost me credibility in my first community posts.
 
 ## What's next
 
diff --git a/site/blog-template.html b/site/blog-template.html
index 61bdb3b..0275c1f 100644
--- a/site/blog-template.html
+++ b/site/blog-template.html
@@ -5,9 +5,7 @@
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>$title$ — Numa</title>
 <meta name="description" content="$description$">
-<link rel="preconnect" href="https://fonts.googleapis.com">
-<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="/fonts/fonts.css">
 <style>
 *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
 
@@ -73,7 +71,7 @@ body::before {
 .blog-nav .wordmark {
   font-family: var(--font-display);
   font-size: 1.4rem;
-  font-weight: 700;
+  font-weight: 400;
   color: var(--text-primary);
   text-decoration: none;
   letter-spacing: -0.02em;
@@ -101,7 +99,7 @@ body::before {
 
 .article-header h1 {
   font-family: var(--font-display);
-  font-weight: 600;
+  font-weight: 400;
   font-size: clamp(2rem, 5vw, 3rem);
   line-height: 1.15;
   margin-bottom: 1rem;
diff --git a/site/blog/dns-from-scratch.html b/site/blog/dns-from-scratch.html
index affdfbf..39f857f 100644
--- a/site/blog/dns-from-scratch.html
+++ b/site/blog/dns-from-scratch.html
@@ -7,9 +7,7 @@
 <meta name="description" content="How DNS actually works at the wire
 level — label compression, TTL tricks, DoH, and what surprised me
 building a resolver with zero DNS libraries.">
-<link rel="preconnect" href="https://fonts.googleapis.com">
-<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="/fonts/fonts.css">
 <style>
 *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
 
@@ -75,7 +73,7 @@ body::before {
 .blog-nav .wordmark {
   font-family: var(--font-display);
   font-size: 1.4rem;
-  font-weight: 700;
+  font-weight: 400;
   color: var(--text-primary);
   text-decoration: none;
   letter-spacing: -0.02em;
@@ -103,7 +101,7 @@ body::before {
 
 .article-header h1 {
   font-family: var(--font-display);
-  font-weight: 600;
+  font-weight: 400;
   font-size: clamp(2rem, 5vw, 3rem);
   line-height: 1.15;
   margin-bottom: 1rem;
@@ -522,24 +520,10 @@ class="sourceCode rust"><code class="sourceCode rust"><span id="cb12-1"><a href=
 <span id="cb12-17"><a href="#cb12-17" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
 <p>No background thread. No timer. Entries expire lazily. The cache
 stays consistent because every consumer sees the adjusted TTL.</p>
-<h2 id="async-per-query-with-tokio">Async per-query with tokio</h2>
-<p>Each incoming UDP packet spawns a tokio task. The main loop never
-blocks:</p>
-<div class="sourceCode" id="cb13"><pre
-class="sourceCode rust"><code class="sourceCode rust"><span id="cb13-1"><a href="#cb13-1" aria-hidden="true" tabindex="-1"></a><span class="cf">loop</span> <span class="op">{</span></span>
-<span id="cb13-2"><a href="#cb13-2" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>new()<span class="op">;</span></span>
-<span id="cb13-3"><a href="#cb13-3" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> (_<span class="op">,</span> src_addr) <span class="op">=</span> socket<span class="op">.</span>recv_from(<span class="op">&amp;</span><span class="kw">mut</span> buffer<span class="op">.</span>buf)<span class="op">.</span><span class="kw">await</span><span class="op">?;</span></span>
-<span id="cb13-4"><a href="#cb13-4" aria-hidden="true" tabindex="-1"></a></span>
-<span id="cb13-5"><a href="#cb13-5" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> ctx <span class="op">=</span> <span class="pp">Arc::</span>clone(<span class="op">&amp;</span>ctx)<span class="op">;</span></span>
-<span id="cb13-6"><a href="#cb13-6" aria-hidden="true" tabindex="-1"></a>    <span class="pp">tokio::</span>spawn(<span class="kw">async</span> <span class="kw">move</span> <span class="op">{</span></span>
-<span id="cb13-7"><a href="#cb13-7" aria-hidden="true" tabindex="-1"></a>        <span class="cf">if</span> <span class="kw">let</span> <span class="cn">Err</span>(e) <span class="op">=</span> handle_query(buffer<span class="op">,</span> src_addr<span class="op">,</span> <span class="op">&amp;</span>ctx)<span class="op">.</span><span class="kw">await</span> <span class="op">{</span></span>
-<span id="cb13-8"><a href="#cb13-8" aria-hidden="true" tabindex="-1"></a>            <span class="pp">error!</span>(<span class="st">&quot;{} | HANDLER ERROR | {}&quot;</span><span class="op">,</span> src_addr<span class="op">,</span> e)<span class="op">;</span></span>
-<span id="cb13-9"><a href="#cb13-9" aria-hidden="true" tabindex="-1"></a>        <span class="op">}</span></span>
-<span id="cb13-10"><a href="#cb13-10" aria-hidden="true" tabindex="-1"></a>    <span class="op">}</span>)<span class="op">;</span></span>
-<span id="cb13-11"><a href="#cb13-11" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
-<p>Each <code>handle_query</code> walks a pipeline. This is the part
-where “from scratch” pays off — every step is just a function that
-either returns a response or says “not my problem, pass it on”:</p>
+<h2 id="the-resolution-pipeline">The resolution pipeline</h2>
+<p>Each incoming UDP packet spawns a tokio task. Each task walks a
+deterministic pipeline — every step either answers or passes to the
+next:</p>
 <pre><code>                     ┌─────────────────────────────────────────────────────┐
                      │              Numa Resolution Pipeline               │
                      └─────────────────────────────────────────────────────┘
@@ -552,19 +536,12 @@ either returns a response or says “not my problem, pass it on”:</p>
     │      (auto-reverts  (reverse      (ad gone)    (static   (TTL      to upstream
     │       after N min)   proxy+TLS)                 records)  adjusted) (encrypted)
     │
-    └──→ Each step either answers or passes to the next.
-         Adding a feature = inserting a function into this chain.</code></pre>
-<p>Want conditional forwarding for Tailscale? Insert a step before the
-upstream that checks the domain suffix. Want to override
-<code>api.example.com</code> for 5 minutes while debugging? Insert an
-entry in the overrides step — it auto-expires and the domain goes back
-to resolving normally. A DNS library would have hidden this pipeline
-behind an opaque <code>resolve()</code> call.</p>
-<p>This is one of those cases where Rust + tokio makes things almost
-embarrassingly simple. In a synchronous resolver, you’d need a thread
-pool or hand-rolled event loop. Here, each query is a lightweight
-future. A slow upstream query doesn’t block anything — other queries
-keep flowing.</p>
+    └──→ Each step either answers or passes to the next.</code></pre>
+<p>This is where “from scratch” pays off. Want conditional forwarding
+for Tailscale? Insert a step before the upstream. Want to override
+<code>api.example.com</code> for 5 minutes while debugging? Add an entry
+in the overrides step — it auto-expires. A DNS library would have hidden
+this pipeline behind an opaque <code>resolve()</code> call.</p>
 <h2 id="dns-over-https-the-wait-thats-it-moment">DNS-over-HTTPS: the
 “wait, that’s it?” moment</h2>
 <p>The most recent addition, and honestly the one that surprised me with
@@ -573,28 +550,28 @@ the exact same DNS wire-format packet you’d send over UDP, POST it to an
 HTTPS endpoint with <code>Content-Type: application/dns-message</code>,
 and parse the response the same way. Same bytes, different
 transport.</p>
-<div class="sourceCode" id="cb15"><pre
-class="sourceCode rust"><code class="sourceCode rust"><span id="cb15-1"><a href="#cb15-1" aria-hidden="true" tabindex="-1"></a><span class="kw">async</span> <span class="kw">fn</span> forward_doh(</span>
-<span id="cb15-2"><a href="#cb15-2" aria-hidden="true" tabindex="-1"></a>    query<span class="op">:</span> <span class="op">&amp;</span>DnsPacket<span class="op">,</span></span>
-<span id="cb15-3"><a href="#cb15-3" aria-hidden="true" tabindex="-1"></a>    url<span class="op">:</span> <span class="op">&amp;</span><span class="dt">str</span><span class="op">,</span></span>
-<span id="cb15-4"><a href="#cb15-4" aria-hidden="true" tabindex="-1"></a>    client<span class="op">:</span> <span class="op">&amp;</span><span class="pp">reqwest::</span>Client<span class="op">,</span></span>
-<span id="cb15-5"><a href="#cb15-5" aria-hidden="true" tabindex="-1"></a>    timeout_duration<span class="op">:</span> Duration<span class="op">,</span></span>
-<span id="cb15-6"><a href="#cb15-6" aria-hidden="true" tabindex="-1"></a>) <span class="op">-&gt;</span> <span class="dt">Result</span><span class="op">&lt;</span>DnsPacket<span class="op">&gt;</span> <span class="op">{</span></span>
-<span id="cb15-7"><a href="#cb15-7" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> send_buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>new()<span class="op">;</span></span>
-<span id="cb15-8"><a href="#cb15-8" aria-hidden="true" tabindex="-1"></a>    query<span class="op">.</span>write(<span class="op">&amp;</span><span class="kw">mut</span> send_buffer)<span class="op">?;</span></span>
-<span id="cb15-9"><a href="#cb15-9" aria-hidden="true" tabindex="-1"></a></span>
-<span id="cb15-10"><a href="#cb15-10" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> resp <span class="op">=</span> timeout(timeout_duration<span class="op">,</span> client</span>
-<span id="cb15-11"><a href="#cb15-11" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>post(url)</span>
-<span id="cb15-12"><a href="#cb15-12" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>header(<span class="st">&quot;content-type&quot;</span><span class="op">,</span> <span class="st">&quot;application/dns-message&quot;</span>)</span>
-<span id="cb15-13"><a href="#cb15-13" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>header(<span class="st">&quot;accept&quot;</span><span class="op">,</span> <span class="st">&quot;application/dns-message&quot;</span>)</span>
-<span id="cb15-14"><a href="#cb15-14" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>body(send_buffer<span class="op">.</span>filled()<span class="op">.</span>to_vec())</span>
-<span id="cb15-15"><a href="#cb15-15" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>send())</span>
-<span id="cb15-16"><a href="#cb15-16" aria-hidden="true" tabindex="-1"></a>    <span class="op">.</span><span class="kw">await</span><span class="op">??.</span>error_for_status()<span class="op">?;</span></span>
-<span id="cb15-17"><a href="#cb15-17" aria-hidden="true" tabindex="-1"></a></span>
-<span id="cb15-18"><a href="#cb15-18" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> bytes <span class="op">=</span> resp<span class="op">.</span>bytes()<span class="op">.</span><span class="kw">await</span><span class="op">?;</span></span>
-<span id="cb15-19"><a href="#cb15-19" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> recv_buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>from_bytes(<span class="op">&amp;</span>bytes)<span class="op">;</span></span>
-<span id="cb15-20"><a href="#cb15-20" aria-hidden="true" tabindex="-1"></a>    <span class="pp">DnsPacket::</span>from_buffer(<span class="op">&amp;</span><span class="kw">mut</span> recv_buffer)</span>
-<span id="cb15-21"><a href="#cb15-21" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<div class="sourceCode" id="cb14"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb14-1"><a href="#cb14-1" aria-hidden="true" tabindex="-1"></a><span class="kw">async</span> <span class="kw">fn</span> forward_doh(</span>
+<span id="cb14-2"><a href="#cb14-2" aria-hidden="true" tabindex="-1"></a>    query<span class="op">:</span> <span class="op">&amp;</span>DnsPacket<span class="op">,</span></span>
+<span id="cb14-3"><a href="#cb14-3" aria-hidden="true" tabindex="-1"></a>    url<span class="op">:</span> <span class="op">&amp;</span><span class="dt">str</span><span class="op">,</span></span>
+<span id="cb14-4"><a href="#cb14-4" aria-hidden="true" tabindex="-1"></a>    client<span class="op">:</span> <span class="op">&amp;</span><span class="pp">reqwest::</span>Client<span class="op">,</span></span>
+<span id="cb14-5"><a href="#cb14-5" aria-hidden="true" tabindex="-1"></a>    timeout_duration<span class="op">:</span> Duration<span class="op">,</span></span>
+<span id="cb14-6"><a href="#cb14-6" aria-hidden="true" tabindex="-1"></a>) <span class="op">-&gt;</span> <span class="dt">Result</span><span class="op">&lt;</span>DnsPacket<span class="op">&gt;</span> <span class="op">{</span></span>
+<span id="cb14-7"><a href="#cb14-7" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> send_buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>new()<span class="op">;</span></span>
+<span id="cb14-8"><a href="#cb14-8" aria-hidden="true" tabindex="-1"></a>    query<span class="op">.</span>write(<span class="op">&amp;</span><span class="kw">mut</span> send_buffer)<span class="op">?;</span></span>
+<span id="cb14-9"><a href="#cb14-9" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb14-10"><a href="#cb14-10" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> resp <span class="op">=</span> timeout(timeout_duration<span class="op">,</span> client</span>
+<span id="cb14-11"><a href="#cb14-11" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>post(url)</span>
+<span id="cb14-12"><a href="#cb14-12" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>header(<span class="st">&quot;content-type&quot;</span><span class="op">,</span> <span class="st">&quot;application/dns-message&quot;</span>)</span>
+<span id="cb14-13"><a href="#cb14-13" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>header(<span class="st">&quot;accept&quot;</span><span class="op">,</span> <span class="st">&quot;application/dns-message&quot;</span>)</span>
+<span id="cb14-14"><a href="#cb14-14" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>body(send_buffer<span class="op">.</span>filled()<span class="op">.</span>to_vec())</span>
+<span id="cb14-15"><a href="#cb14-15" aria-hidden="true" tabindex="-1"></a>        <span class="op">.</span>send())</span>
+<span id="cb14-16"><a href="#cb14-16" aria-hidden="true" tabindex="-1"></a>    <span class="op">.</span><span class="kw">await</span><span class="op">??.</span>error_for_status()<span class="op">?;</span></span>
+<span id="cb14-17"><a href="#cb14-17" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb14-18"><a href="#cb14-18" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> bytes <span class="op">=</span> resp<span class="op">.</span>bytes()<span class="op">.</span><span class="kw">await</span><span class="op">?;</span></span>
+<span id="cb14-19"><a href="#cb14-19" aria-hidden="true" tabindex="-1"></a>    <span class="kw">let</span> <span class="kw">mut</span> recv_buffer <span class="op">=</span> <span class="pp">BytePacketBuffer::</span>from_bytes(<span class="op">&amp;</span>bytes)<span class="op">;</span></span>
+<span id="cb14-20"><a href="#cb14-20" aria-hidden="true" tabindex="-1"></a>    <span class="pp">DnsPacket::</span>from_buffer(<span class="op">&amp;</span><span class="kw">mut</span> recv_buffer)</span>
+<span id="cb14-21"><a href="#cb14-21" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
 <p>The one gotcha that cost me an hour: Quad9 and other DoH providers
 require HTTP/2. My first attempt used HTTP/1.1 and got a cryptic 400 Bad
 Request. Adding the <code>http2</code> feature to reqwest fixed it. The
@@ -603,59 +580,25 @@ the TLS session — ~16ms vs ~50ms for the first query. Free
 performance.</p>
 <p>The <code>Upstream</code> enum dispatches between UDP and DoH based
 on the URL scheme:</p>
-<div class="sourceCode" id="cb16"><pre
-class="sourceCode rust"><code class="sourceCode rust"><span id="cb16-1"><a href="#cb16-1" aria-hidden="true" tabindex="-1"></a><span class="kw">pub</span> <span class="kw">enum</span> Upstream <span class="op">{</span></span>
-<span id="cb16-2"><a href="#cb16-2" aria-hidden="true" tabindex="-1"></a>    Udp(SocketAddr)<span class="op">,</span></span>
-<span id="cb16-3"><a href="#cb16-3" aria-hidden="true" tabindex="-1"></a>    Doh <span class="op">{</span> url<span class="op">:</span> <span class="dt">String</span><span class="op">,</span> client<span class="op">:</span> <span class="pp">reqwest::</span>Client <span class="op">},</span></span>
-<span id="cb16-4"><a href="#cb16-4" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<div class="sourceCode" id="cb15"><pre
+class="sourceCode rust"><code class="sourceCode rust"><span id="cb15-1"><a href="#cb15-1" aria-hidden="true" tabindex="-1"></a><span class="kw">pub</span> <span class="kw">enum</span> Upstream <span class="op">{</span></span>
+<span id="cb15-2"><a href="#cb15-2" aria-hidden="true" tabindex="-1"></a>    Udp(SocketAddr)<span class="op">,</span></span>
+<span id="cb15-3"><a href="#cb15-3" aria-hidden="true" tabindex="-1"></a>    Doh <span class="op">{</span> url<span class="op">:</span> <span class="dt">String</span><span class="op">,</span> client<span class="op">:</span> <span class="pp">reqwest::</span>Client <span class="op">},</span></span>
+<span id="cb15-4"><a href="#cb15-4" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
 <p>If the configured address starts with <code>https://</code>, it’s
 DoH. Otherwise, plain UDP. Simple, no toggles.</p>
 <h2 id="why-not-just-use-dnsmasq-nginx-mkcert">“Why not just use dnsmasq
 + nginx + mkcert?”</h2>
-<p>Fair question — I got this a lot when I first <a
-href="https://www.reddit.com/r/programare/">posted about Numa</a>. And
-the answer is: you absolutely can. Those are mature, battle-tested
-tools.</p>
-<p>The difference is integration. With dnsmasq + nginx + mkcert, you’re
-configuring three tools: DNS resolution, reverse proxy rules, and
-certificate generation. Each has its own config format, its own
-lifecycle, its own failure modes. Numa puts the DNS record, the reverse
-proxy, and the TLS cert behind a single API call:</p>
-<div class="sourceCode" id="cb17"><pre
-class="sourceCode bash"><code class="sourceCode bash"><span id="cb17-1"><a href="#cb17-1" aria-hidden="true" tabindex="-1"></a><span class="ex">curl</span> <span class="at">-X</span> POST localhost:5380/services <span class="at">-d</span> <span class="st">&#39;{&quot;name&quot;:&quot;frontend&quot;,&quot;target_port&quot;:5173}&#39;</span></span></code></pre></div>
-<p>That creates the DNS entry, generates a TLS certificate with the
-correct SAN, and starts proxying — including WebSocket upgrade for Vite
-HMR. One command, no config files.</p>
-<p>There’s also a distinction people miss: <strong>mkcert and certbot
-solve different problems.</strong> Certbot issues certificates for
-public domains via Let’s Encrypt — it needs DNS validation or an open
-port 80. Numa generates certificates for <code>.numa</code> domains that
-don’t exist publicly. You can’t get a Let’s Encrypt cert for
-<code>frontend.numa</code>. They’re complementary, not alternatives.</p>
-<p>Someone on Reddit told me the real value is “TLS termination +
-reverse proxy, simple to install, for developers — stop there.”
-Honestly, they might be right about focus. But DNS is the foundation the
-proxy sits on, and having full control over the resolution pipeline is
-what makes auto-revert overrides and LAN discovery possible. Sometimes
-the “unnecessary” part is what makes the interesting part work.</p>
-<h2 id="the-blocklist-memory-problem">The blocklist memory problem</h2>
-<p>Numa’s ad blocking loads the <a
-href="https://github.com/hagezi/dns-blocklists">Hagezi Pro</a> list at
-startup — ~385,000 domains stored in a
-<code>HashSet&lt;String&gt;</code>. This works, but it consumes ~30MB of
-memory. For a laptop DNS proxy, that’s fine. For embedded devices or a
-future where you want to run Numa on a router, it’s too much.</p>
-<p>The obvious optimization is a <strong>Bloom filter</strong> — a
-probabilistic data structure that can tell you “definitely not in the
-set” or “probably in the set” using a fraction of the memory. A Bloom
-filter for 385K domains with a 0.1% false positive rate would use ~700KB
-instead of 30MB. The false positives (0.1% of queries hitting domains
-not in the list) would be blocked unnecessarily, which is acceptable for
-ad blocking.</p>
-<p>I haven’t implemented this yet — the <code>HashSet</code> is simple,
-correct, and 30MB is nothing on a laptop. But if Numa ever needs to run
-on a router or a Raspberry Pi, this is the first optimization I’d reach
-for.</p>
+<p>You absolutely can — those are mature, battle-tested tools. The
+difference is integration: with dnsmasq + nginx + mkcert, you’re
+configuring three tools with three config formats. Numa puts the DNS
+record, reverse proxy, and TLS cert behind one API call:</p>
+<div class="sourceCode" id="cb16"><pre
+class="sourceCode bash"><code class="sourceCode bash"><span id="cb16-1"><a href="#cb16-1" aria-hidden="true" tabindex="-1"></a><span class="ex">curl</span> <span class="at">-X</span> POST localhost:5380/services <span class="at">-d</span> <span class="st">&#39;{&quot;name&quot;:&quot;frontend&quot;,&quot;target_port&quot;:5173}&#39;</span></span></code></pre></div>
+<p>That creates the DNS entry, generates a TLS certificate, and starts
+proxying — including WebSocket upgrade for Vite HMR. One command, no
+config files. Having full control over the resolution pipeline is what
+makes auto-revert overrides and LAN discovery possible.</p>
 <h2 id="what-i-learned">What I learned</h2>
 <p><strong>DNS is a 40-year-old protocol that works remarkably
 well.</strong> The wire format is tight, the caching model is elegant,
@@ -663,27 +606,18 @@ and the hierarchical delegation system has scaled to billions of queries
 per day. The things people complain about (DNSSEC complexity, lack of
 encryption) are extensions bolted on decades later, not flaws in the
 original design.</p>
-<p><strong>“From scratch” gives you full control.</strong> When I wanted
-to add ephemeral overrides that auto-revert, it was trivial — just a new
-step in the resolution pipeline. Conditional forwarding for
-Tailscale/VPN? Another step. Every feature is a function that takes a
-query and returns either a response or “pass to the next stage.” A DNS
-library would have hidden this pipeline.</p>
 <p><strong>The hard parts aren’t where you’d expect.</strong> Parsing
 the wire protocol was straightforward (RFC 1035 is well-written). The
 hard parts were: browsers rejecting wildcard certs under single-label
-TLDs (<code>*.numa</code> fails — you need per-service SANs), macOS
-resolver quirks (scutil vs /etc/resolv.conf), and getting multiple
-processes to bind the same multicast port (<code>SO_REUSEPORT</code> on
-macOS, <code>SO_REUSEADDR</code> on Linux).</p>
-<p><strong>Terminology will get you roasted.</strong> I initially called
-Numa a “DNS resolver” and got corrected on Reddit — it’s a forwarding
-resolver (DNS proxy). It doesn’t walk the delegation chain from root
-servers; it forwards to an upstream. The distinction matters to people
-who work with DNS for a living, and being sloppy about it cost me
-credibility in my first community posts. If you’re building in a domain
-with established terminology, learn the vocabulary before you show
-up.</p>
+TLDs, macOS resolver quirks (<code>scutil</code> vs
+<code>/etc/resolv.conf</code>), and getting multiple processes to bind
+the same multicast port (<code>SO_REUSEPORT</code> on macOS,
+<code>SO_REUSEADDR</code> on Linux).</p>
+<p><strong>Learn the vocabulary before you show up.</strong> I initially
+called Numa a “DNS resolver” and got corrected — it’s a forwarding
+resolver. The distinction matters to people who work with DNS
+professionally, and being sloppy about it cost me credibility in my
+first community posts.</p>
 <h2 id="whats-next">What’s next</h2>
 <p>Numa is at v0.5.0 with DNS forwarding, caching, ad blocking,
 DNS-over-HTTPS, .numa local domains with auto TLS, and LAN service
diff --git a/site/blog/index.html b/site/blog/index.html
index 354dd31..4034054 100644
--- a/site/blog/index.html
+++ b/site/blog/index.html
@@ -5,9 +5,7 @@
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>Blog — Numa</title>
 <meta name="description" content="Technical writing about DNS, Rust, and building infrastructure from scratch.">
-<link rel="preconnect" href="https://fonts.googleapis.com">
-<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="/fonts/fonts.css">
 <style>
 *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
 
@@ -66,7 +64,7 @@ body::before {
 .blog-nav .wordmark {
   font-family: var(--font-display);
   font-size: 1.4rem;
-  font-weight: 700;
+  font-weight: 400;
   color: var(--text-primary);
   text-decoration: none;
   letter-spacing: -0.02em;
@@ -87,7 +85,7 @@ body::before {
 
 .blog-index h1 {
   font-family: var(--font-display);
-  font-weight: 600;
+  font-weight: 400;
   font-size: 2.5rem;
   margin-bottom: 3rem;
 }
diff --git a/site/dashboard.html b/site/dashboard.html
index 348960c..005106e 100644
--- a/site/dashboard.html
+++ b/site/dashboard.html
@@ -4,9 +4,7 @@
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>Numa — Dashboard</title>
-<link rel="preconnect" href="https://fonts.googleapis.com">
-<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:opsz,wght@9..40,400;9..40,500;9..40,600&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="/fonts/fonts.css">
 <style>
 *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
 
diff --git a/site/fonts/dm-sans-italic-latin.woff2 b/site/fonts/dm-sans-italic-latin.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..965dc3e0d62932c2b3670026197d080c695cb36c
GIT binary patch
literal 15172
zcmV-KJG;bpPew8T0RR9106Rng6aWAK0FYDw06NeB0RR9100000000000000000000
z0000Qg+d#)6dZweKS)+VQi6UzO;$ltMh0L%Q&d4zfgmRy0EA30ED;C_&M3fl3xf^-
zFzYk{HUcCAh8P4O1%+}4i&`7DhBaebM#F9g*rHEoZBYap2N)J-%~6yI$_Ls1e?o#9
zGWMVz&!*F?M1n}mcG9Nez^*B#CvKNqoYpnl>Q%azp7hF|lpP3T$#TiTG8?WB_iWUW
z&_$?04UycV()Y|}o$0{g@}_y{Z}Q#m7swWS%{X+M=zs|oNeKu<2~{u^%%&e&9o%{W
z{SP`4hyOM>$`Km-Bp3ewe~sTh_sz_oH{V4fo-Mg$TOA^e5=0vvZ;&Ce7$2UW+n@X1
zHr9->rUp!$2qT060}*gkh=|xorAnw+7==+WtH=*+)epYe80ZhQIb16<$<i_HT?vG)
zt2SRN-@ST;+|3?iXn6jgqjuk$WvhT94s-`^KOQxpsRkIQc{HCWTGDE|_daEUR9H}`
z6eSwrBuf0=r}J|pTgO!0B`K=L5TGhueR(|q`QK;DTGsC1sjWP>Gv@#vNnXiq0I-VE
z**jkN_uT`k4{+;kpJ4MFLOA%z&965wf(`@;MD6oMbk)oA%B+PXD_)&?DQcaTcjda>
z&##%iq{vF05T<GNj^)|9twUK(o8=%(GW0&d%q-#XxUGNM@EBoZCc>yXSrH|&Q6t*C
zYK;07;oXnser7AU4c*aHk9hRbkK2fz+4~BGFcg9>>Fm>!G+=X*4_N&pD4M&fPgU+X
z**&7R0D@%<*dCsLe|I+_7sp3PMPn4gf3s15nM3O=rM`^KhXM$I|F3DiRJV`1*6&AY
z^;2rEr>10Qzy`o!aBHMZdfS#m9*3M@h%g}|7y<goDIsEju?aF}{{L;-+rF83*DLwU
zdn6gdc2Ev_|2f-_H|qdH(Y<+ZB+ckaw!m6Tw)gxoY$C5eNQ<%;<r(eDT9Q8iI>?qk
z5qCMMh`VrwSP_(|$~1kdq@$uL(x!~nTGeEw=p9{ZH}nB2A{z5}9=pE!n&weiLz%|a
z6%MK(C@e#$jKOSYx$~>{`)NHBx71^6qY275AQB~wkn(x$zgGw}!~h@`AZsXS5imhu
z1~U+FAOL}g1c96ifi-&s8X5#noDsNiL*QWm0&hMD`~)BvBpAV95eTBhB8ZoWAW1TU
z6eAIgHX6ZLsR+`fBgmA8pg=K#iOLXEs6a4XC4xETAy{ZJf+dzASYb7SwbmopXd8kZ
zb|ctpKY{}eAvog<f*Lhw)Tu|KMJqHq=zs<R0f<4sM2$N2TC_p{t;YZq3GxOs17!#Z
zC;;^)b>`**2B4EjW?$B~Y&RVAhW+7aj`QbpKX?l<!4we*(jgtO5o65q5l4wq%R=o9
zx(&DKcl^MI9<yOK$%1T|&)mXAPKF>I<iGMs`Kz4FX`bg+zo=2A^|bxlL_2H^Ut^3E
z8SY_0q}Md3h+;~K5GBq5M;vp?j6GlSU1^a(B8i2G6{mql2riE<k1s`4E$-kO{A9g7
zhc-%`QopqA!}6d!E>Fv{r?PWxaLvcvFugImIk~yM!rb2N!R^_d!JX+{aa-OSKOUdB
zmq0lYAi_FfTqx^&Aqsy1M6~DqM_+jD^*7#p>!Xjq_;z!<)ftVavw5%#<0M5wg;d&D
zm+hre8;N#Q)ZTJ4*<7JkZ}jyKOis<rE;Vn0fCB0SQ410T0!W}0hcdp2NrJH8YiSXL
zU;vQzasUDaI{)XSA}oyE4b^*oc_Sp*#U<pcf#bE>jtv$>1KgdN{Idyi@WDik04}WY
zLF2QTa9KJCc$MJr%xZBN8&OC|tA=(P^EH#gIipUYudmygREL23NC;%A2Z;(;^6|YM
zyYc%l00cG&kIQL5ajWn#W4HZ$`S}zmO(~1;NCbFa$U)+QviP6$^z4tbcAe4zZA^<G
zo}!#0r3G=^S)g>%NK$ZHr{9p#HG5Z=)u2P#tg2LTns=I{sAK>c&QcXzi@wFK*}LiT
zN$bf8?bmuO(DYOQQL@6Mmy@i;FDMKD(Nq1A8jmB#RxM5C5Edv|VNrk1DHMgUphxd?
z|EgD4&DsyadM(g|l)92vm;&S?Sz-b1<LqPIRI5&CXIk0H<|#ELfD4kl)Do3w*~h%h
z-@2+s?brIW0IXbDN>Gs8rIx6`_f!vX#NVn(79-IlBu{YZR200AKy6I7CJ;HKd(tR`
z_&ub+;OuFrvvXrD2myQNQK}Z<O1U(sGi#kWv$next=-LywS2U1sJYZP?}MRG&`1@=
zJ7(3E5gyU)_z1ye>q$DlyqM^E7fmLm6BpZ27?y2ch3FJiCAnkN-;5kw+s*7BbVH&Q
zMkU}9l8j2l%lWlxCj<|v@n?YCNqlB$ObiX<9n;gPA4>wOcet0ZH~|{)8QP>Lf_Nno
z8%m9wAS{#{X$_-};fmcf9P-I2?b=M%9dF!81(Z|laTNlkhnrf9S@y}KYFwhp0gq3w
zHjyL`jSj^|Dm^CKE(CWGh8^0CwK{~}hi`V1wIN`I0ei><!{uF911>0KtkJl6Ik(h!
z-f`O)+Tb(3dJhZ;Dc6%oS;@lGSCNdE7&SO{;r$>K1u$hf7B@7YkFudq+OX57VOV69
z343xuX<1E;Q7}QhHn>-ZPt#lKgal35+(S?>eK2S>W)`U$=I%f~p6HE=JI3Y?gJg}s
zsMfU5%yY15Z|*8wItuGsx78FDEBC|pku16kXZnGx%JFS)Zy^b<YEPFK3}N8)R9=;0
zf}c^Ti{4j3&uJ>NOBnagK@F055O=$^Sv2P-sy}+ega}c`$nG>6;6p>ZtwnS_UtQ=j
z!!ZUA%byXizb?oYtBl&sh_SpK=W$L-Uq4VQPc*|}WkyXwJ1zoDj){W7Nkzc=?vE{E
zr~@?V>9Wo-Fr%7{YXEbG9xfyQFf*q}H3Bu(OXCn88JUA!cxvQgaJ(7sYeT=A(GdcD
zJ>KDtjYu!!Jm9p>w`P%?IY8rVmds~Ab44_XSS@^YF##V0WDnjL(S_V+qXaS=Ft7X>
z`d>%BG+oR8Lx>yilt><au^68FXslEqe&(hYF**x2X%QB_vq^b~s+(ZEk(m1qQWes1
zA1m%|f}APwhuqRqsTci35*%h7C$DQ#RG57|H7|YKfWU0xp3x#I66TiH2J|vP9X%sM
zLjG|o7KGjG`|Xxa<-OM6fPe|Sv4RN;9wH>DutJT7zBr@910VbuL<pgT5lJ*d7{*9O
zkxDvQp8J-HLQ0tYYb&q-P6CI34PXN3K%hcnr3s<v0o*sC)t;VmP6o!ZM$QznT`D|u
zvIjzq`Lw{A8~?A@0R=WF-Z5NIYzan4?p}Cd#Zuf*n&?KX-L(>j){yl8GD)OTF>am2
z$Um0)UxdHJ{6G4v)4G?z@4EcU9(=a=dyDwTvv61VOSnFCabG`gccI1-s@eB)oQd`R
zglC>Vq}1;nx72oyaT|SLLaYp{b!!w~+UB1wyI)XPX%DK1`_iyEi!^oQ@aHwXOe&sm
zrw(L7TJh2SB=N}v2cD2)=UqO^(mZuZMz4eke_nZWKKbgRfk)oA&D^ubFKzcOn=tzR
zUFx02&84<pQvG?xIxoT8!%rYDWOi%;iMR5vYeQOBPUZCGOra&85(sQzBP0ts(sf_z
zrz%hJsQVX_>56|mW;40<9AEM2yR#loIsWLG5qJ4B=3)1rkS`~GzB3ciW1%B{=zE@c
zQowvP_xH~8Y2KV~u%CIkJOsLQoRteXB_1@ExNx@R=JPBh$WdX7J$>nq8=iRAdg=Jd
zP!|bmCK@c`y40a&dKeK-6tSN0Q8q~oXN-^k5c``lfQlmkb(d<c1=NO|B?Kdsm!jy}
z>D8`EoCcid6P=VPHybx49)U~}LK?}V15{WWNQ9UcifC0$V;J7&C?LZp67BNQ+(4Vx
zgB%*Xx(b?NvMDEvTJHu;RJxTn-0bwZVjS>5!6`pD<pkIWVZw8c2VlGpV=<!x=C{%)
z9i5(bXb3cXM6eJzcfLJZIM|um5*vI77CweTj1mqMmT-~4KnM>hEC}YJAIU|KH#*&g
z%Lo-BM3_M%hwlnt;Q|M@`5;)p_}I+C)7hS`cm~-)`*HMX{^AF%@d&GDr^LkQ6j)aw
zUnW2@30GM}_^$ziKxW{83m!x)h*^@5Q&6&D%Z{2o4JUnR_2bNiD;;loKKvN?3ouBK
zV1pTj3KK3ulxQ(x#Y-?mq9ns4OIM=IbTd^t;GjbYN<fm~8;t@J6+oTo+st4lvm76`
zy|xw~&|gHr0x_0Iu)!8P?9t#vU$peY1y^)<qsM2Vk1u@T3t!ezRNg0d4jgijL!9Zl
zyq_5O@aH+01XQd)TBHmrx{sEe4_=-dfb?GHMEs&o6%1?PE(5y`H4{|mnwA;^=WQ~|
zp<h$7orY*E(fnP8jCyj^FpjNrS~(iJLy-2RD(r1sn)xD_mS;edy)o}D5mU}MY7=!-
zsEBc&z0^p*9CkQNR&@VL6)N^^j2fc5_*isHV=}kZT>@D!lb-L=zZXt`Dt!5^IK5!8
z?6ttbmjm|b8ZxW>t^R_nvJRE?RC*(Yi8^2b$-_~?1hT8idBRzzy@)fGYatMbsJluL
zC4I7p{>6?>To~efwtcNq=}#K`{D=j#oX}cO7AKhI=9Yt5xK`{BDTBm>^3o-!gM(P|
zsC|8{PC2^^28g@L*3>*~W3BM^jz8jPrSp`*-0Z~&BGIK?fSSemCwxY=eAhN<|GqqJ
zJm=L91pe@{&Vt5Ex2)&i;iI~!p1z?U#b+^;t9sqP^R41)?{(Cz*0x&%zhe!5VI8|v
zqfKhjfH!!Xn>>)WQkN~cur?;hRmmu6FgySVzm<T$C<7b$`r2}NcHK6=+#>#u2dn$X
z*2@ceXIrQD2t6v6U^x@oZvCH{920=1{K+l_$cHL)S5OE3^#6ws3@05>dac9+tSTw{
zXPd)27nrd;6F{8(7W4uMu9em6_;Ac7urH(^KQ{pP-{|XrCjcg-8iBfH`yMuEe+cZe
z(}gPjTT(&Tz{SU$Qo;fGYnfLo5r9ID(GnQ>a$!w`fC3}{0dOFoh_zM%@0tQY3bbRr
z98J9pMZFYpy#!&MC7d(_W~))aQpwQQu>ChiHBD9CLxT)12Ic#Ucta2-xDY@s*iLOS
zBUW;hy9UTd5i?{)P3Fv;6|;JN#>#wbL@wk(3C*C{w)btf+y0yVnpdk2s2kKx_LjZ>
zgXiplaEYy)<SD)U6g5dRc5*iAe?;K|O$)cG|H*!V`j7E5OQsdSHyCl?{{yt4Z-9BV
z_<2M3ety!8`WV6YrvQ9=_&5vr`ZwMV0(_m!i8Dck<yKnlgl1Q{3qTZMAnN}jZU$lb
z^Z#fD7=cC#CPw05EFMyEF%BPT1W0Eohe#%|Y!bOFWRWYNR79bWN-=w7?3A!EiCQUJ
z*2-yAa5A0NOnuGJ&n(U=xtK#|9#?a@nQwr_JS^mC5pPTQSVnItKP&iK#bBi%>kP71
zgl$4?HrPhtwldlz%ofphinmvSBnKorWSE1@Fj|1sf~^;8w<tTr*ky=)675&*6atWk
z0)Yep`yRmDCwShrr?VvlcQz-zy>bEmX7d~_1s*{>3bIZ@SOcyU;#6;>t2k{7F60um
zFkc{{BFM>>5Ql#|q(+siAmCP^uEsnx2Mf96UpG<7M8t3cs3SXT8zo3?>?rTx-)4~p
z)?tX&rzXY8;I;0o9Y(Q)O<X8YO{G{<HH~)Ea17g8sM8`NZdp2(r*t|zOdFCklr<Ga
zp+!E*<zlhcFh<quwBBWE_}t*w!&Seo>5SoIJdfrrGZv$Lebn`uBAT7@urW@^X-(5G
zA=ZOaOVi?)&h;s8qUCW1w|N-EHfU#kL|nrWuJUS^+x1LUbEruzrZ9mTJ_&FDhN?Fj
zVG^%L$!|7w#0jN*(r62<5mPh*{!MG;D|s>KrA#6suDYltXyN3%sTyg`D>Z49UOr#t
zr^=OBxdkAh;J&Bo8{0%_&Rddf1BjbB%x)}4Ml@d;i}5^AKsq{IpKFvjCB97F_r-#=
z%2vAR#jXItOiB-P)$&d$#vkct{Q+Qr#cwKD@0awWQ$rnq+GH&#?g!?F%Kdf}wp^(?
z&*r6B0EUMc^hgrR>}K&t)wa}lM69JF-it}@*0XP$R>7>UuNXX-jDEqR<4t9Zz54X)
z#)r?BjY<mY6?{Hna_HxIeYZqw0w4)oQHjCM&MoAgDpo@a#1+I(epzDXM`(P*UX{Gz
zc5GvVcY(hCnubw`0gGpJ8KlAdS*@>G>qXTf=zuVHb<EH!aG(OvX=hJ0);#&(C-?vN
zVtIU0$BV+$DBAn7_}VYpkajQ0r>N5KYP<pJbuU_XqpM<)DM*dEPdoWV;g{;ZVp+fu
zd0)T%ipl+3;2kEnt;i8sd1Zt#5WDiIGnn;|u$LBrLEQNZ`E{v?G@@uHgLmf@>e$wa
zhzc+;cpXcDP1uk`oLP!Mmxb`lxdLvp*=d@|`2Y69U)~g^To0ciG28i{n%}N1E0b2M
zht-E44>ojRWeU_oPG6Vt)Xh$r{WReH^?b=kPti$*6=xI*s9=IGXK(Au1r`nS{GfrT
zWj{8{r&;Hf&ehTWGWW$tu4ZQCNeA}e3D+^oL@&M_!NX4Ml0n|*IL7pnGH-jO*zG3F
zzvF|h&ZVq1p7;gE@ElKLioaA#wK6f9S{?cF<4whsY9s0h=o)js9_{V&toLoxqwCe2
zm{n^in0;kN9)-Q(jStV4=f{q9%B==Z0^N1Sh=6cJDg|cBMcb}p0V|Q@aik^#8~S9X
zpHd++IvUtTe;-iq7=XIgdQo*BYve3;&c?*dx#AIuv&R9?FSN6@Ad8e_n=~Z%6k>e>
zkJcR8WHG*&&Rgi>tiMBcdUuUPNKg>PUTSc^0-`ISrRkHzBaHlRE!8<&w@M*J!}m}q
z=X)J<p@mb3Z>{ViJ~3_g-S-hHV1^ZmT`s>;<4hraL=4i(&rW~c6U%X`ZPMQYmrM=y
zmGNWe{`Hyo=KR@}^z2*(uE=?5vs>7_I=8gTn0~-n*A_JjR&r12l$L8tqUlCrQkN$a
zw7yIH_`F#dYrcSX*DW#W|K2WjMz`7TI?{CRL3l##K<AZb`iap|D4sU`DUL-~G3BTL
z=BJ90^&&g#2Z4U`t&W5l62Kga2O-`y@*B;?$|Tq9dH9}fd%@r3wu`0s7{oycFT2dj
zFBi`tK4LAOT2i|9E$t|oik4gaURo3HcR7`_5En#xmdB8GdaL{Xs2Go?mK0JypvbKo
zAa=IzpbugPXkb?;-gfY0Mt-4q3*y6;rrDEaF+Y{auj0;men1dvUzj8E2~Qn=%6yaV
z+9SIh)5uZnQ{N29`0&qzc*L0G&oLjf&%3WUW69)iRDbB6ROng3UP!h$#+o7dkYHH%
zmVnAU;%~QMs!5*JE6VgO1veReIZG!IyEYOjC_S<Ltn6~}9G@nRO2-e#K{zkF%Bn6C
z&mrU1^_kSsD(~LowwLA7Qr1Cx7D;+Z5Eg{{m(vKlYm3pbrN;RbH@Fkq<3V<UFNbuo
zR*>*P5PcEi`r$*N$P|jT55t2PBu_P;ez-WGfj72E)*0Cd_@8JUao+Y>B3sI^rGof@
zN#@CFO;OXVvf;?y_+>NMuuS;Pl-u@OAr2%hTpXR7yZ%{tNh!;S<RHz1c{ZC&=%Af6
z&+Z`Wl&h~0F5O79N>x1DK)*MKj7u*vn3q~%RRJ>PIJG{RTvpjLD^W!_FpK!8fQgwL
zVIrweuR++=3AwjJH3JDgww>Pt_$V>1>586r4iVp_rH@y1_GEOCDIJzM)))3%xM8%@
z#|V@%^|1e2#1D*}(vD=gSa@1YVuKo)wf)ummTvsv^BL|$i^B);bBVwlN)i$IVDQ|q
zTbq;mzFL)Txc$vvS6G=&E#zAYD`a?wR>uTBJtS`Md5o#VoM@V!;#%sJl4~5XJmNO^
z9Si4wd-3mTaXu|&GV)Wl60Oo5hkv|W8<|w}ry&V(b0)0@ZN+<E^j__6JmZVSdv`DV
zd4>85B!Tu>y=<=_=DC~k+yjZ$fPFxv4h$FqkO(y<LZUZVbnlWL935O_B_SXQB}@@O
z1?*Tc)q(>N4le6BXP=C1ON000)3Td&96%6z(mjo5f805raxWPB(}aqip7T>yHP5_U
zB6iN6f!XtYmbFz#{OIaxll-0hahNsHtFZYMt?Y)u<KjfXU&gPCtE^qm3U;@M=VhNK
zqh=qGy}6`V-JM%zCr1tL2+^?v5*2OTP3tq-Cf?Bc+J-~4(Mlx;3`BgB^$M%X*IH|p
zxKT~uY@qp<q21hb{QmSTX`yZ%9&q&NDDV{{vgA+!nb=V0#_g$o4Lg-A^#w(wMlJP?
z>LU<e;kdgaJ-uJ#TDK|P<9P{x>0`$%bEACVg(Yl#^N9BbW!7a+45~Mc%Oz+Xv-o^W
zB@MI%XLG$>F@fsXjg3auf+}QwRR0mg2B`FdkHZLB9t@SA`Xh!ViT(oO-%#e<*W&#e
z2QJQ0cAdkuSncxR4SNT5<2SgtSWEcteimJC({WF?|J^hytw~~_z}Mjx_e!cW&DQ_*
zqW7Kef_Q7_YiA$Z&@}C)$m9Sx`6@iuJ!)IG-@fwls&n;GzORGprDRYsci_92vWM3p
zrJsKqwlm=r7sBdeY`Aw1u$6oJ#Q4&T*|izvo)F|i+nDurGo6-?VP1JVy}oW@QmBg5
z*$w9(((BZ2{q>vK+u!AdJ$J00b5Nz25})qbi}L+pPNkyN1jcmo4Q$pgJfDO%0PBoW
zW%fu~qdcqLL2E5Mo5pS!a`vlTXDJ7PeGFk@h-ZiR2ey)n{dRG6Cn%!`GxdU^dlCC2
zXXDIla_I=sDiso5F;I#S*{KAeo*;;CY~lVmg$jyy{dUfHJ_(&jJ|2zb<l=vhgTxmH
zKT`cC<mULn{c&==!8_6sfuwxFGdc=VTFNkB>s8v$P@x<pr#$W%<S>dMuJ}&!#O#+E
z<(>O%XFZEY>8f4KH8l#pU}TmUC?Nhr>YUe>?$<gq#Na_beMt5Gghy=B35kJ)I3&ao
zi$pqFv@k{>0r6&*0sCUaO@fjTS+G&X52@M@J9-usoj;9p8~Jmrzj)z+;V!o#$aRm5
zbgO>#O~@&BU-fIrrx^!z7~5+I1UzLnx^4(nUKOV)AN=E$f9HHYWzA%Z_sQiBp{wtO
z>y>!OxhiRlXN`5OMmDUj<5|yANf&=`AIP(TKY50AlJ*48t|P78vX3H$UA=1C+D*(v
z5qC8Wn#Re&f<S~Byc`|7$H^~4!>+(@f@H<*xLOU@w_mkv+wtm<%(>v-vCso=fQ)2*
zwGC1$PiSE5Pvh*4*}mLb{J-+{45H91q8i#wSJfQX6yE2{imWDl^b;@h`FCWC?7FRS
zB4+~3p-$*(VL|*zRrkrwitoQLdzYy!d<DIeQ>NO|-GRUt_HE#tH}%%w)*VW^*126e
z5mB!R>0r}I1@|9LUHayhw%i-8GMsm=@O&Uz;Nl@sE(FPt(f3YbQq>(j{~Rp3Q_UPJ
z%Du0c#{04v45yj@X5moAb|cqfm}Q)yFPP!mD$IyaN!`u+tvwc6>KDgx?elCSX_sMV
z6U`4D9&!_#DBB@#O=f@ozk4^>-tg<#jqNw0EWZ93SMsbYdDoG?b6`Zz_B{g+C9HjP
zB5-QU{)t8cY?uY|eIIQUW?vjM{!GWtGoKoTRp!nF9_>@jtB(Qp3T3Ic@yGdp$k_<#
zPA5I8$PJ=sbxt`-Ur%;}n)s2|dfi_OTpsIn@1Z&0pn%n-P*G}YZ6$)=?Wa>;tX|ei
zE%s-6JnnF^`uti!w5}WjADg4*-0;6%Wuw21t03k*E$!WWo>86m!7<#&`@ExvWU?<W
z^j*dh8&_bGaQwCtZyMrrZ{yPkmwzWXdg?D(34Nl4FUpa5Yo89~1OdoEeb}f=@aCI5
znYPl-h18)Y$gCDFWj1DA>)NC)SrFD{b5`1VI#L^}PJ-RhoFHUPQ`9}CZ5j>hC@QuA
ztCoX{z&51dl~#LYmR6R&>#-f-9X}gV%k+AY9S<?1PgT!jD@=d$49vIDm5zl5JNLJR
zzPUdi0olDX6n!|-5OHS+U$d7mJ=u!^UiQuN5#J;2baz!Sb0BzH2JYo+4l#>2gftDF
zl_AFEO-wuZMY7f$4o-IF?e!o>_RVo3pK45%Mw-@St@>qM_F^}#YOjlB++Kf_ar->o
zkfNa+x)JhFZ@4sQ_)`&@J~8fVJ=S{-bsnX*PKVtw$v%xe9rpn+KK<4t{FqTMhnSIH
zqZ9Ho<A!Zq&-o2(i1~bC;>}IJbOfz0?`u(e<=A(8E*xw50Y2fdne1AgI=NhD+Oz7p
zX(#Eln@c^OiqN)zY&vE+@w;dDpJ%i2i3Oi-vOOGWuxX(;T=%MRU;W31NI~W0yln21
zBkk06#0}Ow_FF8_qOYPMuHpB*K@V%=23C|C-f{MDzC!_@ZdMbT7FBGYuTP)(#*q1%
zm^F1#v1h)~@*{Oj9Xpk!>65BZ)oLujt6tu|L)7ixGW}5h`{U)Zlt(YSe(k$F<JPaU
z=;w!>Y_I{+Pq5gU23A$sEqe3e9fXx>%yRo`;yUN(r}RQ1uwzw(9cp8`3JOt?ZH7pS
z)#|rFh^%-nrb><?!LzLnO?F6N(<<A(Fs{4goZ2h}p&4oKxtfM(I&+RW=R?%$N<@fw
zrKNimu#6YgK)etySZjumi0yRUW*4^_OHV~pS{kKN=$<+AH+B_ZnNWmg{3W=tYL;AZ
zKWhRk=_t&hG`r1E0fj!evJgEoRB7vl<a2I%a_26gDU&_~QI*k>bknfIj-=}9UMi?n
z+8wACOv23Us`T%zh%tB4t0_SV5<xIBC#JoAdwWSiaz>I;%YMppBhRVE3WK_d2LXlj
zWU4ezb{DF=(*uE&4JNm4`&e8h%{{bGg3f@c#-^>bm53rpW=v<gVLx4`DYxJm4r<I#
zCDybltAtZLq|2O(*6u*3U=oIcLR2~1KrP1t*U!2MZgiZXCf$@{Q~}+y*Y3~IopcAP
zy=?D~<$W47rRn@hu=&vLpFI%v{|BysUX;;_RNAB37ja3-<jtNrJugBiOY^tbjLXFQ
zQ46PW-Y%kPE$hN=>ftu^MxQJeLmL=^*fnlVTyxjDb$tD?o*$NBpD^xNeeBH~<{iu@
z$j3^mQbX;P_pqK}kyX*EEmaFuXPMn=_B?wc3936JxkOY4s%NSfs;_4sVLvB5mj2^d
z%6+m{c5&jIeVpSshd2)?I>o}B;AWu!cB#AIQM^yo9$p+T&3iz%)lvNd!G_>|!AsnO
zzr#NmHRey4JmHAYC5#KV30FmDimn#D6C<LENGo!S5~3ZVHH)(?ZnpT|A~kDj5;fO}
z|FIO-=4%zTx!S$8w_85$_|!S-9&>IxU9P%bQBT$f>razjF1=0qn0wppa(@IGcaa6k
z5@czzQrQOCep#*TyzI5?o98SKkjKbJ%SX$n$~VZ5$Xnzu6)uWEMV?}zVyB{B@rUA_
zk|-;b24##gM>$=&RoSR~pnR(`Qxl}JkYEM@a}WlNnjkcVePgKMX!EtevDPd@0w<Gn
zs7>WU9H?gx;Q!D@jt$7@R_~85&(yv<%XC&~Ytvr=)S@lmaL8kaGS-{dP9cQWL;x@j
z+NCB)0mYPkD_vuk0<?c%BmGSzC^6#zn8fHcrw}mgw9YQHqd<sTdTPj}PAywZh$&VC
zwX5t|hxkR6{jQ|)j^RhAFBxTe?e(ciwGBOYt-Bv?mzpq%hdziD>tvQMNA64UVqozB
zFZk@TklR(ys7*e!VkYPzBBRaspZrt23$!8g-)isu>R$oA85Y!>bDo<5Rb^r7dPynG
z0@NB+23<I$p~a36cI`IqO_h~ZG4o^(mcwk@>V{F36|8A}AFT>NSPg48SU;4VF!E-<
z)!q<T*Z<RwM(8m*#y$)~?dlI7<3~$*&^0kP)=~QZQ*CszE29lcfK^nLo(e6J>t7nn
zYg3%*p6Rh#H#H;6@rL6_?ongDuq{&RUKev34n3*J^d6KZqC#ljkyIT9y*U5%Bdx-6
z<{q-;O~13hBjucWRBm)-dDrJpLm}+evcfK&AOnL~-ZHo_J9pz*o~D-6v9nM4Aq~=5
z4Rbu=SH0`u6~YZ7O-4By?xXKD0jR)wy<%p=PE@Mdf3AzbYrJ*1@*z>;#$x9y^S(G!
zn+gWltPh8SZoMM1t|xNPuvSLfr~<#3-n-oaM9%+ER{`5$+YKAs&u1*LW#iu78=aNk
zsZK1+j*WF!b6)(k+ZT(xXF45IYqqZLg}xAF_9KSkY{7uMOtr=BT+XR#^KzrSi6VQt
zCi$@~YkKW=kQ^#)OsSN2KA(+sk-S^#2<kz-oZ$HmLwR;P?UjP%)Oi<@A!3J^6&M<W
zog6637P-uq`*@uzY_MUVm>Lh`(0lf)W|TIsPlWHO8DdoB@+`YDPncg3l80n2#3Uk%
zAHMvU9(;&L?b;uEpV?Uu#5n<cUP|%s=x#<TjE*RKG8GGj6Z}uCBpfLS1H;OaL!d~t
z+hPYS`2g<EorENbR=PN#MGkpGgpgf<wdqa_sbOX#dYU~!*kd8pMv&m7zNq5*&l{ix
z5Oxbd2J5xRCvE|O^9tTreMWIEx|)5nX1Uy^24Yl!EmJLS1LA4^4>hErZyX{x>SG5V
z_dAzO;s|cpkJi}gYVaU5MO3wkfEZV3C0k-C)Tv&FQhr<!0vo5&gdUA>^t~;44F`L`
zEc!o1`{IQE|2zEiC_+OM+yE!g({J03+%q_F-a^CTR0$JdFLF}d!t<$!j@`PcP`kEI
zs+*VbM7p#*RR|yGs9vf86mw@T*{bp0oK9J;DHsw}aE$GTA|-Xqo9nOY!N<w|Q%g+W
z!O03S76}$BkdRHJuj9?T01<zj&<M5AL^q=<`rX-9#*a*x`Ew1*73DsIYLXQc03DsS
zq8+c)M3OehHjmBYY(agXrTva9Z#}hHvJX$|E}#ZF?umI!>SO`$A+)I%l3Sb;A|hfM
z_l7b<;Me|eq6m7Pkg;9uK<7(7f|by?!77g`WurZ)!&?<zJu|j^&2&9gn_Rv)T8~>v
zeLfa)yIF*u5Rv6CKX;<NHA#2PjTO1`NIe;uYUoog|K8b{?`?}wS!D67Iz;P4E;AkH
zX*Ns_i)20SW1XQ)as|oox-%l>t3L=&GivYftc?1(e25AK_U?`dj>fpk8vo?zQIo5E
zJc(<82^!2wo#!<uE$ogmI^GuSJ8X?PQ~*F~*C|EBjX&i0_p?&_j~gO{hR}vwYQ--5
zy{TCL`>HdgxEhtF?7>uisa~(!+W6xc-`qj&9jLl9*nm6XmJhL!wD3`t7BO2?wl9~A
zN_TNZxC_4@s*2imsNt|rW|&1+W5hmIrnC?ti7TXaty|??OErj!eAwqTK!Y3;48#;?
z7BQmYhG}(mWE7|2oDj-P=8abkBb)^`p3ZsaH8&VRa{v8838|z|2D<j?O0QW=0IBzi
zHOG80RI!%TIl~ltp*G{zAC<?a_P@Jg7<z<_@7fJaxxhH~&g(jN1aG=@3ryKV54bDM
zCsxTL&fxJrdxCB}FL+=BZpXz(NG~9^72?~Kl?*JU9ZF!S&j|>$97Re@3`(%qs+3TK
z#FQckXe2oE&TAMX${@-?qD-^uTGS15C;@ud?%CqK*?LJ7+gxEGDV{m+pp_3>x)({Y
z08&}cEM>5aQA_RrNbE@QkDfS0$W0pw5)ab!mgE|=R3~m%3L)Qmjfx;p)&bfOd-QN;
z|JjImm2Lkx|J|tU`_NxHOfkBFxVi@o^UQ%jrO&E4mPPP4*<VnSicXhll=)O+L{q#v
z3HXk-TOwFw8qgr~zm?jT#kKf-xA4Di1L-u;Q&2%K%PQ)yp<Ou>`;}N@qYh=!&Bix$
zpd7l~C?BbyajUWuG317x8WI^)5w?n?EX8n8UHKS%ZuavO{tNLEa8_5aoPmn=xbG&S
zJ&s$64DH8>^`=k_ZDSvdb^}e>Xs2pN)ANG|`IUGLyOXok3c|4JThtjnlwO(n*(xMM
z$wC&RtI<RUK-xDl7R1!+8?xB?FIWu+qL{^o&?#!5Pq7cT!mSsw&*p{c({!@1wWChw
z6jLEkUr)XBq9yhWr`15W%G{z^g)~Io{sNgT;2b#)MT<q4IE}zv!RXm2DAfE3x=|L}
zzMfK23NE$FZ6Jz;#Dr1FS<yP%_oE^yF?k4Xa$1fEQyS=qJY7o;9?r?g5K(VOY?4%)
zxK!xig<LQVa8pv(5IW{5W3b7Dfw>0k$R_Y2ywpFFRHXxNfPK6jcQ&;hGk0F<opnC1
zG0F!i&vAK?mbcwPsaVMPj%`#U*RVp&h0Er0Pc~h6NqNgMP17g}8iuH{J&93E*9CPj
zC4uzu!tLE{`u|TBzIPj(xa}IY5vf>hoWt3yK<XfK1OzVS-a>AxGXZzMCP{{{%R3{N
zl4Xj~7b&^9);Y*ZVe$ggtXX_=PRqxqd>L*(2JgB_z*5xZpD3XZVdkkA!xuI^MWt4`
z5sj9*cA)h>OEdu&9aVSloUH10w@pLW0$xPoSpLPa;>#6X;$kE(-I+cRu}+jV?{gl~
zF;$rXh%&VzcmCtgjs60)kut`y%y?&K=1$kx@QDxeU9SiTtcoI_XC8NsP%4BXDXoQ&
zT{$B-7tM;J{La&qe*D?oClp)Mia^qSQPuUK30v^iU8sS<SQ3)tiKK5uo)%qCP;D4a
zi#>8i;dg5#&tg*L(vB{Mrl_K_Kgiyai-~BU`;}05!@)}zNj1-nl^-3ff%T_SOKV4I
z{h2CeGTLx-hHRP+e2cXqbJ*|7wKOO6&6U+3TkUDwpI}wkh>)Qr9;TI(#Z4CUdw8_1
zbt#vE6J%!BPlZp&)g7f-kx~qkQIs$)goc?&)5TpfB6rNh+KL#<sGBr1&luZMQ_Pz4
z0!dOR9w#GVF?8@`w;Nx<2H5d>2wEaWMY9t56|au~@v~E8eYGHtHUIXhz+rRymVm2v
zwR1rZVe@o}GWCEnBElemBY2uIl_s7HmQ2rosD0g@k3CNJf@jLvVj!i9Bkbrb%G1Ww
zY0*L|Ep(Po<U^Jj)@UX8)*{AxU4#g7OfV6Zb@2y9M+-fDn?D+mt|N~d8#4_zcZ^Kk
z7$$HN+`L(Ou+f}5(R>j~YKR8cX6b3Et{9c9y=@Qt11*2l=4>31My6RXHMh5&0Tc09
zh)QR@FP?4`GAYB<F+3|QOREPetfU!R?LeG0R<Hx(xO?wY-jy3=He72PWNEXmxh_TE
zO~7kQo^+UCwb57BXZhrv&G%6#A+oHAXuF}XnKx1z+Rr6S^p#<*NKMyiolnprksH!;
zj^6J%35FL8c+uw<%YTpb*D@-1su+5+h$Pah&0Ms~ceFIY)dFl)(c!N1YF(vegl;Z>
zFpny4JzWx5<zn(jQ+B#!r&H#k5NRfl#|A+pX0m2Hev67Qz-n67p2P@Iklfcmv%a6T
z1|cH)a?<y;)+_e;5h0_oJU&7s)fqd<^DIrAi-VkGmNi*YquzGjduMlU13?V8jfk~F
z0E)3o>KLA37Hesc*qAL)xQ?*^hMBxJ8L5ldxTHy0-^1d%7-q#%Ukvknm^FN<7C#1J
zS*l!7YK;EYL>o;9lZt!9z2I{nU{R+4;nTl}&z;`-(fC7R=7UGpOaP0SxA~t*mq?D*
zV6V+}*l+8-gId2Bzbkf~D)<YAU}Dj<Fw3lJ5BoF`dy3dXEWx?pD@^T@+|)c-%qr|5
zya4fXwvyiD&p-dY)oOGG-S*CQW2e_^G<&|bt<5^{E*N7Csy(Na%Z-QKh`4t2XATTz
zVYs%>DQEUqIoQK68=f2rVU?0agVtJQ8yE>WM_4PNW|hd!FbaL38q0CpY2bu+Qnwa&
zi->xoc}_p5*s=hm3MnbZjJC@K_{B!;(gNCYLl|67@HTe`DehZ%orC#SG1DvSiiozb
zK#)oL8hFEFV}{^SNk|jg*&_BVFG7g%V)VJv#;C!={3h}A|DHcOqO5}248(EnJc}F}
z;Q}oN0YTb{IQ}JjYUim}IPZtss*1qw37q-~j8?<hSMerxD1sM4yxrjueIU66FofCd
zv4!AF1TXPscaZn~a#QkqI)-3ThqV||L$9(s2qw8DnqYVQG(_(F$?P{vQCc;uML_!o
zx8_+<IXlp_q@~s(9=sf2a0NCtE;U)L5w%uHgScDJ+54E0VHP9CtN;oazysZU`2MVF
zPn||{EP{t#ggUYmDvRQ9gu3{oGpw-d=?s}YU-82@OquAiImJ{dq++2h*+XEH-z5a8
zjAue{FvCf2CFK!iT^BZC7G^gl3r$_q85>{)_pN+wOx936)g4blb1S%S>B<slY-Ax!
z!cvl8$>ZQv0zlDHM~*9kMQyd(5iwk?x!@mHooJyQEs+b#871hPC$i-EX(Ev{36~2B
zZDGdfwRcwe733Z`Bdlbpu*;9U3wWw_>s}oWX+O^0z>ksnn72t4ay@6l|6ljv>pwQO
z%ICLQSzBtf)T1Oh49g8Sw!_11X<)6;6H=0;gbT?jSDeeP2UC{0Jw{`pEy}6vN10)m
zw#cY(s5$t_t~*XHE5h7d>(+qPJ!qS=+j_uK)`c3>&X$E%EOztASlKX(bYy3KLF!JH
zW|Yo05qiZ6<1kDuwzf8DFq(!DfzLd5n@pscWH=9!6_{eL?gT!=APg4wAw&f(!%`q~
za(#ha+&4)7uF+3FGHXt5Uct-}T)of+xDD>O09cC*2my!~!+p)wD&J-_yBQca4_$p_
zX721VZQYqYGOs7J(8SajMN<Yg3peF%6yap<-k&B(3hS(eiQe^7whxg+r~RG6oiHZG
zbDiyLQNqX$Ch4cqG@8w4(^(B8!nx2QnGB|Jij>3m5OtXmBF4DFpS~BSNO3&QiM5O*
zVNw-IJD@Zf_t<$I^^kiFqAq~%a9@!J@IQk3$TFO=uI+@j2fpszyrb68my9lEHhBaN
z<`o=nix&LVF?q0MZxBE*ef)ZI`J_+Ug;YAFB}SR20V?9Q<8|z_^mt*Jz7c;VX+aWB
zN8{?0ra`z|ECwU^7}|W|M2JhkS<&iFfredL;s@*JkBGx{bD-5X@X<0`b_;#bduLJ?
zX=cosX<!l*+HwcX5kZS+VnEjMQM|#-CF@ub9II3RJwZakkP=~?(S}l~1&LGGI$TK=
zc`myc9vmd_-R!iesf4v+QxzMVx&Du_t=+Z;vj0$l%7uu{MfueG{Ld(~R$YC8H=)ci
zSj=dCwkyc<)7Ycd2_477X`>Ohmoo#OE^I<na=!B>Zjif25LLg!C-W(uwe@ALU-4EJ
zf(OZ~U2cu!z=RMtA=}p-p0pjVsE3mFrpVqi1Rx(M$1~dD^Mw1+Nif*CTDj*Cm>>Qo
zx~?4rc~lj_;f<^O@kyp|bH%-kJX-J~%*o&%%t1==`Dm}tcK@;1x-L&qoUIP85T|tm
zXh9jOU18mXaa`xhwHj)Fm9>t<wjf3^5u_YN5@-pz^!h#$XB5MNs(D!tNChz{6Iyq4
zoF6MUVF5j=ce{6jLe43yL;!05Q<16_K2I0r4ueXN0VU?k{*$^sbTN!5I2s`iPl=R9
zX8#wp8kj(nDhmVr@DZ>~4kJP!t|U2+PAZUxBZ^R@I~D4_tHiHJ0(e%MXoVws6A{D~
z2mE5e7G#$9Fr$$g2_i6I45k7FEfHbKoJGEpRwCND=L}Uk&)um60!SiqCmr(UAnVbI
zdwi`lci!J|B3nZw@1GP;i+BpHIp}JNfM^ZdLy(~1V-eYEo<m%@{=;jL6dUsbFO>=f
zWxs-QL5%tnedUwZZ1bK>NsD(xN{^Jq>mf*E<!H{Fg#ZwwhV(w}j!r+qGEk0AI*ti7
zX49P*f-uB%d=VRh$x<aka6OAP;J~NGw{CpX+1=p(L`r2F3pc(S9lTXI^Zs}v-1OO1
zf{!7ENaJbw&-|sv;Os(&<_8`2uzonOZ$Y<V9g<xYfE2xUZ*>Y3o9AqZKv<zRg9R`w
zTzHOHpn*vTO_EIA*ypRnXxP}%bSKUdC{QV62Teqw<!B)7tQX;d*sC|XgdXVUwV3(p
zg4g|}ub~&_kdB_Yas-TlYneu3;#VJutwefngu|MHo*+it1ud~3s&cUs9PEugwG37O
zPfD{iRsku&<fD^WM6f1%1r>OUAJYU!u+Tb*5UA%=sQrynWNy+DnCcp4X`Y$Yv4O)8
z<bZQ;Cgn0Txx^CXP47J?y8u2R)_`$NIf_i9BM7O8+|X9`Gnilnh{cGsZz6e+?H&9Y
zfIy=5#fl3dfPk<P|Bbn5%>({OH2oUj+hz3xemLhZJi~j}pMSESy@3J?6aWbL+s%<c
zlMqH7;I$LtyZgpmu<NG%Y0uF$&z^H!^-Z}wO+<L=2JBva8@GPdJ@i4KZlJRhbR(K>
z9X#?wOvN!gJjtsMMA|xbLhX}xaeeY+c27B)^{YS3u3n@*P0M*c$His2&$*$}p4<)c
zWPOl37Av2<!8Agl&?4-aJN=8>)GPh_*k(xZiF!{_ZXjYy*Y_dG)mW;x_sa*|b-t-^
zcovOUxJ%kK<W2Wb*bqtxp-(o9<^fqi8RgoZ|5Sn}+aUaTYA~1QxR4P3Y;{HV?0K+1
zy9L1YWGTQW0u!^>V@bSjgtQJtC$d;-u<I;F*br+&vl`Vv9$D9pCW@JB(*w}n^Q|98
zd?F?S0eHhGOpL=!M&Rz~wgL}VZ(wi$o~K}ELLf`>gaV&LO=##NnJ}R7al(W_&4dND
z^%n`DmwFk(hC;-I13m&=z};hF2@Cp(1U7V%MkmRlt>jTAMHKE>^T&V#nX;8BFy16y
z+)Yqw0R493$?LEOU%cFJ`<26G%9SmL9>4ZgxzdeSK&=GJ3YmG8Mr4*SaO38Z=_Y|z
zk`LF_=mkzMj-116ZsLWBVH9hq@rsm?8Fm$^l$Y|~Ct0RRdU1NBnim~+?rz9mwk!@6
zD^^gsMsZ)!kIn$@#vFF2DWs-W>RhH|xcG4&h4a^wGg=YQ2MclAOf|`{VKq<gh9=dL
zRzl{OZF)j(vRGc6rynJQl{ubc7A+Om+S`*Y_b6E=tshQTtT00;6b~23lw}z;Kj|hT
zQRuq%IqZi5(jKH+d5Ztcdjn{4Nfe<811rOXlb@u-A!dY)H)z8l+?S11q#+$~=<ub1
z%rP#lwr`#8I9IwJxBkTBl&9p=GqZC%=NA@vFD<XouX^t9wRJulI|h7r?%KU)?>>h8
z2M!(*aM*80jv9E(%SXnilc(%FEzGZ=S>f*wu=er!^&JR`^7Zm?M2uU}SUiywn-Z56
zpULL(o|z~VOJ#|bYR#~Eqba%Ng@4{;_|Na3l>bh**B=-;9E~SNPiJ#u7G5pUdSI=?
z)s8;2-R%#@)A@3}-A9{S+jrh|w|Djmkbdv(@5m!z&3)|TkqyV*E#v{P=6gHs^*>(L
zG~NE<{bNa`vZT;hz=0}+?3*qP;E5AJ3jj+t>0~=`_4HcT)gZov1b<I%D<CM4<^jP7
z*=ne#wPjKRUI-ivv8*xg4=ZI7{y$!j-^<Ar{6GZK0hC(9r2Nk#JI1%I>`*76YUu<k
zBWJasl{ogk+jZjU8+FR01TPQ|U0QDnL3wK-B%r`TR2F`V3UZ8Li9ymmQJ4N0NZ&tQ
z>xioKpSnNWo$NGtH~VEu49aH}!eA9c?G%|B{MZgY_(NRK5t99a|LzMqe#4H;0Y~oC
zx<T?Jp5_UDCxTN5AdrGyAqb@%UPN3cVrR?aelM3||KYS%>Iy{%XRR~HaM`MSvIx~4
z64ZVJuO>s&x`757slg5I<lT%8ck-dtP?KPsF)}k2u~S=kv9ANJ<9JWCc9!BIp2i==
y#A$oBTErq%eeVCCfvcM7i}&ZwOn=%gr)+({hTH<eXsV*hsSxxhRc;7TAO-+v2o*g5

literal 0
HcmV?d00001

diff --git a/site/fonts/dm-sans-latin.woff2 b/site/fonts/dm-sans-latin.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..9443ff9f45d3844e82c20f630bc5a0266bb7402e
GIT binary patch
literal 31312
zcmV(<K-#}|Pew8T0RR910D4dW6aWAK0a_dY0D0N~0RR9100000000000000000000
z0000Qk2@QxP#l4FKS)+VQjGyWO;$ltfj$OcKT}jeRDvQWNC1RPFM%Wx2nxq&yC(~S
zG5|1x^%em(0we>5U<4oqhja&xJzL38aYLNL4m5BNwG9Dcdu=xJGH43Mt_Qb?&`Yi4
z?7LkQ<)b!V+5i84QiA_6hJCO-K($s|>#hl5L)av6q12-x7z8d%({oW#Xg^eGBD+aJ
z)KTv}Yn}*Oy9yiUp;WAj>grQhUWQBL=SW-CTEhDZ58<)y;dU%yDRxDi;fIe$b0OT{
zW1uy_AaJG)53$uPFbIQTD=gxN4Xv0h`OSzxhpEWa{Z^L#w9GXB>VsNJljgH)JzG?J
z7q8Y0ZklNx-J>brW<-WF?e5`+y)@zx`hF_Kwb@B~wk_PVF`HxKbcPvi@G573JE~D9
zJkRrM>)iMMpZGHjHPDNgg$qUjMq+fbMuN4`SQy!WQHU#xRmBWXr~X^LrP@zYIe;2m
z<huYUF<AWo+D~aDiXUS?dxta+#Y=|J@K8k~6;FkjC<U^9(dYN+>fhUvW)?p%Mved=
zGe_A<GtWdpY@giG2WHy~JRoSU>gpeIv;I+tAW4W4fhZCPG(a$|+KTAuo0g$pPj+;<
zi=Ng@I^*ro!)baton*=DEzd1y4jNd(i%{$&Ex`o@Pv{@l@|8eW)frH_#_#0s9w<{|
z$ug>A&LuyeoBy4()StIsRmK*(+09}(KZG%{H+|+n6|)43`Hd080zY3<t9l=+N^HxJ
zC}78fjHj6eIt9GIr@i&u7JwRv(oQ?F3?y5!RP^aRzyG<<nFq-NK(;_Qt_b=HS7AGO
z1w6jaw65#``TvEG|ESCV|FubyC3_|lzJTYw56ne}-2XPRo#cF=8k+tQ^5Ni+C3~FK
zJF>lZo#0P{f>;<o+1pYXEuD}Mbp5X-ORvoH|IPV!-;*raR?ta)(sGKl9mwf!7`D8h
zeJ$tzq(IDrD%`F;Da1mZ8qelwq!*VZHCcA%Q~+2Qwr%XIYv?1&id6AX3Jlr501}JV
zbmyV4lWT-5DOaHnl9WLhytVhjl+e|oa22iv5HP9Nb)6q9h$J=U-&D)?e-flVq`egg
z>K;d02T)E!>H@S^G+$w5IOJIW0B{mWA@PVAkgEYGY5`EYI{>*lkkqaTiK0m^H)Kht
zy`1C}2B7qIL}~YiqI8eC6diJ^{H}84T*Wen&fSITI=gdgcOmyK3zu$tzusl-qq!>E
zmFgPU<@DwN(I$tHy|+dk>Pb4e*-WLc7cz(V1f&R+AU67)efz?yS8vtxd~>4B@hCn!
zX*w&jnZYOc5~0-W`(-J;`EFgP+N#@YtsF88k(u`B=BA!wAi%{hZ|UYMr2xHF+Eqj$
zawh;&qzZsIFcT<a;2Ec#F*@djCeQ?!=VK=ye4qmCVE`B$#uJ*@0Cc{r<;P1{q|0wy
zsUlSh)Wc~`W6v<xcR<Tt?Zz`3BSxA~O5uef@*{fJe_miPnqHv1RJKgMQ!4s1ruIBn
zzMWjhjCal0T55<@P=Z8>gZeuXLBmh=f7itcl8>S&!9cKLMX=*Q@WO@QD}WFzl<<Rm
zgn|kZ3M)=1sSF{?kAxT%2$fVN#EK`>RFBX=BSI6+2`#lIwAG%_QAa{&T?yUwAoS9o
zFwhXfFe3?LjU|kiOqgsc;TOLV{_q#!AJYjl%_hvTkg(V?!V0ShYpf&eu!FG6E*g96
zrE!o$XdL4h8iD{e1cP1n*y|vN5U}_Phs6NnBN#bg90X%47|X!;7mSHu^aP_Z7&g$)
zgT52=RM7i?UJSYuv<IN2ftCW=P|y-UJqL9H)W0B+;G<v^JKz8W3pNxQItEtknD1`k
z#`jy<Zvfv)sO8%O703;*H6<_H-wwXwdGh_syNm{W_onBS-Tvi@1G&P3;PC)K@O-{m
z06du9244k=ywjgug);xoTm=M$1F#@lR&C<GJdIct+&?mruO({N5$7pNLwc0>&iL7L
zl8>bO!E`fonxopI!BOD#lY@zTJ*qGc`D*3)Dm?3Racf=)wlN+rZwdUsne{-u1_c((
zR>94#){Sp&ES(10b(mraQ+ndPaF5#@&jwEaAH+UhfXS;}`2Uo?`{Lioy>b3Ir>!zo
zIOs(`=Y_8<$-$Vvi9{)}#FNhMt@1hK*(2m)z^t+({~}n$>C<}<_N@R-<uP{$2IjO$
z2kmpeGcctMYVG5PLx{wy@QuK}hMfEC>4Eu=Pi_kY?;MfbpV-$1778_uu43y?S4F7u
z#hl3xSBaMb3w3{DTonK-S;j6hwHFTq{dx)^Q(A3hewM6esI;1`YP#OUDwICIlt}yH
zWW85ygd$E6geU^vu0BJ4g02iPuDF!`&)*&ex_a*Di@;<j6CB@f|KA?VH&Wab58dCO
zSD2lhZ{I0@)W4PV|C!@M4s00Xb|?C2fWYOtZp_`)d{BdZarXKHQ*Rf6TC;KQZ3EZ_
zv9+4_@-GltZG|@ms{=dH@Im)rb093u!PHXPKvdy8Y9^d4_mE~S2NUlc<xA2!@RlZy
zPRts7R=RlQ+u+4sMPzg0)*QZ$#T%q9ld}7Fuqxrwa6n60<8QMZ86nLhJukCbHT#yZ
za<pQ~#-nAuz-Gmsy||xF&O36~^FCW$<expD%=l_EjH>M#+2PG|WBR!GoYABb*_IEC
zW}%v9S(5a^5EP?17)kNTzZE*Um#2*Y03Sf?a)iLcI^VD9y4<H->dpa{OT|lj++BMU
z70~rh3#TtX`%iEC`&L*PF2%+u`V0ISvyPHC*Fc=_DLz{redLyfLf;e&HO^=Jvj-UH
z&U>nN_Z^@60|YK(f6ftfvz`Q3Xwf+CEvX|VMi}?Ko(G?@!8i0;n1N2jhyJP{X#U<u
zP3!h>`Tk=cZ4=$YeE>^5gje0vrw{p~tHboXNpUv1P2wHsrbsW!#v_=a2&M=~eMi@y
zbG|qIjJh)=anPv{DOSZBE~M(P1H3`CU|L*TQt*~B&LTqMk_ekIF7e1T@)gnOd8}Ex
zVGCRXx+V_7g%05H&~Ey4|DMB`eV+i6(2M?k3ipDaHOg{8v)-Z|8y0*BCfs+!@Z}cZ
zL}9^##*q5e`j6fMLESqR46sfan-XD<xmw(NhU2zW8)6+~p;J~JC*!BCnkq5gSX7XB
z+_=Lz5S+1@fZeeAz^TSBGe^PLeGKPf6&O+BA`mQWaXmNu0&dVbI1=6)UOV<&eaiAg
z(EFvWZ3o)~5Nl&Fv(QAtVgTAJdO$e`KA^4Lbgni<O9ZWxsiE%2R%jx=2U>7ffqJ9D
zkKhtyQpU`UDs}lUpeDeeaF4NDDD`qKRI!vpsP$ojN<Oe3LF1)z;hu~xe(xowG6|uQ
zK$D>KoIB?+UYlLZs3MHczv(lTC1}b8l=901Ns^+I^BRHj=)u#N_@fsO%x6Q1H{d<I
z0h2u2gbGP!;lniM=R#rCEB+9DHU304;G<0nh{vGQ<LfnEi!po&3_TmFADiww*>H$Z
zKaf7ncip8BfYZweucc}dMjM)k4nW02NfZ%;+PO8AW09SGWe9FaKvyV$5r3p+^R+vK
zsCA_)D`21tizr&%@6iAuUk<Yavp5X4JOwKZLpph5)a+p|?;3;(Ba?D6O?4>*z1>~6
z7{D$EPzGHO3a%yGn%nvmrX)6qN|8T3>&`7aDQD*B?;h&o!{V1L`kb2%?uWxzRUlk#
zQ*^sf8NFP7hWUdEf}Kl=t{{Tj{bY_m)H`?`n!NL*!Sp=UXyMUXrZFh8vYv5DirDiU
zH&{Xf0mBbr?`Nb6rf9qklU;7K(R77ev%vW|zzFx<6m7115ZJva*5n0Gt9<g3P&QOk
z8ga2?b9kQ{>$LPk+X?vo+fn2v7=RTk26h}+@WO>1UjZBh3+3Yn`S>fSpb&)>7pkN(
z@`&=I{9;s4NF`Mj6)RpzHPur_1C7LJqPa?1YOR{K+KbasM>TcURW051P**Sg)i=-(
zO$;+q3uBGd&Une%n{28se({^`{_vMx{xMx&b1XE_V#^G-!YU)JvCbG4parOT0zW>v
z03nn{MtcWnY|QvIs6-*t%$A`Tf<u;u3SoidY@&m3nBv2N<>B|tF_c}ToF6d%FWY0O
z3FpZs{P|j$>g%9O$zG9fjNp7;9&W?W9(YS`pYA1fvkjW-<#gUZxfDlNeNvV;$ByZl
zXYqCgyf`-Lf%|T`^d87Yr9;8A%TJxp5qp;Z-Ph#W;>zfp3$oKQ+LL*ydm#J5TMpTK
zRd75%PT|vR^5%Jc&%+>Om8I=zO0(b2lpw#&+1OM|v1D!Qk2VkXCFfr<^N*!Liv7TS
zX|m-0eyTIi(!cWmHoMce>#HR(P_Q<<8=fy7-J)4oA2X*tM<r@fJ2h@(WKOp|_Vekn
z+_*jVrmL+cw~gBL{9&5#&S^Qz%^kS#b+Ob{w`8W_@UhC2-;i?f@^T~FQ}(e#{!kfz
zH?0hA;7PhqJBQ0Q#um9#Vopox0q2ICG{|hYj~lw>^UeinlkoecV$?kyet&?)@}_BJ
zHotamd7Avb;jd5C-|Ws-<pYA6;m^BT36jb{b=kP>D(I(KQS=$6geMA>?>Vv$LzBwX
zEsLC9(!+k3+T&_0G~P4al;`K7xa;Wo3Lkq)+G^s^0-uZq_XeZMOl|2ofD~0s@uyOX
zTFUuRDNikxRcVP6|B9`pwmRynr-6nNG}1&<%{13iE3LKFPJ117)<xGRq=cP%>!YuJ
z`WtAF!HSYH(Y8!6wdGg8DSv`M|5wVhFw-ovNnc{=)3?G(O3GRYen?uI7-ziECT46Z
zLdr577}E|f3w%N2I-pQ`94$wi*vm3Oi^A63mufpwT6{1S1}~}=ma=jjKVn?kc33LC
zy`Zeeg*qeAcoZT$3T4}lo-&T2&<hbZ?$X)|8M53@bIbkLh!9E0w|7jjt5j*qcNI=P
z3|=uor&Cm^Ihbz`V;T149y=5J*f|Tu!o`o3H^=d(=x*bs7Tco;<fz~TCzuJ1JrwF5
z!tY)GyvX9uLWXO($D1BZi-Z+7A7P8*9T0C;ngBit4CU@SQ+EUr+$@2MII?PQ<y8=h
z#v^P9lJr(;P+Ko5^Sz-|LgR*!`0O@Ln7eobn^m(&5cFI;6}0Z%2M!^WfAxHD_W^IT
zJ{dGB$j8Q5YHKlnb`^0_%%YUsg*{y{%rPt=-Bw?1)!67*AIDaXGAFF>-$X${0d?so
zLL`$C*-$b8w?_uJq#CO5VM8A4S3MyOnXqFdr;wdAg(}rh+OSgf>Xw;SRZ4xxUSAf}
zSMF%6?yUz2B0YG>bnv9C6;wA;uh1x;C^k`RRXY_>k)|lOSBX+Rj;O{#Lcyf0>qr}Q
z))f>bm2mx&A-;eXr%HjO>Zl&m;+b7*hyxEI_ZQI1a?M4U71Gq6!D-kAW1+Pu*HEt;
zVr_D>7Y^6KX{E7r1QSoD0qQ-su@rgc8Dww9L$%zec<1f87=e}70TfA3k53H)9)MW*
zh#+Y98o+*W@z1_@_wEGtQp5<THefC$Ui<#(#m}Gr?ODnd9e}^phvpAn&l|WUK>r8k
z<?YD__?!OBb+3ZlJJJ7uy*&N=@IPX$^%uT*{Ppgeo?B%`yXkTES)aI7BgcPxoqEN$
z@Vs-!x<2M^#jjl{_~MgChu{3OGd3r;9j<)1{`S&WefC`U<k&s-I{P?EU%IvORp*ai
z?usMdcgFgcJHP4ClX9Gu=EYv@%hRM-$&`7epMH*Nb)&@i<UY8u<s@I+*=MGi=S{6z
zFT!@e+%w<epC4ZOR+JePdGqK0$KIGgCVIm?gRR|eMX8E4_rfsx@m!iJ7kVuaZlFdz
zYYMcDt=(yLH7b>V#9w)6`rGGp@bKY-{rJlv^{Z~=KW&|FEq@rhL!S@HJ^Z_|$E$<V
zq&zs^oz5F~(d7A2@|h5V$Y((m6rOg${_mzu{C{`-4@DRKxs%;d`6-{R4o7Z&{~-F&
z!a5r+I$Cr7)Wa?L+}7>(@t?w%I*#}~gX$wxsh0EnpBNUN2|A21R?h_47w6Vke@^_V
zaphqj`&FOQrF?ovP_A<2(rLDKrxArJ#!F}A?v;k+V%J|p^1aKvvXxP<SFq2&JD%$9
zr2>TZfxi;|9iRC3>*@XW$4)<AdC<1pxu>juH}=6e%~mIQ{a@_8oqw=B(Gg>7@zOB$
zT(JE-&)H-C1FGrbbp5BWhDzYG<>ycLqaS%@{n)=ch<><WCamCr_M87^w;92E#S^Z*
zy^wC7dL`R)IOYHWd*8?Q62IR{>Sd3R{jka1Cj@$Q&GHX9L(j*{)j<$Q<n!M<o~;~f
z|Ler6z7I3}j(Sh{U-0HcfQ;(XI}uQ8&a=N9W>AgX?~9N-cV4_Wqbi!c7@&SrZGZ;#
zvzAUoMXI`15=sM;7pSw<xQ-Wl<z3W1%gwr!_D*7!VEUkPskFHkT=H6MXv=r=1tqA#
zLxzu$Dj0dxCsCFoKfCW&g0xWNQ%WVZHPcByBTVv_h1S~X5ZPSe0RkZY?9jHkx!MBw
zwFL@p3sRspSP>{~COz65WVSe^1k?gbyyTxgm8Rb1l6PqHR&8eb^tbtTSDRmN%!KrJ
zHlf-XmK$C9tr{tVT*GW0OvF#7nu<~9TVCeLx-aKsu5%m>Xc;;#l7bJpb=j!smSz5A
zLnw%HMnmcrT~+wCxV~5hCSF8}v)DngN?3Zs3@3u<#UTMn$!ggnDe_%~m7sj;S#@0#
zP1kG@kLp78ts3-eBUkHt^>oAEa|AofLrjSXKJ4%#ict^=OLo@wO$E20Y4E1?jq02B
zd_OPo$B5$PiK80K&3mqAKMjs^{e=Af@%x_d8Q(X-?Zp7MQf_&{&5t*Kj)3x5jSMm7
z*(0@MHp}oISCEfHl;|kmGJahwlKMZJI_+q*Wze3T&Kz`Q(uEh@x#+>IFJHa*>mxuv
zetHWwP^iH|3=(FDd`5_rD8g`g{Unbcj8xEAg^gF#L`6(cOp@Y~l{8stQ<XAB8Poje
zH&K33&aYzpp@P4Z_oqt!QALW%{uO7ISTohLP;K+nG)G+v)G}8c^EI?Y6Du^;(i*L;
z)5=;_I;v{Ac(XOKOaqH0SgM(onp<V3Z3OV4P`KG~PF94SpTHspVw<=*dSGhsoZcL<
ziwU@xs@u`ROpntmC7Qh8KTR(9&g0DsPqz<Xn#b3xMSA?Yrjz0EFldKM05^lF$XXNG
zcY7^^y6;V_UgfD+(?<k5>(OLBZ<d?WRg&l<94HChs_D@>2eEa)`4o8-s=5az*`yz#
zP{K=HHnk0z21xU8rHQM4L8BLzBt=zI&8Dcc=ylXdQAEAxk>~jrmMW*jmn8i>iUQJ4
z=jv_ey7TEZRAUy=vvS*RBcG@sR|x#TA&wPeTh`oXMVIpvq7%K+?VCu25JaJr@hazb
zAk50Ekpp7sMkZID2<Us0`T>oH+}9N>rQ|{!a?+C%y~W<qLDtK6LF~Wi=-!sPRhZ>D
zM}E)m(|<V!;*K_#K2Khe8A(H2tUGR9gp)00A6x6pDmxq@2lb`*Z;du2VfL?Tp`ZUn
zUcLP-UMgEFT%{2o-Prc%%b;a5H7X+jCYrF8$!wl7`n*j()a>o}YL{EvI`Y-(n3JCx
zH~DaNUt>rQ(6lwjvXN;j*fBvSLP8?d-D*^lKa)mm)yj=H+)3F=l5nFa2|w$@VpaBq
zn9WqES=r{#aDc8BC(cKo7&C3AI=ZiapGaB)L|d~@I-L0J<Q=WTA?#Uy&1wtU#S2;(
zUg0uUPt>IpKX0r@9Ac4!ia6}S$)1xirjyXVY_lxk=Brn1$G$eY;=7Nu>gL1S1X_mm
zK<pXZTXNHG$w}_svk&H;$8iVQtnH6le?&?$N8KHXQ%Y>?;0Y6(_g}2;%azpFcr*91
z)7Ac?IOIWHmLwm$;lp7FyzS|qz-Y-%=-7dD;0re&!*+7^;mQd~Q`42_wqI;(_4j4%
z4MYlldM4O$wAMeHyItOxx7Y=?JbCL#S%s6OmKEZ+yVBZ7@mr~7rDS4pHWz|K*8DA!
zzFBt8JY7+J?HD&o+?wy{+_N?IE+WaGy}sb0`npM3FZCVbZJ(LSJIQkBZ_+jo&gXMn
zixcLa;!R>&R?N;XV{4+-hrD6=UWh*W9*oq$i{QD|3ML9gtDHJ0IZbuLt~HaLKIy+O
zJE1gcgh5!;LwOGkyI`w(F(!bt@D?eaXBDn}St2{kFEY*5<a`+C*l^V&L>5hn%j?fk
zF$SA=w-k+Ie$I8nrkn&42%S++Z|32niXtttg6_X3z+P~U5hhyZR_KMkoQxw@3l(E@
zZjK%87M;stLReim%_e%~M2ov02L-Pcuoy@|Vgu2!Bv-84RsnPB)!bpM`0rp|Vs}?K
z$w#$U!lFA3@|EOb(b_eOgZ1@GEL_8OER0Ww0Vk(&rZSRebEAswxJe%hRcdTbKYkHj
ze#dmcGtE$@3^D!x$_+}^-OWMh==>l_4|njMxsm<884I*dpTAum@NG}ydSBv}rF~0A
zVY#s!<XN`p1B?DQo#5?e?RPgqvPKAW?q0kR>i)MhzVuRFXkrSaCn=|URB{N6p%Q!j
z)`enmB*9H$>c9vl6R1~2t*}0?7OnOBK~SNGqvpB*Ci&$TEWomK&+KW$d~&d8K5-hJ
zjcCHDDHUhl?d7bRf>L2n8DpL>x9~OoVX-XTsR{ihSIf_bG$4R753vpYzDZ4WOI?fR
z3E<)ngt;<`r9-0ZN$WZjk~Oh@iQT8bK*1`5Z<J#RZu6TKio=$3+dN<z6+hs2oGTWb
zS04>zCr=Gyld(@S2G}yHmaXymWNQZ@{qV?!%HbDOU6YoIQLt4Z^t1uOFXmI`qrapf
zOK2{wQ)>2VfMq>v@WfHw&tUrcUA@^Z3b{_(TZ)v1(`mkltXG;ZZK%8^{c*zLT-jN0
zMhgLSE7V?qUf3eBuY1Q?fQ_6>m+RItFaA`Dt0&+u<Ltr)jH9Ca{EmfUVHEZSqH)2t
zP$-gDWz3+@tHo>meh7I;uTvzEfbc&ez_Rp3vkadV5DVF%oB-b5-EmA9J}q1u-)c8n
zWc_+Qyakj%Sw;l1gvv|8sr5uYL)C%n!I$hcH9zcWwIYy+>xwhgP@E-ji@fdcJ~eH>
zX<1*-^F>4BD_vG5)g)nay%_<xu`HD<<Y1Z50WmU-O1#DCG>l1}f9{}A9iD-(!}yXJ
zQM~*DYsj(%F%86u2YKMPk*{n1(Y!tdG${SJNHZCF2w7B9T{Z%jXCY8r>P6(C(DQd@
zCPd(){fqv?9&nQ<e4P&*_4%J%j9#Y#H>tq?=G`rk+hX9hSon)OSAf#095ZEjR+VQC
z8Nd&YDmE&?Na1qz5u9QJrx9|{Xcy<)ut@9eW9tHJiof4#D)WJZU(K_jwcV@MM|xMx
zGp;}0+CKZO;a7#)N6(!P)5PW!#2Hbqz|?G{Q5+f~QF#8_=8IyDmmr2R{og=unc6zF
zRESA%34m4iHJ_uFnGw630QFKdfP~TyspWG{SUwxRrs)0Ck$SuPoR!a`>uDq(#BMY%
z+}PW9!=9+S&N>?dohWTVCz-d|C9?&suHVZ#iA7#BSHR#qN6nTVJ=?$}`1|`uf*6|t
zg%ly_i##xjluV^xV;1W|{gQ{Ib1=-iijXeU%n_wFfO{rui4>c(O-1o)DdfO+0Zg+2
z3Eg_E#a3^wBa-csHi+UGCs2^SgI^M<55J~;tIPL@b-ZTW=U4xpg|v1TG*~)K(Lin|
zhb^T~Hmy++K5C4It<44R)7Q($-*a?jE*wt9B-2evrhSLP%cLPZ9v$|w<Vp{V21k<G
zdzcEf@B@kDeIZXJTIwjoyFU)rz9I*N9rDusK=c~Y2u}JqTp2>826RSPsfYAp5`-t3
z_#|MfMQTYS&7irtwz;We*6V@pkO3hdPDmq+L~qjr6_B+T)XoJ~oCTQwrS-GldxJWM
zujuS+EnWk<(+O4eq3<H<(>GrEsa<O>b%LUsB@(+R44=k^XtipMn4s*#>$t2{GtL!+
zS%-BTi73MmB%6bg{@G#3U>uC1Sp@E%8*<Rm4OFrpQj>goDxIcGicbxt1Z=b4X38S~
zea6|y^>RDbJb8-I4ayvKf@FqS<rcp*N9p-%Q%Lty@s0OF*e@q=6q*w06T9M;Djlpo
z#^mri8<W#tU+3t!y@Jcsxp4qZQ?~Y~M2w&=xMICw!y(-v2E)#j=|QQ3cCTMOt_1O~
z0~ygm84N7W;GW|($mjwXy%3o_2Zo+=?X&JR_kv-`$sdkDw?Fmv6$=N!nu8wc_W-Bq
zUf-@==U+MmEy%Prfu`oVrj}oun?3`SN6Iw~9Y68Z+p4@dd!k$`y;U7cY|;x1&dDs{
zZ%e?O;38b`sj@!FsDK`+tbEzL^4IiA=;4aWC*)8#=kf>dagRbU+L)y)eH|MR_ip2(
zr=!ol-?=R(y+bU%Yd``Bs~}IxqwzRCa^|?~fJDd&WO>Ne)Thv=tC7|4Pg`J}PNviq
z)UWiSsAO_5u{Szey?LcYxyH6e-x5=Z2b*B8LSTmag*v$v#M3F~htdvd`)#rg8DQD4
zFJUn+V=*6NupjN@;AQzGR_w>F<5Pf#gb$4{AaL6n&@1G58Y}np=?)sa2VaPTOUFTw
zhuGpoW0|nm;KFcaK&skm?}@j<V5@$sL+J^vKnZr}>2I7bP|L<0WipTAIJJE%-XLqE
zypx#kP^iz$ul#2oY67iowM~s3ZLRg-<;JaoZ?N?#JS*0NYsLSIU75zQ>>QAl2jrll
zTnVu`zBR8KE&sCrrJlL1mS%B7ym~1Xltu@8E1McBdRfy#t^FXXtMjK!FPM0t!`a-^
z<R>j?jVHREL^l@j_SPA~_lCI{E&udR*z(`1*XGwP-e$ZF8hhW?SH5)5e(u3r2!BO`
zdZC->)GzCFUeS$oRiS-1U&`VJlAg^W{WOc!SxHBW%95?p7U!*giYqEp%7XLB7EUFi
zEO>XUkGt2-W%?-=%*^Cn>q6}GD0Nn1G3dkDyoP>65{5FRfdIpY@;fHgmn>vIoyRh3
z#ZI4?dG@Xh=RBb-;K1jTI)#)zS#~V6JT1QCOsXTl8fo#SXxMCtnBg-jVb3B9083!m
z4`=fj`bn{>(;UZWJ&T3<DW<9;+`x)@7Tfew%w2wlN1o|(zF_rx&-1VUFn+-qEvk->
zu*Qe8*~|2kT+&aIs$b;1{y*1M4tub^o+Tso|D=<CTzc6Pkd5EVT+BSq(gbm~sT^iu
ziw|e98u}^zR+&7&HZ%8|^d$?2x+v8#Daak5_NKk;6t_jskUF&6O96IUC9Rs`RM@k#
zpF|sahLoARJx<^als#v23eyfS7r(Zdewe$on}^{&`(N6DLx-;xvU{WRo@3X0W*xi&
zJd~?ZvhA3>z*9J`Wv>c{kW5&<W2Cs(!jU+Xc2n%_B!k!P<9ddr>IhHpXKlYl3C^X9
zfFbXV=il4d-pj#^1D_-D_HT#P-*~EwWn3*kO4^vF&hh^fGfF@uf*UP7Y0#d8HkBsM
zq*UA{Q(rS&`Qc+yMd!l@*e$7p{DzD4y$RLRBl@n`?Vg2P{$77U-(!_JNK&~vX0N$!
z{ftBMoDu1kV$<TktO}#*)wqZEA68EL_{PVd&OXc&H2<TI6Fv^n0RVZR#%iZ(+9U$2
zjH+6#maaf+UAnjIIH6{Mrry6B2~fS$HEp2AsilVGz7VLJXn%P`t7R?5l+$dCGhC@m
zIn_yMJkj0HV}j_V+iHO|x!>`e04dM`&t1>sEC(1IY-`w0an9M{r|xwU>M3<fl^~;%
zqf-6)5_C49g`5KJNkP-Ny^hVNOZlJ&$`m2FjEhZ;|A&owu6HnL?1}(_Je>d}Nb8~o
z6%8n3v>5^-y4~lVWe*RBwpm-iXqxK}5ztU&a>zm(Ljg)piYLt&P2Ij5<;MxRt1iQ;
z#Z~!6g|2!+>!W@pYEZf88tzcr)$PEpF4HyI0jr>Y|4>DSsJdGW`nsfr`*>s^H}^Z9
z4UmYs-a~sHW0?~5KM|YSMfH)CP3j(XQa6-?timmA3w7=zMeB3o&|ry?ZM{0kRWHT0
z=J4ZCDi`wA`=IyudL27J7Y0B)6h(;}lBr%Yajo(H(5RTfss$m5>dyp=H>rOqSmaUE
zY`ySBT?So(Rd+?pCFSD%TEx?L5d!s9y#)R5wqsGyNUDYmZJF<PU2I0i=~`#URB320
z8_3g8I6z`{eP1p7{ZH{WF5vq&niOAA`^E2w!?`yi|Erk$J8KN~f4W-TSo*R(-M<hz
z_m5V-;MLu=F4>{}+56gokJkTb(OP_d<@1N$d)1%zTC;QX9hf}kb*u(^O9Q%Lrs1Q;
zWK(%lq3QKzL5s09*7{r<qwR3}eEXLj#*RC??&!vL&vk#@W9nt}F7z$$8}IuNcNljG
zpTxgN;1f;~ONpP7w4__f81fuNLRp|Lrw&u!rDbR@(>e5`%->la)+1~jZ-KvDa9UU{
z%n4r-9}xd9eW(9!d6Rs#{A-0-aj)vIwpqJI`=!pHzu7Qt_`oPLo-?g54Vm6GU$Q)5
z9kjk>W7&?|fjwn^$$@ufov*@t_>_z4e!@fY?DhQZ{nr=vJ?*CkR|UTc8AJDmTO;Vm
zeB|4xHMTqUcRUb(G=WcSOZ=StHf2rSn{G>Q$gneqGZ(Uv?D<?Q_gtQl-;w_||83zw
zv9g#cK04qTykV$r=)2+g@I52Skyl3BMrTLw9IF}&k3BQa9?y-xH=&uhezIk9dh+%u
z>D2SnrPK21>FGyiFf(H_M`zB@4$QtgCz)HCcgh185b%Ei>}!ekwM75div;KdFlgZo
z4~~8!DMgnc#X@9|(2W`+GEp`LQHem>_7g<yG`#3_jJ;7ATcoi@db@oW3-dc;Niz_h
zrxY9RbJ6Mgw4e2oLl_YvKww9<nN<~?EXz#juiRZTXbVe=eK4wx1fxKeSxO?m4N4mY
z8dI!W#Qz$@F_D_q42q+x0ZdG6{u`ySVkk<65HEK!0EClkU3oU}KEP0`IyBIcTa3~0
z{N{82-x1<1Q7A!_TJ`zn&~Qjz+ki%``(*$M&)@oqSB^td9o0X~#kIpTFA!*~Q-P<G
zG1*$+@~3l(yw<V^0l{oKxw~Y*42>;}shJP5Y$)@mqd->5x;To6naJGi>tDO7J=;b+
z1T}?<#3_8}BEC84;<|8*>0poFj3D9$6N8DtB*AzU1923C7{wqC0o|A!z%DBgb%(~D
zL&#9VFvG2E;IpjYn8C6@$tenInDRXEX(t4PZ2$@+Km>Srgud1Dg&-e!n8w{mKUJ^;
zkLyui7IqyqlcGUmQz|NNCIBi*OcN#qQJN}xwEzr8LUcY2qwTroY4&302`+%cHxxk`
zd&`CUKGTfxj;-AeL|j_-X35A`eTcPRTUR*}(#1+t_jevVrk3nqe9M<oxc}NW)*gX7
zNd0kr6sf)T(y98ABAZE}W_J{CY`Oiaj)^*W20|8XBT__CO#~eQV#ma8%9G!inp_e1
z6~wp|Iui1+-);_``B*!wWRNs0%tO2QW;q&dE*@VC!cOX)^B^hAVJ5E}lv4V@g?q67
zuL1s-Wf|u6_J>Hb2j{7A9}`%1;ePJGb4f9MA<!%=O9a0ZSel}hq|AzF$<(2}psQKq
ziRRT)Q{1aUGk48^BxIAiF14v~bf-qisqLsXYWdf02b3@gNmLF#x3c)Ve(jzr$iIH|
z7@00ll7MNjPiEMHx)67CVQyd-S@@;Bxp%ZGeV5WEcyN_#+h)71O+62Jcaq)<-&vEn
z<y_?ED0k7*9MHPUOV&$G1Wh8bX-m+2E|IPwa#-IZD(Rjv3_sE&HBhXOO@}%A{(`Z1
zcIb)IFoAz3pSts90%UYx#M%Uh)oS7}qK(qzs^0d<lB$YhK7CpdjdE*h^p%x)iJtih
z=ctyS5vVQ$R}ne`*3B`1K#rR|hoJHy;`k^AnLOfW)84E?oRyuw?3u3`mnU_Mo;l;f
zrH#ieUqBbKcXEfPc%9WeyVEpNt2YZ82o%ey`SmKS4I_S1XX|8tG=JQqznJz+hWUn-
zotFylR6t;p58$T~h$>&tlD1&^Dree@>ZtJ^H)RYY!!;Vbm<Hi|3neJfK=?S&`gQOe
zh!VBL5JF}su>*j>fndP+SRTre<G%Oec3M-E!FnF1h|XeS1Zda@&~Uc^6&fWdvo{bq
zzV9Sqy4KV?>)#FiSt;Xhe~*ROR}dD1W{^!Y`)Dv?S_Yi<^N2iyH>BVJ3rwG(89GQd
zgqYwgpNkQfKlad|EIF4ImHh`1Rqe^%7gcC$F>`l1Sr9w<onHK_#S(FGWd{^NAf!^8
z{3%3j$$xL>xP4hk)Yy~QhPWAFOETHrh*_Xd?@mpxLPY;G3v((3d(&MnCbrKyXXT;M
zPMBi~<Ivre55fqSL8nGZ4#o!7cn)kL4Eqpbg@S8<jjaWeDES=`nfX~F@+=T}Ziwu_
z2unJCI^(3<oxb?5V=i~-ineqp%4Qx)m?}&Y$7-exB~*?=h`i0wM9ia0HNn0qyGC}s
zGpFtTi&uX{kEzId%EI`8!rL<L7B__mvV~M3*Kw3)KC9<#70zmWLpOAu;B^-ndvtkj
zhII7v5rB$VdP}+S+w%pz+^?ti%xilRexMScL7#ad{);K~S7$)5%Em1#uco5jbXl6q
z_vCi|S63%A$0}c`UCcGj^^8o9!+$<V{^-S)nuflz(d#WyeG}|C@n5f1XuyatB09xH
z0~*kP1~ec6kEd0P22WH|e*@Qw7-yZYfebnk#|4uo>Gb&+$qnBB>tA1cNZ;JP1368_
zjV-obg<RYrP-Gk;g^YdOl}%<IxF|>%V}N5HHmCs*%<v*QSU}mL^pO{sfu*dF9C<RD
z6+w{BHDBcA0ilRfKJuE-qO@28@NiuW6^a`R>t2mB7luru4yj+z3w2d54zAP-^kUuC
zi}gaiP@e@Ii1T={c3phc^m&)lq2`n;%Au5!#nX9jR~BTWP>sE7f~Q%V!3cN)In!K(
zg1S~#RW(=_dklkygg{noY**h2Zu`{M`g-%zkw1-lTH00)DT!?F>54I0X&xBaJYg&W
zl+E>UsHb|RsT3~F7pPN6>_(R!O+)MbA|R`EI!z_9Nudm2>SVy>c10OjP^}Btf4ycq
z-yW_l=*oea<lFIc|6>QHKV;)1*+64kqK9<XZF@28|8j|-nj9QB-?)$$2|i+~wI&xA
zrv8hPv0!p);*0)E;5YnXH<BSm5BksdGvVR`5sxUrCh*7F>N0n49}BX?R?7qCb?e*8
z>VjK(68PZ<)jJZDg&7T<UtP0v84tL(xQo1DBf-U;;MmUjBq%nLb6IeaVgQl#WH@bP
zrr_CO<zzL9vlr$%6Dmv4FvP-V7l(}*AY%ugwHq1saF$E0TQ}07^b2Hra9BEC|LppF
zCbyl@ZAk9|d~D0wUg*YH=Rz0;N04!>rsGx;?Zsk*(g}nM;8eTHP-yn6#FV@ZF-jKW
zqK<4kQS^>%`;dk5;*{{-BpNXk)v<03XjZdW6qWK*H#aR;92U0QJF7P9_@>pvGNiw=
zz_T~(D`uxAeLy8MRmISdKNN=}Mx_dc89x_Qwv>)ppdo>^5m(v-O+dkYmh0H8HJI+9
z^o1vajqxBb_HNql$Z!T25a_#+Ei?@qxjj)1Gr??BD)Z4v#T2Q0o*)$-3Y+7ML1<za
z8)gBz9;}-dj0tU<9E=Q2!kwlVFXBRVvI$`Eu2Jg5v+tNr>-<c=K(fStQ=EyjXwJ`r
z&ymcL5n`armwe80Da4zp!Hj&4v|WoErVP*|WA<$uC$D)WpxvBXji*6G*eul=bJtSv
zk(9lN+uf`+drm!F{+GFCUXUV7tYIb71aY5<V|>0TDhPqAj}y-5rsYphYVpx}E;Y8|
z1d2VUeKnnZDDAJBGoGw`Hpw4<yu6^lH~UPnNC`f?M6(PODK(jL+`jw&h&J+r1GTj?
z^Uu{UpC8E+C7~P1&iYh8*_)FiN}dGju87);axhTVfgIHvKu{TLlj5uMv2wpe0SE7$
zAD~nyCwS4n6ir}AVl|f(;P@35nbS%g6}>=?f#@z#9{9lMeJ$Apv)&uA5bvA*Xbkmh
z<z_p`DOAc^Rv5A@%C9tePkfsm%q?g4M|Hvqqn=tu0mi@R@NEGrtN-abL2zLjrCcH$
zPq0A+fIvYHOAbwkiVSkP6DYEU3<zNJRVWV#s+U6Qsq<IwcB5~QUu2aD7=yxuU`QAe
zjZyX0RK`DV*mTnJ!VVB-N2~0{QQY*7JrB;_v9<6hwt3wu?_M3@-=E!j=J>Uvw~N4!
zpI_w{ybKuCPlDFi&0s27=m=~JO~1+WvXQ`yPu19Yy;ezLy018q!!Bnq`<g7PxQ3c1
zgxX{fuO^Cv$9@$iRY;~c#~{Y~fQ)|ZgoGW**_uE;I!!-^^3@s0D4#}|YM!9TO^ZqS
zN%-fKI@j|6e0L^&vf$^ZeK#aWgA?p9N1(@XIYp9hR2mP;53oUWA!Gnc+_ogaC$CU|
zV*<hiX?Bp|1g3@GLdfE7m>7y06p99@!C`P19Eutog053cOv(ePAH@h!8+<)&$1nm+
ztS|E*a;5^N!c9nZR}FN@m@Ra13F<Kp51kEbN*&YCd1vq-=cW~eE^qwR*}J$&Phd`D
zI`QPK_c?1Oe`jxkw^~PnQ};1v_xlg7Uca}A#u&qn$MUYy8hgrdbTOgZlBnaf??%vF
zkzrByhwU#K=41XT;HP>AHtVeVsa(z-SV{LCllm8^QAsu-C$@p_3tI~U5H!U6VY7|~
zPVks*&Pdp}GG9@<1E)h22@z#J3Sdg4Y<AGs@jf>Hbg}W{Widz+K`ZWr`j7l}7lW2^
z+V`d3#gU)q^ORCQv9HeJ{eAMJhq)Su-;n(9?EulMb(RBKqF<c*I@7Ijm`H9upx{ck
zRw9m2B2nFv9YYNw4kZX@Z2wJ4(gx1L8?!h6c4x#A4aaCp9OZf5q$I<n5Z5TW3qdbe
zC`_DJR8ZfEkb+iPlX%ScAn|F$zyS<6_xk@PV^8VTQ2DnY=_lm=KKy3gGJLba_%#xb
zT?bGN+1(M~=?|xH3R2rc?O1A1^AuJ4t0ljV_?6@n<l_RpxteKyMA-b8-GlE10KyJ|
zeFy-Y{+3s29(t?wa{br$RSk*(nZWv;OV&Z0;vvpK&mRG&sBw&nCDQ3tEy65NysD)E
zCASe$;?KbWU_e#)RY0>K2pnTg8zV1_9qNRXs1Z>Vtw%voMNbrk<cfDyM;llVd|cHQ
z;NFi70h{^!fi4TjU<$&)3jBy*mrCS{bvT#=izoc-S=g@dyR##SA%uhw8p0|q;&S6C
z|F9PUA>@iyu23GzHhbDEf9poQ4!H=;FKAbwM{@SHF2?iDR6nq}F0`AlasToY$MN2{
zJ>|+QwyGx)3?k--gKqQMJ7+Y$@fI%Qd<Z2P9h?NSsJOrcr)E;HmXe$`0>iE1rc=cl
zphSp>*Ieitr()-?&S!uq5j|NZ=oR@rCl`Kx&97I?*wokqixIsOyDf;taQs=OpJB;<
ze3iG1eg#uYS&U9{E><pUmeUR*6k|=cR0ODLuBD;%GXN7;pG>EBh`?*%!^~y?0Fc<%
zktK_utv2pYAhJT}E^^e7qrwygc=5DkBgb(ZQ#Yf?z)9SxS%fLT<X~KMRuW^vWTBEN
zz{DYvy^OONbttF-6i%=2sQ1ZcYX;p<CMhf0rCyH7D;aD|qeHic+Tmd52co5ySQk}o
zQ?hel2xs1}YJU%U5t;irEK-c=oyQ}ivx3>}Y94cf7!lnt#_}`zD6Ai_X0Z-mIkAU@
z%>DR+Cj<>LN;u7IOW7F`wC|3o_?^se(ed8-D3(D5hSlgcFeRm=DXi7VCa9spZi9jV
zprV)r3R=4Lts~beAn38m03MBD?umX(DdSBEjG}PGQo?wXl07P_0fOPH%?1SJT)6V#
zyNDNu#xMyRk^LLbd|+s($qE(5fOLZQEF0p^?KllKj;BK!K>Y+ygyb-vL`4p+u2qrq
zX@{oefGE+lkfNEyp9IQe8q4*z$%?kfPG0o=iC^Lu7smyxeKz7R&i=!Aos`*#MOc|z
z5~8Z4lWKxbRfc-YRwFWMMHG=}jb2)coOVa`3WJL8`dCNVK?joo$@`O}4Xcam*gGtI
z^p+&B+#IAvBq6m6p+HB{_1mqv!=06-DjSzGI`Ena=xzXn&mQV4@YdzJ!J8DgX8ZPr
zIc9SSI9_Fv<1?TIPmq~1+U?{iDXa2ih|Hs35M|*zHFexMC?!IxSTQbn;HO4zNL+`)
z8(@|HrjKs5jYf-`$&+0fIcX>U<7GKo3V)uVD*=K!42mre{O>XYXCY0ECKVWKIOH*0
zMuew;Vt^%wpobv=vV;&M=oR_12oiDJ6IF_yNP{H>4dXyX<3PoF6a<A==oSqZWm2Gt
z=#M*BMlbeT&Y<lnr4ZKjGKQpLTv7=j${LtSR5csMuo1XS+TZ~_rVnHjoA${<F%~;0
zUbi(?QRY+l8X1G_D;C)#*X|=4rKG`@VD5QgmBNy_&vh29*ssoZcAOvcrF}aU?sN+0
zS9d@iSlrOIrwSt6ln!Tw$wBE12aWlV9z&csSAs&vN|aOp=Nw?10&{+XhTl#`(iqJ2
z$M_fYav~UY@BE8uUx*CD?L)Ra<4oQxv%;ciH1$MCVdFgwiINxKfDHf71jH`fMT-wJ
zN6F^^;}jXM!o<%8TK_zR(-?bjkT^of93^gm!C?~y10;nthtQ6@(o^P2m|I|ON9XN{
zxdAGf8)2@5$)Ni(=pE(Vrk)8y-=ec^r(g$7T;dx?sL<|Hyx|LoRL#(I>*F<b)N=F<
zsv;|5k>w;w(a7PFAW!d|+PcmN5Qh+y&dj_Nl@LRWK|qm&PvKHo7nAE65XdIAd#RB1
zg%C{jE;^>IzLV-}h*h^v#Bu<#2~Dp%;1E7K#Nd_soGWwFB~}>Bcrxu>JjlJJ@P@Av
z>JJ`RzUGjQEvONNo_xjzvremp$x)Tc6$|LaqOuW>xZc~>EJw5huR;Y&!g6|gEt4;y
zW*eK!xaDfmQt3cnQ{N56?`u^mUMeP_S94VmRd4KRiZ=|%G%A1I{h~_j{8~C9N(&a{
zwNueyW!tMgS*C}VW#{3DSDQMutLGh33KTWxtS#8Cw-lE(g<KtQOuZ_3BXy+))@^&3
zIg{n=6#SXiQQS0)1g|c>jBq}&o)}`poQy~;aC}dI9*a5l<bEtGm)gy35p4cBClQG5
zYG<w%GYghgT}mQAb<PrqDie>PMyJ^AoPsaTd*LlE2M(ZiTg+FU&OIK@ws#GgLD0Bs
zkYQS*hmyzTcMgo_5n<)h2zoqSf3xqUthIS!E*cvIZ{S$e1Q)z~yymqezoCgKin~SR
zw=pcyd$jA{TIrbxz@;^dqnS<fRyU*>4j``o5H=3{Zg%3`Mm9>TT}$gsOqd?23kgI)
zqxX+@TVD^gpC|yM&%I*?c?#a{`YrRp#P|p)RGPCKk)xV)f=3tic*-N<H7sFCXt9DL
zqD_gS^))P_M|Il)If)^o#0mj15E`x{bjN=tLE|)3H^0j&eud)TKv4}{q|o3WkP}1h
z&WGs#3UK+&2~Z>vB8yTh!Kp2)8?FXdoEfyiz%gX-VFdNkI&{UhI@Nii5&a+NP7JX3
zL$<(6VF#JEFYP<|@v&`RTQZ2Ru6;Xc2iFw}Y;C>tnP6Kh%DnH9*`*}#-VZJ!YHOz^
zV`9`pI&e@9BfOOUUWMoXGG+CVf;pd{C;wfk-FYS%1DMU#K3^_hI!$F0N$jR8tt}Zp
za_Tt(CA55g8X-Tqg6YJF&$CF6R|Vl}GJ?;mCVGiP3HCI{rZHIBjm2WPdaw7A+~5RU
zaB2#3d_EO81!jTYDo2yCk9t8?Q=$h%ahFLiCQyyj2T!8K|Fqk%7w3EVe%QO^T}FD@
z;3W^I-^-!Nu7-w7MEoip?eC5u?-lmWD}apX&#Pw1K0HavprJC#L}Uiyk*uJ&9|;%U
zc_)oKf>^#qg>Q^6YN-A5WSX9f#b;g*-gVr_SIsk1X}B>HNhT5V1{U*>l^<Jp5^7%m
z?JU-ds@#JycOXqd#bb!Gh4(Q4$&eD^$q_S!yAlq`7W09li3ra<NN;3@3Ku+0D8F2)
zgaT=G;iZ5$IKky#$`eHR#y$FA3JnSi05AfGXtBNoK}pzJ2#HaoLsXL%ui+k0CM;Mu
zJKK`1n$)dU09?Vxtboj>49k_KY`3}%p^l*>;7|)f5Ja(Gov90Who~r`&cY0M%(0<C
z70XU{wVUr15^*X>9h^@zO|j5VRv+*KQ8y_@uJ^&S*^&lcwNLGEX4hSTNw2sZ%k4(d
zQAvOo?@uIwV(meMII;DNtN<)RUM&S(R;E%xl(S<gn$%|&u~x}W+yuy4eeo?M9|9P6
zAV~&8foCfLuXjX;iUIEY3R%)BYjm=O5J+^3d=~)#F~XtiLq@^7@nmH2Lx9GhlJSt)
zZ`pzEM9ueLDQr)GStUP(xxiRS%or%vMh~Rdo`DvkF@8A{S7=a>-9laz%l7i$(Il>=
zkB>aKB2SYV6i%JaJ|V_Ly$QxdV5(^tsHvu6Vq&<yAn<C*f?tkPbYAMR-J0G$v;{^z
z#8^auh@PwCbgfCywj4pn$`#SQS!B8#b&ax!PC8Nu-Y%Es`tY4fKw~Fo*3de09{)$^
z|5l?L*LuI+-u@qat3-bC4O-#cS5l{T`i-DH(AV0bZ+7(lVQ;lkKq*D^TrB7e&j<){
zF+!TQl*fERlsdn;kTYD`2{7sZH&m2jrO>r35sE~#Y>Y-%V|q{Q9y%@LHZ=2_&2lYm
zOaIf+B6?98y&yTZr|fCqltPvL_v!31d@|LvBH2P!ci{=3hcf8?B&OwmYxG`jM2Rp>
zJh_r%{2x1TMWupwjGIv87F4NWTED;(Kt%8X5+tO=`#1#zU>`>a#WO@;2r*;EC9-hY
zhk==aN-C)oNGd6-l1hewO4o!qAtKXy?r1uBqU$Vf#(1V47<3`%6Ji3HP-BuBE_ThV
zPK-fu3Q`mjNNd_y{r~BD`@gGK<6jhb6`J(mRW+4c{*2>={;A_t&_jWB^sXLQSAwKC
zsb?txk8A{9K{@4OzXt{&WqLvKJIN^!G_IWE+gu}5@iHbxC(N(_P1Kw{w0Vl0z*Yi#
zRCy&9!8r>lwC7vx8J6~hL;`Y*J_!YPVg39ixG}F}0G@AAwpKuosvM)8Erfu>6{|#0
zC?Ro-MHI*|#RN)bvVty<ka3qLg$Y3^r2^_im~M@g5#K;sEfZ-On0L20+LZ4HdieFr
z?>&vbMG68hyAZ2lGfMy0s=D;x;loE#p~oJN+&j2RJ{Nk|?c&+8*mT@_f(a2~)?!t*
zAi$x8L_UoVKFl*{IzNF`4I4ufn#E`a)Od=|;BkMu=o*L)`@9N&qlBfw15|iF4Sa>r
za_BmYVgG3i$B8yxB+1Aq@#7#&&;+@7YINdz7=V4N@`WHDc_`zJ^#^*B-lR7NH|q_0
zgWjk&nr-MM407cvDBhe!!6xL*<$+wv6P1_=+zF)$FJgxhn-7&WeTQ!*3!Ruo0V_Jx
z#e?RA^&&1vJQxy-U9H~Okfz<X6-8B>Ylda1vZ=BnPBKko#ad2Z%Co#?Ikrt2ntiwi
z>CKa?vgS<DDwU3WNR0_`GE2)za@N_z7_45H=3wZx9+n7Jx2Kdi+CUL4x?S3OZH$Nr
zQyruD*e6!UU@`7FgivRNI%DK5n#Al{v30a1ZzkQY3c3+DBAHfIp}c);;<yWZJ+r-a
zVn*s*=6T6LQl=(G-%OsHHxv8CTi}n`rpZgerufz_c<yyPG}d!*YT(&9J|RZ%&~3TV
zB=612RqSTj$PnE)6EiQZI_cD+S=xe8L*{qVjitCi-y5yH+{B;T6E$uBE4L%Dzpw@C
zn$y9?zSZ&Vr7ohAt~=kb@|3fOrqv$dts66uha4GOak$WRns@n+M=gm*kglgnwc~0f
zMNkzaqz<$@#JSA6S|Dn1NRxL>oRF(1Yt5#7O2pFHQ(b{nF13V}f9xYxqL0U_EONV|
zYS#74cJ<JwLtA(KypFeavt!$|V<4NSX^xsD6ld3>TuDNe;6ds*%i`!wzEkx`%npx`
z<c!a&bRGWrc+!G^b}w|K{GKpG;f9eyCQyTDK573FgLK)hl$QMc|IdXn`?|=q%gcIM
zwzaMLF7%mhh6TAFvzHHdXFFvw*(^yi-lv3O?B+8h@Xz`uUv4Dkg>o$yM%%16q%&Pf
z7B5p=*#e<bYA2e4^l}>GIrO;z2GC5hEh?F_L$a8Wz<MZWpxjI@LJWgcHN6!^E9U!?
zNftz{BV~UBRO%(z{0UmL7o=Dd<#eXl|Be_B7+PI`PU-<fv~nU!mf{Kj@iQ-ZgT*vR
zpatW?aK!^{#g-rNDd$NC88KRM6($V)phoqSPZ8u^L+~7LaS}nWqX6vT{2d-m)%iL{
z=LK_hhR)VmI#*Nl*CkX{T(wL2rh5*Xo@kpGOjJW@V|Ja!5)+u@Re3XI;zCHbm7Y(E
zaLUtID#k&C;Pc)^YtGH&rL#<qsq-8^=Vhnc)h@xOMm7$3%8kUi&$z=z?O3ntq97X{
z>*H2zqI6x%Nd?11PQvTh<R#~}`bF;>Hp9@jGgIMNw2p9BZSQJq;^(_tTF}I{&t(l!
z5<(^01Ld^k?0u?p%Dq6bzRAG0%Xejbv89gFbcoWp;K1We*Dl@G&@C}Jw&=+3b6TCW
z)gIcD)^HRRbIz01y>9+An8f~$V=$q`oo$?>NfIi+h&HBPNJ(;EU#8CI)_u8gbnmNQ
z9tSr~N?dz9nY^%cV>-RNfzR`w(-&^Z3PZT#Dv{4_?c^E)lcBYIT#dWtKZxHu`?#!6
z!Hpc<>Dh}H!znJCG_JR|A7@0;xI&uxr}8F&ZWl?Vb9kMmSFapjW@;!k6ghn*&&V?6
znnS~L*R>^`8^s<ZHg7t|g`4>v706y0{ba!XRl@xNvii(%d--&84HOmvDrb%8cy8vF
z`apWm>t}uLcBGBk*FUWBKD>3K`svd`fr+{=U!vndmnb!Yh<r@mJBKECXTEVRHZi4+
zL80-!o2R5GjlOid8<txxnFR;sj+w<@ZE@Cm!9gP&fpQQYG`J(P)Ra2Sw;yuBIs!8a
z<LhZtW+D!OdSY%UeY!v-l<jCsrY6m^+|_8N^Rx4dyN8=|q%Z8&9Iw}LTBgZf*>zjn
ztozPiZd;w-3j%9i*~{yzn|m&|P`aq`{&u4G-i;A~dxdekJ3B6%sdzr^Wahz3pF_5=
z3;wuU;~0!LGea(KXQCnq>(3_DMtq)4GhcYIO-+hT>UMoU?X)DJgnvymd;C7l+W=iW
zv7ty~AVio8^O)aWlXcrwgoPE|`>FXjeH`BMpg>n>N%xy|!}<B#m8|PL+v$w_Rt|Qa
z){CpN@}`IwqXsMH*I}H_+p(;Wzd-ZiOM)r&5u(-vGf*O`BF33h4ALhaEdeJBX{%pG
zcVFH_>uWs<ad67b|4cNE^Bog~^8!>X_y3WVIXg(>x8EwAy2e@Bk9cTP2*Q<*g-mHb
zjr^`{(W#RgU}hI%R5}G(keT!frfuuJ3un%VXy7t<?L)CUcquh%#xOl*hPrHICMqdW
zQ4~-TEUo~~f_+bf>rw~va4$UN0*q!Jl@JP1>MRoLJ%`rhq9iIsE&V7ZXFc;$tHOf_
z{ns*}0>*jfxJHHvC%BOYFQ$WJ6R)O+W{efig72gR!E|cxf*C?*bT*jPj`p;rLoI20
z3)c-k*Bc03xLD1L)Ma}|5h~Edm2gp9DqCJ<GZYlVP=w{4yphyoeVyxqDUoi%i<<EM
zJA$a{iYzM{GCA=CU6-{Kp7Kk}W@kmNr(?>vDq5e32w~2_j}@<j9sCkEfnq9^TY5%C
zBuD^hmYIc=Qq)4;8e?oAl4)^UZw+HKGnprghuVibZ1QaCZL5fiGuvSvtH_eFy`-dt
z=(EYOXjKq9?7^^6$ha)An%0dJ=P9qMetwv&x1Mcc``BEN*hcf5Yy3f@_Vk;Q(A6xV
zSeKgY<T{%?iFk_$m#>~P)frA31~nE1VN8cP0v;I&G*Sf(scNwb1m#13sUAZ3hi)3C
zmeFZSW5Yda#b|1#E(IrIb0M|CaxS12`7<U1E{tLk2uUS)!IPg(tZ_SS;P)c2B$dxv
z$_A!^!PPsl2;VE;BoMQziIQeJu7JvZ|ND!GlR$>hgHyK}ScHObHhC9j(VYRD0{t@K
zNL!qu>DRLd(+KLByN3olw<gYp9keU}19N{j&6C5B@eop!sA%yZ1>Q*mx<o)Nz!Z4;
zVo4+l5(SBd(8DC#gp`;tb#)(kfqJL+Q-Bgxz7P_8<e`dB>Bn^4EJD{hXA^DclFsUq
zF6o+==h6|^R5K*bk|0zPyi@gCzgL}7ml3P={L>l_DFRlB)Lu5(N#~hIB6gDLxk+T>
zZArC*q*!g;vg!AHi)WDS4H0=ZQe~x{tiq*a9By5Gsqd@0h!9Y5QA-GJP2pB^!v=>m
z!lWRfuXB2M=oRs#mLuh@5|yB(?t5+opseBX`6!BP=#aEDw#AEn*qvdFc4-EOc>c-C
z!8u+cmpfjlIh*O@ZE7pC)~K_BTvN_~l%D=eIs1)ZPk{Tc>n*6ysn+Y-G<@=zB68h4
zDiR&qeT9kYNk*uK>s|KoLxxdXx1KrdKY9h*zp*xFnoEx2p4Ep>Y<hR+c)f^oLN!<7
z=Xfo{0E^#kM4hO8&VG&{M{0L0$F@KEEg&VRziX9b%0=JKXC4PL*EH5bh-A*pqGy~*
z#N3M1Q#TaO8_T}#48oELm|4aVDC~XdcJcMnf~#t9jrX#ePLvu+U`~2~!eb>63H8)m
zjAhcNVpRZ%^nx?dX{$LV<eY1|Su+bE1g@FVe#9r0!Dc>-jf)ukSP7D#f#l9uo}tWP
zIE-Y{6*9|8GNg=$a~4Ry4E7KW%)_!?rsxb8Cto@mq$4Qyk_5nGtJu@l4#}Jt-H{Ei
zr?UmI4&G&t4^f&g8CWTR*43WadXlZBSwKTGQ;DXl$JGe@)ChO)h9T_ODPM||*Dxwx
z^lAvqq~S37)Ja7Do8V$UfqWWTt7Gc3V;!(=$5il-;uql?_(gCTui@MH0=|YX;+uDT
z{0jFD4RziVz_z(B;b$*pF_c5jT%Lw{i$12&u^b0hqhnB^@Sg!MOZ30Lip_lHUdUqc
zUH!_;=BeiAeJrELcKG(a(de<SM0QV)ZphfZ&C_01yj@$SA=8Pr<NQz<&*N!hnfBlN
z1$EDWb|)vd+8NOM;FWrMJ!N-W!5tXtyeEKdQ*ZtE;jEr=3;%S;mf#!sCS1p7Z|F*@
z#h38qT*fk-A_-W8H!m_0DqJNGZtLif+Is+3TR#-tTvkO=Ru9KyG-PdRWXnk9vGvf@
zRiZhhn+_&_Y1^_+Kux6T7Se3`@sxqYHd|M?^pX%YrJVedt9r|+vQTi?FlHpXK@%Hv
zn+V~TE;1}1+Y81+y%Nc=!f~G{TX@61Y_d3|Fz>q(Tv6wFx{5d7-oCsfUQb;-&&;}r
zjo$vbXDCL70#<UN#`X0}5yMKteH`-9%&1zPXqmP?%LTQH!a`2us<kR!xBFaU=3IU;
zpw4Y*DZbBFAA6mxL0fwfyp5B3YQJ#F-afk-Q{VeW1z`W^f?QXZnKOqmA*@_ZBKBUJ
zaaAA%te||?bm^1fJ(+d%d1Wpo<^9;1lQpNVX=9)qi>BZm&e1d|fHN~_wK70fx%bM7
zD1JgtjYE(g=p@F-5|V9@C(l(~r6GG201m}pC9Bk``r*>4T_Z`QSiRHM5}yL6GCZn?
ziZD(v0M$ZQGZkRbjw^YT>HE}x0CEykg+@Ol7T(7|Y??3K`3R9ZYWQ*T(LC%LREMmM
zlxh#439ls`a#b{pF*px_B*2pJ7zuB8fgZZn&|>vE^$kpGiSUt!!quy0A{n3?i4251
zhpM+jrwH8N07VFV+#>E+5fefb<XMC;<ruFB!9wu|w-C_NkH0U@9d0LX$Wy^B6yXV1
zE=3VOjRqJ048A?z^_&}D!q@Q?d=($yYx&)0K+H}`5ImKSWXTomgAOLy;U%6k71cnH
zEiPT=1+#EmxRRPguyu#zrW6*U^?_+Qq;1m}RTaozQPXt;ebB+N48zh?J?5lMt!fZ+
z(YPD#F-0UwLtazfb~=&NjX*XxyVe2B`2`%;P))&rc{i_35f}>qG*;uS+BL;h-;bK>
ze<k1g81a;yXw`Lf*nFe*+Es_`&fM$*!R4YBKmTet%y@SIQ(lT)z!6_*eS`I3264qZ
zIBDCSst7lvnCI+rU6GeHR2r=nLXqFZnu+M~zFJ^-rQW<If!g;HAczp18Sil-!Z~}*
zP+T+l*#3hT>`t`XmZz=#22*3+%1zbxsG6V3$f(#`!kuTP8L&z!>eGr<dbku&yG7~|
zY8=mKU?QqPV(|D<M5es;lw+=w;q#<d9v)y-0fVfR?KHPMA_6!Cd&Uaqj6>91s3Xr-
z_+9`-z?2~->h%(d<gl9aKXYSyujb3>%!XY8<*lmu5rZQ4VW<(KU5^nLO(3A*@=U=&
z)K$+$+B(7<90C)#GvJ(en?Pp{E5K<X>f9W*DtIrc$`6=wSBtIE*8$g{3W8W=luDRy
zCY*Y4*9|w|zr}xo{|f#R{~7*c{1^Do@jLM!4EJk>6OJ1~j)UoI;HBK&M;RKD)94bG
zrw2z}zcB;WO@GcT_r2^@-OO^(sZ}AugYuaVnCQBkIa=$yy^vI#P)%(&*Cph<Zh2i#
zR2RiFR=Y2oA1GWO!3`$pPj#OLJ!3<x)U}<8zQ#bsn%T}3bd=Qa0pVUg<}lm6?SNK#
z7|!ZrhNf(EF@IJk_yoChCPTZk*g#N?Rp70tak(o^*0$5cssu?+$(lcg1wEy#G-YzV
zCvZ}DhQ~HL`+u}WQ>vkRqI$eB#wM6bDJ4Z;?a6(13ET=3b007!7Fl{$I#rjRwtn+6
z(oov-1~Ep8_SMA2i1x7B_;Sk?@||{&Cu8^cwxi3|ZO>O3Nr^}^EaY|yOVe_#lq{yb
z)OuMV_>em1`jm(5s=#5pso>gR?VT8b{4bYu%^ciPKb15R0ux?scFuZ|bXKBm@Pv9x
z3g)#Bgtw5|&o;dIb7dV=^vNfWUB)ZJFLy$w5xunNTDfRZ)Knvzy{ap3&ncN?)x9>|
z?ex1POOX=MB&rb#vptTNQ;W=V2dxc+(VDa5wjd~~3Q6s|VmRMQneTO1lH)=nfxJkp
zc6^d*ymXe?yCxu_5L}#fo-pnX)<<aqwB8Qw?YZdb>szVM_73Ep#<6K#IHQ&vDnnSK
zF#&S3tR&8zq)e$Z2J=!sRsilB7@#mEoV9#q3&4s{jZuNvCKx1mZz4xYV1|i6UWr&T
zA#AWLpyoPA0L7YVPmfDbCSnk-4aS=q&PvM?ORFry#ks}8N`{rrP_Sf?W6~rxpR9|r
zks)<`GA_kLq8!(CgM4O{6!j8X6j6Yg&TzSoio3Vf^SoEa(vJ^4_U4MWIjaK$d7U7Q
zkHK^^!|$U`Cp99Nh4GEJ`Upiz!JlfbTW!|}piXT=rI&s#uvFnXqF4hhCFSR6Q!Ujz
zDmrJd6>AGYMo(&F);VQXouqUuWl?doW=By(XrfrNJ;#C>fQ|DVl_QLYf=#k%N)mOQ
zMQKs0aAzW<G<P$F4ZJA76@uUjGeVpJ%e{RaS49Ny1Ubj)cbE)WKKE|f#WAu{f<>vD
zwXyMeA6QUHT`@S?7H)T3fKi2}>>&~6exgb9GR#iS8-Nfy<nu=#qWP-}08@eq@~@J!
zMTJB;CSM2<&^@Ger#NkfMZ2Y6_DmX|LCa}A2NjseslhUk!{hW;DoOy7!s2a$Gf3+J
zcO&LQOs(v?@1K58^{7N-r@jF<Gwd_NzVqbhGs6qWfb7BLWFRWMkTtyc^$N(F6OqZ8
zV}InS%;9}Rh7<LX=OYgi32f%j0|W=anJ^&j@cKG!YeSnsQ%hRavU;Wf_1w2HKF)Dk
z8$W6e0_?3e!8oGg4g^ss<r-C7KTEGQ*k(1-uqd9`un(ISD#d&{lS`NL*$tr`4(H@h
zhVkJ@lCoSWmxp#p+(^I?MGwXStF&2XI0TzgafM6A69RqV?Ixxj6NLQ#kGrY;Q_-xs
zE0--=0PY)H^86VLDg4c81g9%}wPuHzlx3Z~STU`mtB0)H^4%|cuKp0BVlq{5bKvo;
z-kDoE#K0{=c|LQRd;&aObv@}}{*0I2Wrlv+)=wjEB3gxNxE89M($2EN%5l%YwFVh;
zuG4ZMg-x0T!r}vUlxDFP%~Jv^VQJE{?qa6Y^_=dIBQef}qG%B<kn8mZ==IB1+kUQ?
zP+`w$8!Q%#U+ARpCR#>MsAfRc)7exUvdy=eG+Qtd4b|E2W%lEph?j&lu5i1p4FTt{
z9<&ggiTxgH+ezM9OO>YWY|hDL7bmdvjF0VJn2}>mcgGtx5h-Cl?IFE{h`=pq;_>Za
zw<nIp1p*eXJE^&rCmtYJY5=oL%q-zM#&vzlmp{`3ev+k80~7o!7Z!DL4Vmju%O*{u
zs8izO>(9F(p^yKYJ!QT9a6XsKTN)M(hqLX$*^Tic%f4gMBi9I<OSQG-)nKTDyk)~7
z28G3tDO@VM8Zm8>`O5P(MFl1*q=E}WI!Mc2rzDBC5`+r#a=PTyZ@CygKKa^VCdMDD
zl2#cOe|$o;nk`jYr)L=_1c+8nxn=<`b5M*a#TXB0JG*(-(Qb@>mAt5e6L{#x4H}l5
zx-rQUTL!aSgtuq_WBxDmae~OowLw*i%W`WJqHk3iB8x%OAKvCz1~~V#^0$HaHF1}7
z-|ayz`;;Hy{TmRUSq)3blSYY)?PR6KM9CnQPeA=XAmGmxhCEYG>i``i^n`1V$2cD2
zIF8{s#Bm(Qw+F}ZE%1b(o2!Ik!%b9d9JBG<WDlaxLdSybN%Q1@z(5EIR;jp@=Y<6>
zP*bPMUn~suhb%@Ov4g7VCt^ngcNpfs3Mc&;MlJu1%cJN+#8UF8!S%T0*DyT1#Q15T
z4GFO*WDaW`&^QV32CRo<5Mm=F2fT*MAvP93Jqwd{R`5w`F#x2!E#Rh7WTsWx2O4TB
znxOael9GCDjmywFg|uY);dCvt*sY7A)MRMWL`tTN$alc$G*^k>-6GQPwc&nYeN>H)
zs6vuZTHIX995^?!JWa%_wt}x0Dhl-sx|!o%X%W2y?JK;m6y9&j?3_axu^K^?aw$Dk
zk#J6RRREwqtzovtqY+&aHiiK4R6#;{PL<*V5&PL_h_oqf3!jWR!>mbD>N%QvdR8~#
z9{lJZw)tTgLfMZ>u?M7PAOJC^Wltj~CMEV9(E*V-<R40j@W)Sa390Hx2B-^IUy{4t
zRWy|gMkQU$>;Nv|>P!`&8o~mPhs1!#Lr8>h(2$mwQ%)1nUJTI6%Q*J{r|9`)vnvWV
zB$%F%SbEbqq1-Yj4w75KV+Y19zm_-@Zi%<;|IDe96i>3zdL-3=G{N_1WV9QBa0L4P
zGg|$ZVn@rUrQ$5J|7PcXrkp7u_Nr2*Cm6bB`vkCB-y5kODf-~%LEk+9hjUO0i3-l)
zQJfBm3KpffAOH*7i9{=sPdMM{;ITc0VN^v^Bo7Tjd4e?3#?cT(V(5~V1~0UnZbX^%
z`uFN+*ZIfjQIo_MvYfe0XWsm#IJ46H6%{1mB26yNC=*W~_K915zYUVB;%f%_3tPBY
zE2AV1TSlQ!eNraE6oV_Yu%8W*mwQzH*wA<d6D!X#5MyInLJ$dp80!5W_(rdO0{M@i
z;j#Wc{K>xp-}Dp0;Ru@xz(CPJK8-pTS^sM3f>_}*TvYXaLrFIew_zHZG!YCi+?LPX
zmHYwfjw5_>wtuV6y*|YUX)MLi;QTFo##64Vz@X7ln)Rr*26PoMf51c|fc$3tHxz8>
z&#~vf6@JtI1rl#P=z-?o@qqs!A?8Wl7B`sa7}hoLnJrzj@t8l?8eMk8FG2nZcKu@<
z`X7QHz)v)6@N-zdfr_%^)lm5b+<-zD+QDs_=qUT$1F(>-f|>qE;(p9u5E6!lmpjo3
zhQfWO6<iL;KwZ%|i=>oSQgia{TaZA!assdU4iYQBQ`ZdLIYI-K{}lM2s$dYFnY9Nc
zz+)eOJ?`N}d>R&U2X}D?&*Rg$tBK;;5V%#G^1@$omeAK(P#J|=NwtLQC+h2IX)+%v
zZ1Ak88mg{oDqe3W0-uEK`QHmw6*F9JG&kekFY>4cWD3?8unbc1s@yY3Ih|AEc(gTl
zZf_@Y`Sk9#U_P+jC3m86xKx|n*N0)9@3nZLqGN`driBo`Zrfa6T;1AQ3pf=xS1ZgT
zai0nt#LKbDs!PqzxJ(Yc2c=5v6GS!}Jz$Y4c|;tA(g>7+_6)f%frqF8sA>_YF)78N
z>K6AFGx9jktQC3`K1M=C-aFVt%nm4l9*3b@P;7LeeZdM1t_yK#;V1*hzxUJ%RS$~0
z2&fz*1W@FI%mGn;vaGOKtMWywAV=DxQTv%}aS;2UIO$XMyr|SS$6_6pec1MCfD_!p
zCD`T(ERSHG6Bs&35{hyKN;@HtxC((oyaW{r7zpGAa*S{Q4Z=b=M-iTO<mRo=c^&E?
z7;07f+SHELwd)A%$Mfli$mhHe`!ba$n_vdd_)b_|at2LCU`t{BMCNsKxQX3KxY`C3
z-bh;mK=ti#3=l6;2vNXpE|wKG1?VWZfgRi5%(yHOZ}K^BmsEE|K`GYQlm(88eo-4^
zQYMKPseFztgGVe>%PgB>p~Lz~ZH!4wbF0N;N+Q{3f04k&QxW5*jR`3uZL&}f0)jen
z?8^A&Dza0y-Rg{WE%JEgNUsue-Aa8q)ti-+&3X!Hi&SO=I1sZ9LshnmRjdBEwIW?8
zs@N~yN}N#<?ZJ{fWo*y;LOkGeXg0xncpIO?=R#bBG||WRm>sQppczog)+7`O;wst~
zH(T1z&LA&##<dRmjdkR1P#1R%Lse}}Y+fXbbL2T`=##F347O48q%sA09fo$3*)5Uo
z$&ll<T$rR<U|Wt1wa_=O(5jy0D4%>C+_0pRhMKRpDoMFGp15er4{f_x4BMStVk3%8
zPWDn~hj)u0Pz!F5+dfC1N<4T&*|55(VtI~*kKWS+;gS~yFUhN#461%tjK`&;wav!l
z#<}3UsqOA@-6jNI@js~Y*4FW*+mvTN0XU-ZNq?2_T2R+t;U*L!s2WWw$><tHrDR)T
zMdiH{)%*Od$DT=JIEBWFfLbKwFKVY0q#;bd+o~rgEBh6p5x^4;B68bq%qb}36?PKp
z0xm*Cen_=Qy{0h2@fV*LNZ-BtW}cn^DFY}45p?F=Nk1*9Z*gdA^es=MFuyeh-W0~a
z@etlaTsa)!hBNAC2!4%$e~j~f039yT2za!lzSwCDq)xNhg6%=)j}GPJ;4qd7sR3Xg
zGjlgcQ~k8?T0mVRC4no>HAr>zJiIq*vTeXFQwM+08*Ln%E*{a4M<cI6&5k?|t_t{z
z@yyJWjVECW*KiXzaSb<dGs-B_bK6W&GAx>uV4E;85I@HWR-SFtBEiPqmY0!`O(ayB
zYVsuE_&k@8q-F|qt<EL5=u60cj=NwYvRApFOq5kI#SNMKXj6B_<2#A%ogE!<*{E^Y
zEeq2@3i(60TO2sT-fjrrbnaYy>GsM>I^SMF5{J5XAr40JpJUEix`Tv^393IT=Z!)y
zbTRn+Nf>)1@(=?iUB^k}qG&7zo)3{GJaQ1<?4W?)mon)b)My@7n|gb@?m5@mr&A`z
zywn}@V;Ok>uqW*`xY~2s1RmoogzD^#QQ6`!MIpF{Ky-EDQba!MBr@AIT8u-2>8`N#
zqsD((B_j%K^KQ07v%tOVKwW0==Rb!giqit11C@G60wE>71%MGw!C?~~9H9t20%9x7
z!!ZB`0lq`)_cW;qO#}%IXjsD<Q?JG>o`NNJ4UiC05JW^>Z|6yKT(q1%(?yY38n=00
zhGC=!%Dmf=z-hS5p_TVV_xb(|4Uuc>uUmL>5ER?*Y}fUtl8(G=l|@mOB@vmojAJ;v
z-5SWXid?<fXf#)<?Bx}%RA&Cl1qsqgF0t`&GlUcNe59J5_AONrulb_3ifVMIZ5ckj
zCZ@Je!hE%Mw-}v>1i+&8xw5xy=cGuj?2oa*XgjmjI1H}UOQmCTCi6k;RH%;uSsHZA
zsM+qq6O9iYaTv@+biV$GVfvvqVnUXV3T=zL`)RqjzccmZlij%7$y9UcTs~iuA&af4
za^~G!CiUxfZ>}S%x@Cybi0-(_eCV-~c*vJwu3K$C%h<JxZ#;e9+)GmY_#k3CSQH!G
z+PalF+pE5(!P=r;+N+jWXgQP(sA;Yd-fY*dr@Ww0b)hL|7TH+dunBBP`@6VnXq}}l
zN49en*$HeUm>7}kCES4#O?oIUE|dV3#=XmEN?5m>#)WgljhTU<@U|j_IB^n~HRiww
z%zcpuzg93tP}3N2pw^;eM!B?6qytARK1n=u!c+`0?*!x*`@nV5`4zM^1!EeJF^xL3
zvPo~;WdHt>cQOJ%z|1{Er)>>_fPN4ZvnL!FC{pm@&KTzRsgnf{-?t{+k0;k0Zz^r`
z(d*|eeQ=i=iL9yOp%_rgDnm|anq;}<R3Aiy3Ljb~1O?AgR!u@%2Gvn`+Saw1MH&p_
z{(l$J{`smkOiP!Al_Kmm9O3@CqrbwAI#@$f>U2WXZ8`&Re$2xnp%0v7{OqvCsuNSv
z<3kKIQB1+9Xj*jlnuVWqYn<%fDN=tz3dt89HEBe395V^5K1?r$)bu=-zx!!fG<lt9
z$c=)8lG~(H!P4Pj0^U?9fnEljrvYajuJv0;w0~Kl<T~ljCK(wePJj?VFfhpU8=s^>
zIrwRYpohbD@edGgzMW8B${{B*@Ci@^k~+N@lws<XPZm@SmyIZznV!4qQRHe$W13b`
zBXt(A+|StzVVL+nkz#;3K+Je!`5g>Fc5dNvAdohMd9KdYYjvt_p|EcC(aHW6jAnJL
zMzR#3N<Q(Gxg~o~A0ltLW;1fCPdi=5>$CXnOPPe*ueK*i+~Wr>uHUkIDfH~lW6=kC
z>}@@XV}6AdnNrGin!eDY+l{*m7s~S*Xrx&tPv`#eYD+z3<i65v-nCpadu{C$T-46h
z>`B98C>QwI7N}_v0I$oc3YR*u7f~^Bd&dAF+FZ%NR?Dm-b;o-iDQ~3K8GthBI2*<$
zYSV1{=V0#3CGSOY^Il{fqM4X9-iC=pVl-4dmOZYKJ2~&XA<xtJ={GzxifOP{-^{&F
z*T-X1tO~%@4RDR4jeJo6KmCY?R*u<L3p-Gu8*I$qFaXBvrF9*w)_Y*R#lw5cC;ZT{
zaZ$W#?Eu?)8qWD^=+a!{$=Clbd?G(^Vz?vqb0Sq09exTn<Tp-C#ECc&r^*R=4Q`BL
zRr2-}@B;3>GqOlgZF+vaEEz<0c4Mrp?$bF&OIwCF^RMiWWY=pj=W^kBhDDb&IZ>&j
z$vn-%4puEhT0ZWj?B*H*PBxw?01JcbfJ+cQdF#5;VFmaxOl-Aw&eXM0CM=D|*vMB+
z$`9#&OH&_&-CLvMVYD4?#ZsU~`|WfbYToQBFT^l8jAblr0e=|qykJmVeW%y4Xp7GQ
zbEfRH&%Y(je1G5TE2<At&|xFIsmU^iODP-)C<6=#%maGkje~KUy!}?YUSqlfGpCSw
z=dgWdcG71Iy)Gzp+VukhpwI?GO^#+ToAm;%OS^c<j>9alb7AY^I?B-))B(DI)a2S#
z>$Y!`zDUWW76~{rlOdNw*5t6Ri4HQ6NCFDi{11PZwCzy_KVZEjMTrJxaO`s&P}Q<`
zpY!1ZYDfYMB}4^~pDt9%##yBmldHJps`RDfJrcI0-n2Bw=h$Ch=frj$m^o74+wy@q
zFK8A?%TKbLDwv`L@8bI28~PMAPTGg(>vsTzt?&y1F%*Dtf)@G7IYRPPP7&XGIEsBS
z{mBXvBECvB4lmS{8fpZF8fvJah8k+nr0E*DwC^}hn_*d9mxdjz6M6%o-teHdY@FgS
zrk_EGmnptdOQ-1+UDM(897t7HD+)TYPAhFGQfAKOCm%xO^n~=0gOf>6qr12Suy^r%
zaB^2d``4`N)oL6LEA+36(7!B1@8~R{EWS<1pnn-R)IKx9S1K2PJ_^0R26|sS`nSb$
zFh){PQl*mX#$XAxW~ezwl?VC4^BG6(ET0tfPb@+&N}(5J&~tTFHMQ1J_%3Ev7i|b3
zdT|E5ID<xxJvtf&(IS!j#-BEyicU%Bw2X2idpnNC%&Qq+xm@z7O#PyVv$5Beiv~Rs
z@Fwo1M@%?5bO}9KMo*K7asSe+Nlg}5=O&zn;1L|=X}FaIEGMu&yY}NJudLSZ0*8_j
zAtk;B#11YXz`?=57f6b*1_m2dhpp6pJ0!CD1*={LWt9zBWtCM{*?Jc0SdgOkHDF(B
z+)7gBb<R8p1l&yfc42#+VbItBU3CLtJl+x3R+G=nmqeJfpiM1R{<mh+n2vruR_ULa
zjQ{vVkK}6Bz0sdlZlCyK9$G2%)4oYg!(0#w5D-x5YIgY;;tu#oy9cx)8`^;C_~KlV
za=tl6K)ZC~zKtzObEag7Z`f#3$W#NJ!dOtAyk-PNDSxOw4<jTH$Jk&%#$7mm+bOvC
z!UUc7AxPZczvclj_8p-DRZ48Q%pa2wbOt~JI%em6Nest^K-obJFko!9Hq8ok=%#R$
zNA%DKd^ilXPzxJSE2VuepBVjJK*h=d{(ir%vXeGvaOsdc6x0!}M3QwMxym=9TCG-e
z4Lxz}ST^*~qmg%a|LyOLpSo7m3H<sV-1OV|o0UxFaR==EAW)lGD)~tQGZO8myichJ
zRLL#e`eg;Hk|zpk8@P>|ncHyos7ZlQNjuv<zrwD`Icj(sJWPRiu!Lto!UB!~F*QsP
zB=S?`1iLOxfKMibl(-IrLV!Xj9ztL!V^eAWg%lfh;VFN*|97cdaSuCkzi@?n-i6?G
znH^;_1C5#}jD}7vIgwD8BT6W%Ohc3vdNiJ9okL?LU@hunmSf5QmFvsQ@%%P6A!KEA
zB(aH7DeFo^<EiW;?ANn#w^=xm%_|E!ADmKJo6`$pG}dZ(gcqtyF}o$`tLe5FDfvrr
zf4N7-2*K0|Z(QFv0$?d<H>>*7fe&FPOc^RX!{_G1^_{>y-UvWUdd;=SUciU}Y6CvA
zobTah4Z9Y-g-SHXE6~G<kPu1)%Or*(PeNV;Kv!Ji|5y72^)vtzgymY|#6sJ)vB>&r
zp&4|3EQvAnG91^dwFU|`I)52})V$d*;tvSA9B#E`;viM2*9&LOUE|}U&T!5#EI&9D
ze4$dSdh)@@?j8(+EB><&$}I=$(0A`N9Vv5W*|N>c>05{qAZkH*CQwl@%zC~yv+%IH
z8I5oiSD}h?IR5K9QLqT7rE6KP0|*15DY-D0+n9#<^mH&d^^dKcGiU7*{8cvcrOa7c
z^}PCGAVa((2b-tq+oGTS?6tSSSWV`w)Us?Ei|;KA2unZ%0i9Y91e8G;0~+j_j7vWH
z3{{FM-riapi&U|Xs-Z58Bc9<njT>BKh}i!`zAmkO1Azilx8K>OOGhNN4wedZRIWB0
z^{>w7-_y=CU2H~GU!)m{7&)7VsW~Q`%WG!u+1aj+Tgj@bcBU{->OT9Pe&DgPv%xQH
zZe9x_ezHqZ4-_-+8J4w~III#<js983j$HU^%`iwpdz*Qp`F8D-)mi}rI88wRF_-~l
zu0nFmI+H7Y?01PVIAFYBka5q#D@zV(Bcus@87|`--VbSEduH&N%3lMSmYoeSjRcu9
zJ3;n7au@`BSgws=zwD53O)6-#0C_|*%$&#OzM0BWfd#Sh%cJ%+*5OKaw$@>q*0aZS
zx`tlMU=b_lMvU%FJ@)6CR7opYZ^mLlfCYm$bDdRe_xmv@qgM7O=d><YgbnwNk8^@9
z`WviKv+{!AES)cwjqe;7o@bl4PuIIxo5kFcKA=Mm%y0I=8`{9FJ3&QtPp;11U~}h7
zjwSD%ZBGbVoqeK=dr#geP`4jN1!4@7Hq?PNDgTdny;P;U&9iJ6(%#z{Y0JkM_PJ$y
z^WF`}h(xQj*UVh#*7%u2vNQNB==h9@39)#Y%5_0@UEBHcMT^Z^7oCL@fJ#Qpk`?2*
z%dj$4S!*Y|ZUCLJmiKGCUF>3CcWle3FJed}l5)i{&z);#3zOdtTa9_8-Y^-CY0c~H
zedI?#v5-`hw}fi`7(T0tz$FrlwC%8_a4}S${<=F-aQ(<~`I~e$6Gkcy6Zdm^6nqB$
z7JSA1#S%I1h7>c5m-Iml1fwM=tpW0hHu&uf-JDp+D`F(6r`eSMX_wd!-yT2-;xSeH
z@kdkQTxjBiD?`ZaQYmC}^f^bKN{dr<zFO==ped#o#<S-lm>H)4J{1N%7wUHBd!Bd3
z$VTme_g#akxiOCVeX6=T$0ca$*f37)7C~Cy0WT@>R%e8lhgTNEYJ^g1YXhtate|D<
z5>Gxnx5mWsq}!9gHBi{b;y9e#darDnRY~PYGPK+WS&=j0nKk~&B#!%S2&h0Uor(qv
zxI#7VCK^PZSqTp$s@C25JiBNo7oP<sltFGPkQqZ5jQ@Le?exBoP%ns=@$X8Cc=g=~
zMl2<U++=FG_k81n!or9ufp6Rtqpma%?t>RKiLe*0UErqC^kz%Bz}gOx?^iDzlp~!{
z&~p?gP`SjVp<RS^C(y5x-sH&5sGl$!N0zH#^{ci}?XP;3RYWGxuan+#BW@U(je7TC
z_W2km7uRq<F5^)s-?m?x%$EQ~yBG{M!t&Ipz~mjGiFIE~IZY)e!5MF`_d8qtzhVQ{
zAL&&+q_inwlM~r7L_BE367VKY;v`N&5+`vICvg%daAJ`_KRoi_6LKIMhDih(UwoeD
zYgH&GOCl70>2P6!>;F{<)yv6R`*{%hs=|!tY3&?IV=Jhp(e@I{6ZE5W8OArcSvQVa
z!|7^b`9OMml=Z>j(y=#ng!Zq-%7*7~%WPl*nRJae$bBesC8{ZaDHw0qfx!%11^o^4
zppAp`fZ33MTOfeja2h`80+`KBZt#sKeAz}VhXV%yi#z{2CbxjhkuLhcu%+kXf4$K=
zD+r0;vtkTEddi-<fFnQAZ0U=8dG$oli~OHg!Q9Zf-p9^0K(K}7Lj@%1cd+j$Gv|u?
z%cm?t-Af<`INit65CLZ~)!GBNfNQr;qrq`k=ULbI4%OWGpdUo-Mo(l2DjP<ra~?{K
zw+2@9mzjo3M5vcbk}Rw0NJYCVI^!&YWPR<N)n)dQ_->Y^>1x&1Ej4bNs1oJ#L5tU>
z9Qe6G62jD21y155h)!Y&1}?$qb4kdhcW09I(*wo#Kh>xRGsz?~LB63}fr%mitR8AO
zhL8yGs1~&+0Un$gjJ<Gp!jGq1V?>-`6RJF>@RO`+N%mQ~F|&#pWlyz3xZf?GU+ra?
zKxwZ&z=7gjFH?^fT*Fg%ns?KsiFWxSVJol;VjH$Jap7za=M)8I8zG_xJzVXW*p!>f
zXP#eh&GOIU&KRPpF*)3u6)T}?lJw)=?96da$Rnp%thJSE`@x(L7}Lho@;ThV%P@{b
ztMay&%W?v+L@L7COc}Hk$&=OE$Cx+FTfo2kD={pZFO>SDM!Df+t1t+gD<^YVtJUgZ
zzlIh$L5|92I^k+jGKnwziCVNoA{;2#ZjymSYdC@*fgH&C5YSyfTAy0H<0*W44wnT;
zG#I^K19v3n{hprEZHzEuXI<OtiLUTw2@(IO#)`|4VASMjs#GagDyP@&A)+)Obe~<r
z&`a_onA=b-Wb8~P4d}2lUGKEj1706k9OnSNR}_FNPmf}H4}So%L~#^JQ%d|(*Br$#
zmaMA|^jZnZl@gb5b>&$eek1=hfRueb)wG5aw?`HA7ohnd3<^iPQdy;mo=^_<*1+O)
zuyI`9=K<E#dsz&jmSjF-VB*Dk!z&@O&oXj(7}OYT@2ZLb<F-~=TGB1Ek|pn_9*rl(
zZ!-+bvhBsxj;OcB=YVsAs-%Q<p^!OYQ)Iaqpgy07@(~ZuM%nM`L`9^mM0H860*zu<
zM!NkJYe-m1PTvkV9j(O`%aG5CZlX%0)GiV@q91r&{neEmcmH#!P_8$d%V|AksMF;t
zX+7^LLLq6af(nDGz(VkQN;Nwl6w2roRG>{rLFOt9(mgZUwcWyj$QnLDYYBeh!A2oT
zW?y!_AQ>PUY_Qo5g7vQNzmcm{@?wgi2~T}p@cL;ZIJ-m3ZV#2BmGKwHJ}ZwhG(Au>
zT0_Nk*Bv+2bpjWb+u+(gEr|?XyfEp{RLp=-c}e~!qK|vH2R&R<ryBK?q{%n(H`b1Z
z792Fm=cwkQsW<{84D2jkFdlf{8#QTjz$nd9?)MR`fMuJtT2mnMX|&2)d&tW$30}8{
zx>Dq&G!A@@Mf$XU#x+abb}JRdT)tSX7E`w`KACtW)1hITfY{jX$D#bhw4d|@DX8KS
zz=vNOP5WucsLa_EC-9va2Oc@t5kp~xO(a84aUs(RdZ8u=wL&VYrap^FtKpDG^9L$@
zpWh%cSdXStq<yB3CWJ7xW}D3L=$9l~`c<9ph=A(iey{;5i9-m(qE?ku)%<A5u94Sh
zeU9JbxWTN@Z%v+8XEn#X#^T#a{lmb2kWlat8k)QjIG-QFCZR||5Dvb1YW@cpj!mOi
zbodEl7=Cb}ezKF%pKaXFXZ51XVFKS2tIDS;dPWMt*K+upV#x>hT2A9Dny|MqxaBsw
zW!d`JDquc|fFO8byPOX3w_1<52Ql|;R{4hT;7)z^O<mphpf;Z0eBS(!^KC6n`#6WE
z9=@GG(bZVxJj{e+qs;LAx?B(InZ|M2Xt9oL7UQv5>FIjfQBLoNW%R0@P<fUqqHaZI
zQZSW*=?|neE;V_9idAIIH)jSn(1sw}Ze4_I&SN*&$>ry%oI4pV8C_aDnz)S@QIT+b
zs$yq+gGuB1c4fYf<ur`}T^_8FrDGZ{tX}UvC`$w0^OGRGPb!_pZzq>LJx!aC$plNU
ztNbg6s~11_)*qJ%C`X3q8`VTJV+nVzm^A1i57G_)6n?#QxaCXVp-}EgnD5~@M6uGG
z93B3g(W225SZC(9SE9+USW&_ZseQ=K_&$OehEURbXEJ>d4hPrgOZ|eN^C8~PpBZ9U
z;A|8_^I?9ZoQNfpjpZGy5;-Vqf`T(Iemd<gEgB}^Vc>EK+=`5*w1PQ7PZAGURaJqW
zY<&3q;hn#HGQT!^<lUpu8%GygKuGCLyfiF*dwe&4>d7S9pFdI}GC6fmUl1G<9}wG0
zkBOXQv90u&h`SY#6z(EVvYPVte>C+h96av8qw#1Mjfde5+!6k+z>1wV?^(q*{O=AQ
z5!>*;J6ui{+wea|qHjeah4aUpj3jennCeM?MJCU?I4cl97fbD*D*oTuTlx*xv`2jK
z*67F~%M0HWRmXEU_nY2Vdls;u01(h_<z@l;%mP?(6ol&YdPx<RP{+vg@uJ@U0qbeX
zwjL#+^;T@}bwvrvV{LPtN8x9RcmeRZ>4nDxqL$Z_fZ{_M@|DQ4lF*2T_Eia=cp7)z
zPr`frfwJ$>O~QL_q>OTN?ntgYcyH~d#s}Ij5dMLehJg1-SNc5=l)tDCeZW!@1qa|G
z@apa3f5eg{R|L!ld9CX1P{-?$;RdAjx*S6OT~xS-4f2^fes{=-l&f3fk_mj3UBy=e
zO5THusP~`E)cMHcbBPk~;V=b1Sf!-q2ih1RAE0Q0K43nkpuYx?YO?@2l#a!7ju*L6
zt7tPs)-XjT`qZ1+8lqKk$xpz~%RP7y%IED8Jy_|&n0lHf8{u&`aoz6jzd9ctCj{m*
z3YVOrQ6b0a6v{Y*N)fY=FHOruj60jy2$sc;lME&{c5>jhloONGkC*!^u50;&H$KMk
zVIz?*Ki&8-X~Um|X54JluYkmNAf-|TC8~l`ObE9?p`4h1!<axbKR!bS#0)YR7gLmz
zpfT-w)V0c0>|MacG@N-j`1N4pP8Q+ed^Hi1OsefDL$otlKP)U|Ku(4hm{cZ6F_WH=
zy(F1V?&^qayn2vF3YyI&BhCWQyNt!mtdtsz)3hMQzzBN6DA7h5HM)*c49ZYuu?z+q
zEi*L>I3~2zO$$eNN<FoSp!8AhL>o0!h8jw{aM3Y)ol62G-Kq_Rq>l+?bUM+fa8@m3
zcW0Mq>YAfVRNK;ZZ2jHUkx;6Zrs772424}YMkA+pVG~QA))m>Kr*xSq_EvpJKCdMf
zy3$0@vQcAwa}(p7$;d7A3Gs)P$TOy3QBg8vq@*Lqlb|ys3o~h*L6Q=xkJ2+A`LDc7
zpn&Hq(M0E;DTQ1@K;f9!c&x~vnBowpc!`T*{_8D1Y1B;C`R;rH4SfuwSSnY1q3rlX
zwT4}9H1S%KQ~1-q@^#@h!R%azaDL%*cX5e$xwo=Px@NK3AlvlKO4M&VyUzZhbvaU<
z?mI@^pWna#c!JUY>!i}m-d#VN%NJORtR=Q`rCRf)ru9a%#o6w3xqAHp_t4kA?ZPvj
zOnGNP7|j>_%hh@#xZUlA4!%81sSH1R(#kLEzi;=)^EKLW$DeTGq^fS(t{=u}Ue;|t
z&g*{O@5geR8zd<XHo33ftL)SKZ$qibKHcVWUL76)uXsII<uAKDSN0FQnZ-Yy73o5>
zJWDj(gfPFRuf&J+X1J9meDu=phEY%JD~L*RSURDSANNKy1KNEP?V-t;Fz=2_zSba<
z;K-1LJBujxa|xGSo)E6bg$Z25c)NkPS+f!I*N%KKU#H`&DwT;_NkLf$S7dQ(RQY9t
zM$Mn)I587w8oiQM^;_s0-%{_^gYf8yRR4$RBy~KLBuv}4tjvF5t*(E`_9rjQY`6Ni
zP$XXjbf3L3I|=)07BULgry9<U5^~CT*HJ9vRw#j1C@r&_uLNn6AOr}6K|sQ2tVEDk
zC_Yd@1s3O{qFlR=saB{^M>||!Wj?9XC)-FnEMp+MXh)qKBjYHA=_3Yn+K7!fEYXD)
zT5yqz+`?OZlUw+R93uv2{WN|&V6a2<Q!cL2II=nzoR$Awt7Xsl0~=CIt77xd|1bUI
z!gAW=>dIAL?)Kg6`0QE&d6HAM2<~}?C1-Zj?vezluC7U>|Ei$*B~-4ZlP%g_J#X0S
X+@%Obd_<z<*3TETC3)`Q^LVxd%f^>I

literal 0
HcmV?d00001

diff --git a/site/fonts/fonts.css b/site/fonts/fonts.css
new file mode 100644
index 0000000..3f6f1ae
--- /dev/null
+++ b/site/fonts/fonts.css
@@ -0,0 +1,36 @@
+/* Self-hosted fonts — no external requests to Google */
+@font-face {
+  font-family: 'Instrument Serif';
+  font-style: normal;
+  font-weight: 400;
+  font-display: swap;
+  src: url(/fonts/instrument-serif-latin.woff2) format('woff2');
+}
+@font-face {
+  font-family: 'Instrument Serif';
+  font-style: italic;
+  font-weight: 400;
+  font-display: swap;
+  src: url(/fonts/instrument-serif-italic-latin.woff2) format('woff2');
+}
+@font-face {
+  font-family: 'DM Sans';
+  font-style: normal;
+  font-weight: 400 600;
+  font-display: swap;
+  src: url(/fonts/dm-sans-latin.woff2) format('woff2');
+}
+@font-face {
+  font-family: 'DM Sans';
+  font-style: italic;
+  font-weight: 400;
+  font-display: swap;
+  src: url(/fonts/dm-sans-italic-latin.woff2) format('woff2');
+}
+@font-face {
+  font-family: 'JetBrains Mono';
+  font-style: normal;
+  font-weight: 400 500;
+  font-display: swap;
+  src: url(/fonts/jetbrains-mono-latin.woff2) format('woff2');
+}
diff --git a/site/fonts/instrument-serif-italic-latin.woff2 b/site/fonts/instrument-serif-italic-latin.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..dd21ed1685aaefd7726a4a90c0e787860cfa6a3d
GIT binary patch
literal 8444
zcmV<YAOqibPew8T0RR9103iGT4gdfE08Xp`03f0O0RR9100000000000000000000
z0000Qf(#p-b{v6x24Db$2oVSh+#JeX3xZkz0X7081BEaIAO(dW2Z{?DpF<VXZ9WKe
z2b?QfsY*svt_o39Fv^SnKPD$*h-ko^)(?$xJW;$h^SVv7i)avQ!=yTaPJ76e+(K?4
zB~-g0QH2FIyRVsTDv^WF^oSaP$KU+rf}l||TdP7|=vB9e|C7V7Xue6UJ3^CFwDLT8
zd%u<Kl9ZEfkf$*Q8AM&e>4xXG`F}1Y+zXd#1uQ^XKro6>#0tbn6f?K!vRt$-tyivJ
z?8UNQez*R<%I!tk{{aF33FPD6|4B}7ALI|%D?nVqO#lqcb16PVu#TX)H4wX@;p?Bz
z=ddA`IT*7^ohGl+Dp~Fm!zNV@{O7to3=8nutb$P4;SzuwU+uRq1#kG>beeZkppgRk
zHHOet7W*oPE#ikel-s@txALLciVRdRWJ8TJb!~11w;S5h3wrPoC{_J_&gtJ)m;s(|
zoj@>llxGt=K-U5YfG7S?H7}R7E=h+TR;<dg{@1;@AXu=16a)&Q_33Sz?S4P)ouva=
zS$nL64-~?pu|v2HP(@TUi(dFzgCxUhZ9XE)0mTkUif?>!Ko<b400_EE8E#XiN}1F(
zVo^4Us*KSNeoRinom%%Xe~P{Kfs}Mxk9<WQp~N3~h<cHC9OpxvPUzHsAgK`X%fC=y
zpaA$U41@qe1cOkZAT&%6HZF*O7(_w>A`=P{P648#2GP=kL^6X|MT5jjgd{s4DK3aR
z1Co^s$uER>iXkQCkjiR^&kt#ChO~A-x_Th}1CRxaAj3-`%U3{Ft%GdX4B4_3vVA9H
z&mPmk+GiBj5#z9?O~ZmffZiZ@drZ6O_Yj~jxlEW9R!YwY=pNg4w*nLnpzhj>%&*;d
z>}&;}ZTSR(J)7noVCe#X!Rl|<I-4~kBA|i5fRHX7#Ec9tL?9jpGAOip7!+xF8x*vh
z14UH+018u{hX*?I0i8L3&P+gOGSC?tA6$!6Kj@ILf5@)e$ePO+?P;6k*+&Jpcgo9E
zfOwLJxwmd_ue2kKv8%QK?F>$;W7=Trrj^Cz2ikVWx9D%gI<;D}xA=_(V7~qw{h64|
z*c#qYEU|+bWB%c{%}?+nU-K#N^Jf2Lo~_68ojl1KOl=MUT-?9A&dtramgNjpKal&e
zN9~lA=_UUp6RdK!99W{i5cAY*8Ipk;9>CCk|9*EkD*lO=@dID+oQIoF0AA-sp61d1
z{omgSh|uL_P?*PH8a5M!xR~$cdC$pN-G~_)|Cv5Qdes~RR-T-_cENJvj<Mlz<AtEy
zuD&*7!6wKiQuMT|ac)enpB}f@V73~6wO<?#?FVk$s5LVFOKJ-rU}mMO%4%t4Vy!a)
zbvD#eWxSx=9$A*jHo+3NY{%}(UhL_oeb}?eE!b`D=6D(3#LsyRJDck<ck=|c$8*R)
z0Q?}4xfWNcn%G7m{4weQhkPBtzCkhAotc^ozCMy#)wq!l)e7AB3cj7fweY<Nk!cUQ
zizeZ`iDhhy#Y2J<@HN<1<uV^va8?6w1|ypeM(|5-01!X|0xB5bfD0i4Awe+0p@0Sk
zm|#IH5|Bh3?R`pBz5H^$42K)($VMIt;6W+MQG<Hgkjk()Vjuy{L1yYR8AL$Wbbu1a
z#}ur4ctGc61av06oE$z4gE+tMnC^Bsp!djLMlw7LSF`0;cgu8bz_zc0#o86@WV#0m
zZ4{A=tWzv`E!*hkN=>0S?5Q}eX$E8A$d8Yk&`kq93^BC7G-)Nw`bY2Dvh>x8R+T!l
zltP}+my?BSsRlPTp(Uiq9#D8wO){#@3dxmYJCxeZujg_;1?qgbKUrUyoC!!`kCe3W
zGOVYx*rhx9n2X9(BireaLWFGAhG_GT##vRk;*&;0<8SKHap*7oObV<Dy=h*VFbbm6
zOHG!|rk2`Q6*3D@^5mZ|bg7pG4ws@z?dBG2P91+KBs(_SRQI_XIqG>i!Ct~u?RkXV
zXreYJAF@!DR;rMu?W<B^3weMy8gVF&K}KFDrIYHSwM?1111}{y`qET0hpN&gX&}nA
z1#R}to_TQgs(!TKgDjayi$70UtD{rB1u1!rjhFv(f2CcUB(I@a9+=<~9;YON1Tus|
zfe7fR@pUtedaaBY5@*!F=i{$!)Ci;z_tMoXs}Dvfh!T<j2Moa&T<zoGNqK+)1{k2g
z0Rsv+fWe^Tw>7{577!pnHlk)yQbG{H1qmeJ0Ray>*a!fPQs3f`(ojWC;6VcxI4oX3
zNbLnAgv3Z`5d=1<z=97HA`ro{DLm6BRGgldkiY_b0qQ9CZK}=zX-S|!A5&Xvq4o~u
zTUj=&7nGYH7;p$#fKO@#6?XvyFf97}zImywtl{d*Vb(0>CfIoPMgzJ83}tEFKPGY7
z<)~=~KyvnR0|?fM?;Eq&_9HV17%Vx60<rfLGLJS{0;7>iLJas!Becgz;}lN@Yj6xJ
zP84`i-248300APHdOs+ZB%L=dPQ+$-AWutA&F3zTSx(A@h1#;h$-v&E|3cvu!4i^*
zFR+h$UVw2vVFsK95IuQ!XEqi|(v0Dt(Cov-%cs+F65(M;Bst(*1VGFXMsS2jMCc+i
zq9Q(0BO`L6B&xy}LvcHW8I@P^QG>8JEHUuJz_Gv=^LL!?902u&I1w0Op$ttJ!W`B}
zinPd%{3wswXpCFQyYK;QBgc?mPV_@MIF`+FzCH8*JNN(l|L*^<`2S4ciwk;MjL*qp
zQhC*C)vi--jQxYlx9r+8^~TZ9-izz|@G;53$|A@m%7+z_6g<ZmX!}#eP)1kER8CXE
zR>@V(QN>duQZMEg5~!1CmT3*q9;_`?N4PG99=UF%UbO+0eys(1i*y!78a7#CwAgBS
zyfv{_C9aFJI>B1o#*{6o?(G>n(|6!xn=OsD!m&AdgME{0D+KBW0k{C!0nk8Qz<dL8
zXFH(n0w7_EI8nvgHV8f8DiZ{RJgFY8Oj@VS$t}qWWHLEZs%+~N;oNfWW9A|{G-;EA
zHbJOy@=|Si%l40aI+9w526NKlDv2Q>1<L5S3<fQkY_(bpZOK|SU16d-=rT$&O3xst
z#J6*dLu7`8cp9oP>nsTt7rA9q(ffu>r?XMAgv{ZHt*pJgmi{y-5dJ3N7#w{^%P7s4
z_kJ}7NrC2_JWdn<+-`aDWIk=BCYl}AdHw3#Do<AF@|)tUSQc1Ir1y8sWU0lv!XSOb
z1MDL0h|qZ5iEFVpd(KnJ?~SGPi4)o~1bY|YK?7XGgS*_a`e0UP#_oPXM<6LR$gB1p
zbBu(sgf8E&wYjW;9F~Bj2V1(AAqO2Mk*AASvzmCj(K<AgAc)vZ5ou-TsxA%kHZ8AW
z?l{4jSF(GxTj$16kxresF}l|t0AnxVFj+X}EgFGL{l5R$F;AxcLY33}Qpb;nK+|TL
ziOOH9UN{6QV0;s;X)K8{s$&j^O!@F7lS!nGgNJSKeQmNVa_rDtsc2;8#-~jV-eZ!4
zlp+&7YkG3vKv-*hPbM(yQmS^a#66c~hD2>}RXAM3A9ul|ZEGqbJl(wx10f1Cm)~}v
z{ZZHAXd-IeSca%cW_4gUHSMZCs5p(JQ*RZ$4cIF<#T{{uyXOEZ9~4GohVLhhnx=05
zjnozAL|hHGkBXM&VHxrqTg|QObXUzOJiAGf?E*8j!8X)TY6ruL{Bz#N8ad~eZLO(D
zBZ1XJ!Asu=J=mU#xQgCaPLzc9?8(V?qn!XvQ}?H|53FJ33_GuCe^cX=xoDo(`z#Mh
zjoBM9DZ*pAiTrKe9C65KLfKO8=3ZshDvNe2AC@@My#a%iT@@;o)6P|nM&gU{On(B7
zs9MgJ>7u=d+>xG&wo233l@h)f-F{LhY~(o{!(IUtP*ijT2dWpcY!xPz36PBY|Erk7
zIo9g$pGzK0GOzz6rM!a*ld{8lr*q6JRE5-X%k?KtSZ>6-uE%Kl)o5rP5(%nS7;{{g
z!k?r<u`4d*2Gec2tdAr@qLdu$`oS5bRF*?4M~@o)Tze$G6HQp9#dMP)a$8kizg=Bl
zGB-i8tgJ|HJT~21>~Td!THC4HL<d$*_ByB0xpgp6ms;1-ZFFiCY^><kq?ls~)`m@v
z{0A^)Emg&c@J-PbW^swdil?zl^(P-9x$b1w$!b~01{;b11<qb;NJlEtc3Rgw@7OJw
zJkFP<UYg-z8nzQy*6uDndS12(%f|1V$o1ky0NASG^wCH|3L)I|Pz~5ZF~QTiDH;?v
z4m@?qO(exP48~Xj9hq9(V3gfQBk9!3oD7$~_ZhP?zpg{Nvv1c$j!e*;=3D*hBBo%s
z`aWAW*04IAk8l$HJ|=uqg0rY3H25@7A~aO-WU<knX(>TcK{6t3EXtCbsnz&oc<qqL
z>*A$dHXpNldKkiV+zLrNyqO2cIONv!VsP%ncUEelrBs7`S~?o3PNWMtsS27Wnu1iV
zvzxY<iN^Z&Gvm1>|G`kpIOjlfw?1l(Q|G6=5L)GCWgDneztCQBFA~JL+;q}8ZV*br
zN+fywOR@m-P)<t4r>NMIn?Wkiu*iUN_o)U&H4R|2n@J*3<?Io=hUR+9e$XbTNck;7
z=gw4Pib8g0j)YVD(AeR2ZO&-%bhk?&u3G|HHgPht6$!D!!;qZ-220E~L&YH^nw~gB
z3xlT;(J)_$VD;!R7nyqLh~PxVp`2MjZxXVG`<f1)d6sYmAY+rQPYQJOSWG5nIGsO_
ze~Z6!MMjiKw$52fj)^B+VQE)?t##AV)DSLYUkblNm7_n&<^MIH7wvsbJN>WRwrpkv
zX$xR-@l1TjvT?{wfU&PE-O~S3+5VxP9r;W#GP0K+-i);%8Z;c)q{|SzeHx-99vlTw
zNq_<$tL?wKb#aD{OjxE<E~YFZNwRIwgn$3KrDH9-p{d|sTtLsp#!2FBP6A|+&Z<6B
zIY|EZv><XR*wtKO>r-52P&~QD6A#*dFPQY=m&n^Ul<ltVIJ^&r2auB?=Z}*R`Zxtf
z^m^zV2ihYLHVLjJu9&)X?-`8HGuZ8PIz+=SrJ0MtygcPAhU3J`EDN)0YGY!Y8+WS3
zJG5jnjR56FI27S2@o|355PvwzYwk!4n+QxUcf+*g@V)WJ@qYo^Fk&#|qQ+Hj`)Fk3
zc_Nu{t*~}zQK@yRYUx6^-DR!Gb8l9js>)8vigD9Y`$($*_04Vzj)VDJJ{%W^=x|Km
zEMOhtf*8yyFoFLPnF43vxP*d=WXaPh!E$r6`6o3Rsfy1@M+kmy<kLhlnF25~xCW})
z`d8Nzec&NSZeKb=O*9-U<biLcuxjP7Nib|4%JH`)I8~3`%eCU25(=3@#uQ|RYtr<w
zc`Bc%0WFiZBsLo*tONR4TV+-7S(wZ?MS+oL&vMV%t$zuyf{oipS<!UQ)ZXl}b3BP6
z2)#3R9$}R}XO-IbFORs3keMfWW&hbP8arQcY|}mChIpzmfu*Kgrm8<8#!cKf&9cj=
zTD;`>TbF9flpI$r{3+HrAp=i|)I8QOoAIG*8HM@ns#m|_9M1Js!oJ3}YA^8#DuVpH
zMf}MgPvx#Ce2zP04!%!9Xs_nanf#Of`6JH0;~!)-R%YEgXgdx!ee#3)GrjgqHivu6
z;ob9Qyy~KHlcDPXOlI_PnNCq7cn449&Lc~-T?w+VEbFM)5hQoi8IASYN6*7y%gpAK
z@j{(lq2Tq2!IYb}g_|wgIuhbwUH3^3l!TEy9Ff(FYr5HW?5sdZ-9%Li&fYt`uW4zN
zeKarcyj(!7;yV`MIV6Jr((oS`%zI%qM-YAVQ`PF>jm-}56AN~V*!dLZ)u4V9QOtzB
z!s9Kbs=lPV#~8Wk<>0YodWRRLNjJm{W|n)6I^`W&^ve06&gl3$?MlJU%mX#64*?iK
z>BfWB_Gw-yCrfAj#s0yvQ+Hu9?ISz?P~M2iP=q;@CR0ISv^blX`@TtC7uC-up4`!U
ziHPo-SzstKnM<q|bD}+Qr*ZBwcn#6Fwg1``eBnMRh0G#Ac_vq!#g%PWX)9*rx-z38
zJU!cxQ1r>HNjRcG5E>4f9g-g<e~~W`zij0HVXD{17`?@jAd(0NzuT_h^M|A;85@=!
zmaNf7xlJ+pn#I3dxbRk-(_qc_aB4fg(=+|i_|;JJ8r2@#P#NQ}6(<U9XV3m&YDv^b
z<YwwYl41Cl9nW~<+9LI<Oj))$DDBsDGMcDASx6&I?36r_eE9`|?hHC9K`A00-leyz
zncu3{7TIshzBmArY2c}t-G)H#Y~!ucyl-LT-ic(Yz3~>^ZOMyG%F3g;eQ#gE=H7z|
zrvf%pVEC7=(2KseS>Bcw&=oizj8h=TUAxt;9vrTx0=rKIUpK<GfCChm#5{(PaPW^w
z$1FMf%yb7Cvk$31c>ZwvucW{*<Jh?+9B3tc+!EJg;w>IIPeSPBG#JqzxVs3lFOQ<z
z$<R3IXw>YLhZHPksty!Ebk9JiC8FKB0;Cv5o_%46H=4eUz$)F5x^pi&j*}3^I0Yu_
z^njW1M9u-{(U*$E>g0PcLfedz5X`}Q@3wzH7`>Vh^}_giaNTnvnE{w?TYqv{iiPM^
zyHqmUNGVM4hsVAhy^ciOy*ua;I<#RsKW8zqRh1TcMqb!V!uz?!^uNMG$f8(lP-j%V
zGb>XQ&J3LK5D1=`&j=K?X9!IU=4LPwm2f}|mr<6GtqzwYUA@d%5^Ao^&pOZBZ7I<<
zh^l095rQ#ema>-LYz!uX4Me4QQ*6q`seVtKT1T?6xPql>7zxBV)ozw(hptrA9zB#B
z9-ks`D-Z%twIedmsRPA?j%Pv<#(ky<T9&lo?)|4i-Z4`<r6+)_*-$qvS2B5h<+Wu6
z8TY%C_wX9g9J^ozmk;mi=;^IqIADeOTm@`xygT5pjK!D|a?_JFOWY0Kgb3~WFm=4A
z-QlL?V+qs%YlAGz=@^!i2ntS6k+;~3;jFH@n`c)RD3nsM&1P)@r7tVTDi1a%yOiUa
ziDNT-cf>YyeCCy4v$51;jpF`#!p5bE**+$-h)%h-8{u5F#21Yiweoyt^#7RG%lf{W
z{ktHjYdTyP@2C&u{G*xTOB$u62E#T%(4e$L$O*UcXQWd2=P*v>?`3&Gq4^+*keL6{
zr4!$yoVw_8bFX^oBPF6lRm+T4N6m!=yT3f`j%N@$Lc?=X%DxnY3Mp=B(-|5opY2k@
z#0W0K7Lk4n+<45jOd*xcnqrB9{B_c!S6s0UKb3Jr;EIK*RcyO1BZwXR)k%zHGh_yV
zf#4+ew==XFV}0L-L5i~GvsdarXxZDBtSFD^I3j~`&6{^psZ-lIX?xKmB@&LRMmlvv
zcke$F@QzLBAM_9?n$mTIj!-yd*emM_(wA4I2lnr<Zrx?1a{Gx+5sYAQc}DL=xy8RE
zm*uO74in3Y{lF!A>xLvY-}<cs2AlrxHyh_t<iDYN=QSkpnHd=whx8;RJD+|x%6w(g
zqgQxMgpSa#?3D7~eLDYIRw*}HrrT>RkLpt`*{cEtXRUY`_;*&|cRc#$7F6|nNs)is
z-(cssD!^{yQ|dfPiavW;zBxkl@)e)<70E5VPrNW;QBu%D-DXz}fkger8}R%JEsV3t
zg|G4Xi<q=0wZkN;)@@#F*w4sQBA^RtDpTV_*h@t)f(G$ILM5Ncxt~1TFGOVtneI5D
zmby|YT%jV7#M+pe5Xpidsrl;_ccjXYq>q6QS;39m1`Ra~r3CB@2;myJji!F<@LDxg
zE1g1Rn>qHp7ROZ@w}zb>OA3g|V%StEv!IhuLGl-w(uKn)SL2{4VbsRSOY^EjxJiFx
zNf~wt%Va5w>QgU66P1V@Rh5mrAyTS`Vqt<ST#)Z7Q>1eJ{8rAAP-|aRHCT<}gHN*5
zx5eyrTw4r`_i(Hyi)4Lg^WvAx(`x@u>MzstcFo#W37Gv&U9q^ys62a*6)xj_WJ(X&
z7T=$ps*X@6-{C9?ebbQv1QoU;l+U;qgIH#0O0>F8i`J1|k~!UEmkLIuh+UaMWd}tw
zDZ>FvO%jV=>Wfg)q^xk6t}!}%wSB#3xYAb{4M+p1Ox)N@TZ+B<Buy~a#T1{8rI5)C
zha@9NATD^w7LsEo*i;$~b!4?ZR~rkLXGrDz^o$`snPt0V!fw)s4DP0F6mape2ATYS
z*{lH;neY6HFdmqFuK%I{p1D4~n~&zwQ2CAS*1iDJZ=h*$(yhq8#uF@7FiLei07uUC
z-E}jm)n{WVbS#-|HKmAm8rc3z&Yeq;@Ar)VOs|{(NA{ls1J^eV%%V(muxP;J^#89h
z7x43v`MPqq$95k8;fQoN)pQC%hU-)+N7!8x-Vzd_c;+&X6M%W<E|yDinUl0Gxdb2o
zq6`;0(IX9BUklLNI4`E&5)0-3D}nf;nUd{tE_UiEk&tH$;WTrN;K1Sig>wlh2!iVc
zt}M-&5$KYOhjNc=j19Kb0Pf)V<p|CV5V+iSU(ayvF?BYP^YmK{=R5#iwQokwTU|wj
zO{WST<5HdupjOX%oGHG-k-s$(Ez1Le@9_qM_|GZJP96AkxGiQTP&gadPZ(G(`@C|P
znLvPEM)kNa@efJk9~8$Qm)d9A{{Sn%3;PuC531$%x@{o_;&ljs>|s$A5>w3ly~gv$
zIi=Qk&tgT!a<J+ry=st%dBy<W3G^3OK9itH`Qz1W>Nfq6*$VQ-5lfmBB!vU}{Qxv|
zo7|k)Fzi>5e^9;Ti@k{8#&jy+#&uX4FKl2nC}1_1v<!B5SwpFeMt7T9$>f>b&9YdL
z0E=gGe=DZ5SgA07%nJUv<<m^t4mgKR0ZBU^^$h$2ruloE;`VvZa@vu@I#I?t;X~Sv
zN7aFUkcQi97s(vm?a)*(c@K`@j89e*;W^FIt48M{o`Zk*_ih6Oi-ut0=){7z{$LMy
z_wK?o-p4aN6DquidUz%_^zYpqptaY18X^ILKEINusCg!Pr@Cg1M3ZN7k6=rGhSkTe
zlH{;GtVWAxvJ0IVqdQ*pI5?*|Vi=))dd65I&v;_cJ35-@;OCyn2^h*B{f+nF!#q>}
zc_t@Y%L4l*$z98`X2r^kLzCbgo5&fTpdKWC#!AoOW$AjI8+8op^A8+qPkXE&ar<lt
zj+i_Bb>-RDAKSd6Gw~e!HN1C|h>ChU084%QyYcN?b>~=Z=IOZHkEZ)DFb`0nfeh^F
zf*aCa<EFJUIlZtwr-*bYXGPUM<!KpQT00XTfZbI%kjqFJ+_1bGoPvt@)0ES}_V|&0
zFJ~;Dp1Zxq*z<96a+XYvxdFY)WX9S)5SNjdnWc&)tCYEO+Ue*=d7s>|q7Sprex+c}
zh{p7nGm|mNWa`3*;P~yd8535d0jC+PJH8-TofwK=Q_;@ltdNpnMjnV58rsrSVfjSj
z!0c_WF?*WyFr*^yQp;JMzH0%gBviVMMq7d06zsMcpRUqC{53F#w=-h<T`0AWuX7gM
z-}$xgNgi%Vx|BFTh4W6%fqR%=N2~I(xkXmwm&i2cLW#M$ynO0c^Dumoe2JS+Y`M2{
zwr5j_HXJSbP*m??X~|t%Ln1eb>v<=p^GlS_@wV4k?_pU1-F}HhYacIjj{M2YuLX!^
z;{XffvczrA<zXlgSDXDnJnOD9v&}ufU>3_T53wIDQa*f<Wgrk@+WxD0aztpZLGO}U
zuyf=vAwe89G$LSP`7%4_*z+@;D*^32vddVPt>fT6%CF<M<YlWeIWC0LGLeq>;z0xf
z0$BQb2&otp`#X_}{R-f-zW*Er_<Yej^Y>kPc3VQ5g+YJ;5WpAm8S7;T-pg0Mv>gAN
z(*uob6<QT}AZj_uD_n>!FZUQ=oJv}_ze4?5XqaPcf0rX(6wbxi@;|UxzKFR9WgeHe
zDcJH9gtfOsV&%2Tm$<kac$S;TtVLg~(&Epe6s<rNQIQ<O&Xpq5it#a0iRnLt3kftk
zm5R`+wgJxznCJtzK7KMlC{)F(D2NJZNdhR`@pJwd7Ox$;231Z|3t1e2(F9^`R<C~y
zS>CL|oH7oTP-IE1Cv_u`#|7kS_GEGpIgwmTt|AwcGsro8&I2kzYAqY>v?^xO@etr<
zOAr`_n@TZl6z#39Ebk)qyyv4c0Fgv)0D~OP09JBv0UV7_0(jl30|Y8&1I18a7u|E(
z?YczMieqSvP7T`V?uKUA4Vukpi>`k?tt?LITv~PM)~QDepH|)S`09t&QFEDHrMWpZ
z3RTI?XiK-2(9_VJqA?^9#G0>4kFSkiavUxp*K0Q{ju@vKMa`tPeKmy`_3HT4+cfJ^
zLPx_2!(d&Ph3qVu3rP}V*_pE3?&c7aG(qTCfYvr`+6_ofJ-@{;&@fC}B3~0<2Xh$N
z-*%fu(i#Iz>Lm3a7wx)AdcaP-2AkcZdK}&wZCYsCiP2m&)T?!ccpnuoK&>geFw4JD
zHv^`-_8rDVi>~Mh^Dha)eLWz0lP5*r=okGd{gDy_V-QuEztS_PX)<ZEvU5DA&&|s(
zU??nNDjqn9xx}2mOUpzJ9>Owo*zocS(Ul{rs>RkgGZa_ni+c9Yk&R89{tF<pl)sSF
z|JKoCr1^8~xbf0`I$>f^Mo4B@RwNqpe>w3)G9@>iQIO5$6&8H%pE-(3Wu8j4R&Ve&
zTkVe0Zcka?mn&hRZAatDbT(fsSL@Aow?7;`@eBX~j7)x^wHw!??F6>mOc#ND*ClU;
z6LoG)mIH~|bODJ?*?~$`88uZ9dIlG&oO!V7!tYoeiRkIbKvG2RC`2|G!JNal3z!C~
zmRkg_AQyk`K)YV}Lg^h1`<tAL5bqs<R8>%FzJ$#3W24U<MXQQhQG#MsH=QJ?_saN1
zJ-?+s(JnP~s6V1241F5^)c?f7;(ulJph-`L{4wOhia$603z%V;8(~<xGqQF6juSp5
z@*EVhVS(6{1k(d3kg{pvlxHg^MIe+Fl?BV%r}?8?M^mWDZ9-S5^Kqnwd$xB?g{C5o
zc_%*><Q8Eqys|61Vs-5W_wKuEFL=66*VX-!133586?v~O!al1K|HTHH9!RBXh!k=)
evNd6|E0%(7mWPt0rJT1%@W9%26-uyf1^@smVIlwk

literal 0
HcmV?d00001

diff --git a/site/fonts/instrument-serif-latin.woff2 b/site/fonts/instrument-serif-latin.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..3ee1bf99e509367119f90bec172d17953ec35dff
GIT binary patch
literal 7828
zcmV;F9&6!uPew8T0RR9103MV84gdfE08HEf03JI40RR9100000000000000000000
z0000Qf(#p-Ivjy~24Db$2oVSh*#O7{3xZkz0X7081BEaIAO(de2Z{?D5<(T+7`l;p
z077(j1fr-{dsHim`aBqg2mgOeZVVBv0PU*|MhaBssuH_*^>3pKDu1Agu#1MMgmNIQ
zqtHv-2|eKCfa_j-VDi$(ZZec@F=$|e(8Play+5V1=uRqljN~Ba9iyR<#3Xpoi+*0R
zyO*O-$*7GAtj^W9Dv24M-)8Rv>gWH@CqG~#7_@@XL>h@Yqmos-3g^n&(0NWzSLJrb
z-CXK<wcC};i)i@&IQVtWxzJ3KaUf~HO%r(3tgOHS!Q$@`A-CV}mjnTaUgqbyMhM+*
zd+`(!E>KOdP3la!W$CVyA;~jr1;EJ;@NY#NySA$&(*uRz0a;1rwg3V)byj-oaoPd5
z0-|FpVJqb3TEE(F(@AA7^op81j{PR&zYIkI{Of;XdQkjV(1gxaB3KeW9Vd45{M_`E
znXS#>-QVd_-vAUeA~S{c!GASXs;@Vf)^0p}0SsWG(9xpvTFA9f186|fFbfL6A&g~8
zRb3x?yb9zq$s^tCp3J1u8kAaxDI1B$^94L!jbcmyb|{JNbZ>;p!HjfArPbn6>Xf==
z%y~^bCR6EK-S(_YoUsn$VslnmN&@$1W)dTWP=qkTYZ^0j&R5>+U;g$^_E|Ozscki@
z={b0iC1{~C|MP#nK!O9{cku^t27w_UG&l$Y8-&0EapMUhAOI2a0|_7jkyC&KQh@{u
z1Bny`5<>@KU<R>@2T7C+lF9~>X&Fe4T#$T4ASKE`D%F5AXaH%_3ewIFveGJ$HP(S_
zuo+~lPLS<(gY0zxq{|_Y!;XUV=t0(}AK59x$VQDKgFt``#7U1n{Z1JM0m>0eK^pNk
zdNO?V$L6(g6o5Q8Kp-Kn`r5db;2*x{_IhoM<8T4=GmsXmXaIA@071->#D4_|gK^@^
z3m*#xvd|Ea=PeM<Coc&XXffYxU;&ER%@P0#|LXV8ew;v*-v$^|c)kUa!YMEf=jN{L
z9J(=CopNh603e;y2_3RM+ql*0P?OaF(uJCBQ<t`c%H&$nQ0YU>si~VfShx94klg^P
zk?y32R7sg7q<{KNKj<sH%uDFrlzKV6)I9?|W)F0!Gdiuo+y~H^bj%L4we?!5HfsPR
zOEuqSmRXA8ih(tt>jia5?bN~=#gCOS08~Ox{GEQa@BPB(`dE*&nD3)|in~XU?mNE+
z5FRvl=w*G+BD`7LSUw(%8~?j$$i1sH0O`Zn>>BoPi;)u?C$z!C@G+V};2dAO_&S<P
z470@b8IR{SEzvS~IRa=NjyHJq#+0NFV+Ju3h#A-Fd$3-{ry?&l*COu5xEpt8B8R)H
zuXc>9D;8vOH_qgd_bk|lS<qr_cV49cP>mmb-Xc2<Ai51Ga4bKg9Nez)k#(Z{VYD1}
z=-A6izykvj#vx)K#*26nt6$v4rg)Lc|MCC$;JbovuRfh!Fy7K~7(j2aRYG(r18{~4
z3LO?)c(~(*01*L5P@*Q32x8Epm-)O>oN6`VuVxZSB8?2P$f1BD%Bhapxk{g2-PA#?
ztO<zQau%23jsLmeJQtX6aywst=}{!`@r9F0El_~0)>8;V*7LoI(`6E2{jqFxoy>Gv
zqU`RAy2Bclx@mN#))h21-%yiq9N1BZni7F~J0`tGI^F6XYuLP1KIJB_q#8!yPFo)w
z>(qY3u^rKpdXA77R(0tkRm+d(kTEUQ94pZUlEZni4d!4hEx9$F+fmqcg15c3pKf^V
z@AMwW_j4ZeMq?D+yF+nu4uWZ0B<OD+wdtzx0`>O|m%o}nW7v}wb7FrMRmUd}-x+(s
zWhlv%a_yf3>Y<4=hHn@p9iiFe=fF8Im14QcT3=!FwQ4FDI<Us;)T#`D;Z#&$mM7o-
z-rq-PHvgM*9*{k4I_PukY(?%&uE*-;4)22dyhrT52*u9ID<XPhuMj+-{H!&#s-Eu`
ztL~p(TXYV5v9xHv2bueenb>so_$2vrU-^2^#N`<6)2qa|Na9Qk-zn0w^ER03xoz@(
zXP{KXW8kS(qO>#A%OQ5D=y!Kh*3r^Ek2fTO&uCEM!-gk*mhwP=5I-cyK!PAb2#=^w
zXEf5S%9%cqi6fq5(y)<5F8P#DajHV%Hw(^CAc<6X#uFdkCxQeC5;zn{(BOi=0)z7%
z@^8Nds=RwmRjCH7E_jnd6*VvC1cVbz2wY%57aM<^phJd&o8aQsPVPLx^Wxp)KyJF?
zflHIU;LG7>ce(F*oRD@pdG+a;rFr45g~ZBsR7h}z_VMhaGd$<T877R5_yyaG)0EU7
zx%*<IG4G?BaJ$E2nqUBVE<mDG#IIbzWv7ci*Q_UaXwhnJBJ&q6BF|qCMgW1Rc7RvS
zAphi0n~+SQM1TiW8s$7cNdgNEA$XM{Ms#GTNznraecxly!JuF80*TiQw1H69Pl;DN
zfD@1$C<kDad|424@sENxmu>>Aqx>%k`(>IY*DvIy-}^}4Hw@q;K>Xk0d;5?9i9-Eq
zAcK6A_~k$vM#l+>fZj<nx<G8*6&aw+AcGB8W1PvRn{TO=u6H5#!n@NagUA#z?Df~{
zyw@-P|BtK>2SDW@u3q{pRjJxABh{N=nwb_^VV(2wUwnX^3V(#3-|+9{&pJI`>;K*V
zefgMw^gSGpF2G0sxFCKe{lv*rp-GE2%dNE9R$Y$iaoQQ@JmziixAawb7mCu6rE+Ei
z%Y;~lDho{xTrQSEOa<7AFyteY;3>mZim#l9YMyGib5lj2flw1)Ekv66X%(QIgq>Ii
zspS+_ky|Oy8Y=4qSu5BEp*9JzQKYRjc8al`&Tg@G(AvdlAFD2L5*?Q8s3b>FqzSWG
zlul*`80=-TU%W#gQ2zG<;08cU2bctu{{<@U1{CK4(&YdoNcoGOdDOfPIx=p#AV6^=
zDPoR6dN{kBB+SXkm5t`I-YHXwHnGt*90sYQofR_l-L9}@gJ78(CgfNnN?>2#ELpTB
znS<%j@aPCtqh6-Q0)lZP?ui;P<}yque0vDb6sj#21{@wNi%!)BVHifI<2c4-axlyb
zBM6l$m6ShR9;hsEfTwc4WaJ=8kwj5IRgs9`(_=LP0icmXU0uYq*$rs4$ld3K5CGRn
zHaA>+w=tiGP$-~UsW}W@kYZ_mh>!uf9I7LS=%_%zgYRdE9HhE2E(=;)OF5vVTn=Ci
zX{f*<4+&<*T_25HYheu4=lnp?@(|96sE3WD%d#rES76#Z3IegR705JLtn7?KT~nAq
zDmdcjgk+I57*xJ(9MT-;Nxbkj0MGYppzvP4><0B7`l!TXR`+8N7M+MqYHCoYa2ikn
z*so!g#Cdb3OCigrl9+OqK%z_+w~drhXeomOy@%vkx<GyT@n%^QTqGp;x~j2OH>G?t
z)<D*cc2dE6)Yg(Hdrf6tiyyy>B9$D+V-)T@D?uQ<d`!pqBW<rKFs)OyfHSOHRv*FA
zh?7aqyiu@Qv~d!phsHznYt>oR;I;mKjpB9jyHRT8glqHJXM=;2kQlAJ^G9V^$J!os
zV<EIqlGT$!QYEz$A9q6nFonX^QIS4{Go-8~xqtw(dx2|~uEA8;Hx#$(N_TD6w)1?V
zqUV6Cr-s%RH+#_4TQbnn!{NkkXKvL}5idqM3E88Y-loW5B9RbEie2b3QznY0w$e4l
z^1{xyiFme#L8JK&RCH6!J28gVBm73ZR&2FTZ*`HslB4T)sogL{0f3>hBokCm6D^k8
zS;_oXJbksRq!;7h?%`o`TWnul{V=n$wl-{SM6}si?Be;)NToL_G;Yg+$kY-3CEi_Y
z3v0^5BGD6#PMe0DF4x9UH<$JvP<7Rz4r663TzA?=DWBXf-90zNc~q~DGav0qykX_-
z9gG{(bGBscW^8<y-wFw2OcjZ>by8$ZN?sS3H8gH47ORscGR7P=(t*`%npv*yRlmh5
zrK90Csgk?v8{=TkT~&XJqn%9-Rh*RH!5SiU?IFd0C?utj7EFZLEnt53^YvIqNguoO
znr<G~?yV&Vhmf~2*?vn0=!r-XlZ&CP-XYT57SaJIeH>$m2*7O4c2>aJGu}zCmoBex
z)PgisN0nNY1T$f?{OnQ<sNOK9EU9I8HfVMJh>+w+7{g5I@X4rEx#5#}!cM~#Ja-5t
zdjdN91mkfs)*ZbdrzS?I`Lf~^7iY0nn>9D9TwGrD3A;JeujUDiR5fY_Kj0(-F)&i$
zsyMK{LT&)&0*fyeYDR=rXDa54VA{Lzd|vTHU%d8X@YK{&S+7Q%E%kmt2~saJqyME~
zq^*-~r91>Fjp)E)<f@(K`^PP~4QeSrz5YeQ<~C*nL-u}nR8{0y+AN%TaMa?|AZ_;m
zVZ&CKPJ)-{<i(PxGP`<9-C!1Drz>H7s^n2AG)`NZF{IR08R1uM3ko4VSJqcEFBmr>
zWw29kX0I6Qc|w9hcpUht$(S19s@19k*dAWwFjd;tD@5Ic7oJz@mO7RP2!qv%_Q0-n
zFe<5n;s_tSGKOZpvL`o9#}3k7nWL56>;i}22pm-JU&%h3&Ga&6-f%J=hm2YR)%uc&
ziC7F(iK4cb@7`zJT`L140i>%7H*GB|ngsNa4n&nwtY+6-OD8fMjEOG8(d|ZmGr%^y
z>nl(z5ucXiP^fb*9fcF)42Z>g6Y!Kc`VD6auae!~{gqBT8s`nL%k2Lcta)R6taYBq
zK3O|{oe9zZA!60vb1Aty?vHw04W8;+w_2ahFK$00QBj;uG%*BP)X9JffG3>Llppg-
zTa)2bOP*P>wB`y<I?BXQc{eAy-rrI%eyT-zJRw=CsAi>}Q_eW(WCuRCMu!6-9i`5e
z6Fy1Ays><iiqh|=wC2SQH8ko@*t63ka|=ctCv(naC&eRTAoWK1#vllcATgM9?CZ4>
z!`70uB#rZg$xm1skLxnbpkp4Hh|#Et5r5|SBaW-(0|zxT4*D~?V@7kJtdpn0@xOgj
zRcecxX1*cEa0c}}mj{G!dUJl{D{W22Q_J&`1O8hxH}S#O5w>-z_@W<bwB%fp<dEtk
z;!S<|G>X!%(lM&znXQ$eqc=Zav*Z_lJ1A77Doi<Kc#|l6UieEN!;piD5hYYq^4qlp
zj?c+*La|D^#l5f1&o|={$bOme6$Z3N-X-pwS{C!2ofm2BXz`aS_f@tsc^4%0V-6g-
z7&in+RpCd9Aov)LqSHRl*KKP#cVPcy=?2>Q_H!tTU%*jh2CAsv&kR3c)z#|pH{EWu
zg=GZ!?)T=AI=V1J9wc-!s&tV5JJn&e#C60g6!P}JIpHF=QLSTXTE{rd7{L?$H^C$i
z`IebPEq^~9MW<&D#dt&z^W}icu6I5BwX@$Q=i7oD5{p83w;@7M&YA}yk30+c%s3Wf
z(LNoyC$OL1^ee3SLX`4{f7Me^-clMIlo6pR7j8>Q5q4@SGQxv`Y~k7pFXFFxo3`8*
z@s~AqbYdd)wAGS!T5n_8D42n>d9B>0;gJ^-{6F+B;=fB~RI@)=9ReRj=PQEKLbZt%
z-KB8Zf95`-a_A!-{Kk=vcVXtWzt@<|c}WRrHfyN(({OMV=D56irMw2E^l@mYs?%p*
zp*qSC8y!<=P{oHB%OVo0a?-rkd1TbWq$5lkHMWLGQd;D)fM8j8vN=2<#?+#VP-QGr
zf=t+Z+O@m}J;b5Wd`1t+h3vE;b#&qyUEo)}AL~piS%6OHZ;Sh!&#!WQ+b0qtYD&Um
z;xbgGu0=zXZG$FOkz(}&%g=j0r(Pm*@JY6xRf|}39vGbgU*a-cuG|qk5!{(`W^iq#
zu@gF~B{{D@dlJtfz7x*n<RAbR9A;B1@}d{YWlr@IVj;<x5vy5KNjJiXl4J)~+e?Jr
z$S-XKXQ>psYf`Ao0d7{Pq>@7Ek;P8Iz_ESQ=MK_Fv;A`}l`9_{)*X?I)!%V&!JU0(
z^k$!Zdm>sjY~AR1PDSxzCW=5Or)dZMHlG5zZSqMT>)iJ6gI~}cLGYGE<ZV4Iu6D3t
z>M!>Vx4SF2gh}4inb!f{>0a#=hK1RGxHny9Tj~2o`DzZnod`BNH|8*YiNHRJ@v{Yj
zt;Ng=zXi7bnH;4vnAf><m+SWgpWtT-1@6)8QQUQj9L}tOrI~VBXi{P9h1Y5ML66;B
z_iRnYm>wRUaM9m_@^-b9pxLAh8pe!Q>jeBO3Dl>xEzEwmOSb~z+1A^Jq%bqM2+J)|
zlE$Pg^}1|RnDXEeI<$(8q4Gz)SD2g$kE+c2uzI=ZOGcuUiir@je^L^-1j|h^ehqP%
z!Rzy_QTV0XztcCeCKkIK2;%s)`Ocp(%CLI?R9{=qM+q+HtXDpoaGQPL_e`<HC&IM3
zwK}8@FlIP9KCkVl5ID9xf_)=Iys+?RJOu|OYULftsfrb;MpblNNu!VJYaCu(Y;BPL
zuir}%OhnHyTQ-GN2C4Pl@q&PmTo;=+IR7XqJ4VLpbMm~wzNA@dx5i$d+Y*=&qzs5R
z%B1}4cNLuopLd_b45rhrA4mDQlE$j#ZhCQ$f1*JqWev=e-W=yHi_5TRRN;vQvVb99
zNwQHdO%aKtDSD$M*>kV&l-O6H3*vcyz4Y{VLVg>#V<_Ty%P>RyKhcDcHEt^iw7XnP
zklDEv)C=2f#|42!v1Vf0U~?cSb{dCRc9bgIN8tOhA4bgR2L;{^v=$KaJl;csxT&mL
zH3b*U`14y9i8LeYokrlFUS@gkaHe7xi1X0q{@zM2-p{4AfcqMkcazH<=kadA!6E%M
z+jr{vy@7c{$&a`x7TIDkn12YNtn654X$rn(<&Cd#W9iZlv3kq!x*vxQiVj|&4tQp@
znfXQ6;(b<(?MO!tp<!?g2rB=?Vj0|!K1fU(%6RjYHpMKv8r@oE2w%$9rl|#z#nCEx
zHEPE<PD7_ROhJ8Ph5dn0ku4nAY=7XC^|4?pNA2kaSgzqd9GqqfT#=9vXiqn*J+C>?
z{(DThBHbje`R?1Ans2`Y$8U+vQ9i%%*#R8JcUxY=S$}b?$}bj&lVL6wz-E{i_4`(g
z)Xb!zT84!z@+=UGZ-uA>Ez-zTvw@TIWhVkP(lM7DE?d{;>Be>!9jaujZ7N-Q66k_O
z(-F%t%#(q^oz5NKRv;*&8OQYu9B1fp+|GT>CPp=$C`KnGMHs;t?E2mlaRF;$5rR+}
zyO2(|EB(E_f4VPnXR)o`4n?K@^uoHhZY4aJW!ejFz%=8^v(@u&Kd+lFcMwO=nIGHE
zWu*uuG>MVKql>E_^7K9ssuj3SlZdab+hSyY#OrVrxw!dd?*7)JMjSIHYo*h&EUgjP
z9=iX+XXmmRpQIO3QLi8S6H6~P<QWu)yG&PR`(BmF0u?vBTajnG7YVb__zNhd(<u27
zPe!fvh*b6L`@#Y$P08CHj#HywW#6s5b7I`mXm}#3i2mWFXB@9l;M(QG0*wX4LoW9L
zK}@RLo1>&Qpt0Ha0ATUw(|EHqEQCel9o^sjS6v>+jCanf`wKsbqdXcb1f$LJKz{PQ
z&d!$LqAneS=|kgP)mzDX26BFr;TVJLpvE!SpX2~r{MA*}J?*Q;a5g@+FW6I^`?xa~
zELfguS6$tj$9vQ~&UJ1fcwh)ku}t{TP}$gTa`|s#GL+^sVQdK)2~sX8<V#BBf?Toi
zq412*=dD-xn$Ok(L8hDN+B<~nwVlxjP1$Aga}_;)!RDew>XaeCx(37OV5rz1(5iL4
z>#Y*Uzj58ZZSr9zhw&`tIg2v}+6;Da-0k*R>;q>MJ>ulFJk>K`wSU0RJoFYy@2Y*y
z=BM$wHwQN%xD9l^@9~bG2im4Meobcf_snMUITO2bUVZXIP=Z<k0m|qX;%!wv$W`uu
z$%pa!jCuj?k_M|)$Q`u)USk~f2>!M+z*0Ef0tjV!FMD7ZL59OA&M6JEAtyQFyhkB$
z830{vFMk5L0y<SY4d=J(OGe-KbMIu>1AV;x`Ad}gp71?zSQ?pQ__L&tP{1LSB*Q)^
z^A5<R@DI~*Wg1LFN+?E3IOI~FB&ALc*yNJay)|iM9*=NC97aeZTX^(pVW!IR0rm1>
zwn3xz0QQiTfcl&F8-@I&P4XUl{e4bzO8`od1%@FDOy>!M+>s=AVETKl6;dXb4E_t6
z$MJ*T@ZV%6c!Xs*a{3#S$MHvRy$b;&dk?xq6C9YAbbJY(-bpgUzeuAUVX<fMPnlOH
zbncxBu!?)1T2Ek9CYE2OR4ctnZr*3GUK&}?8~3&IRd+#+_D&oR23`ql%jxf@b#hcA
zjqHFcIt|n&4gU{Ud-}hZaXcf9`~%l}`oHSL@wm+C-=&d8d`n^931V?eUJJM_XRrc1
z1I_)0%aN0W``|WdsEe^@Es90dyOo@r+j4qVy8V4R#e=RNA@$XU-Jbq>GLD~Py>lw6
z_J;rr`iz+C^Y1s`+I&Co;$YwAyWg(@x&Zn2h<A2HqH#0{?1e{j^dW6#c+F3MCe358
zp?$4mDsGWohXQmA*b7Io7UPLuH;%&p0m;{Y^^ctRB&X8nRCM1MmEzStLpW9yMQSPe
z5ABL^$i`Gwg(|~{5SWa_I5t-M1(<Pe*r%g8nAv2$fNE`7TLp!Eotx|}uIj@uVT>yW
z#FGq=Fj76C);K;6bVac1G@j`Chkt>ttl#G(UEMqe@dL`cQ3So>B+%p$kHMeeu0BLx
z3PS>!6u^UR?j`&!ec4Cb9F6#|HYx>)7(QD=8gZHe@LY_+6rY-Wb5t(djHzymh!~((
zd)LNm8S>?=;N>}CAgc6|428Um>sP!e*_Sc?pf22?5F7H94dSBn`Cz}G5j+6D=qxSD
z4(mWDi1-A)fLQ+haXy3bTe2H;lvn#uqL;!Dpc?<9&V&Ew!U~<>p4D#_{5Wt;J_Y(J
zV14R22G(Sm-KS5jt^)Bf3E=3+Prfdu$NY!s<S)Pn&;R@YeE7QO|3CBlVBCEOB_sd=
z{NYR+<N_;i1<0G%ej~}FDfbS2si(9#Pg$@}BDc?5DiHS;!uDr%ev%5}`PcB?^#=^t
z56Dz|ESJOs1`5QbAizG~97S@ZGGS+)au=NN;hyg9`~JlIr1Y!MPk%rB(i!l2-=k3}
z3g3Im;h}UF_|T8YJfU)RTtV!%y7m4QsH?A2xwDVS>Tjhtg>j|9!zCV3S$Np#7`%W6
zdhC1*55WV&&eD=(fZz=0D1W|5*75N@SgI6yH)DXD0YYy+5WEkBekBbk?}e{e28hjh
zB0zu}HgVR8vezuttxT0tRiJW*=UhDiB1ql<5<HRykeLDxpa}AKfRhdt1Dq*^F}#|&
zTt_!#i*`{0r*2oSO|7AIuurL7Ymi#Ax&PGyrLss8uSvTOZR{FVYSJM?Wx}{B3N|*Y
z*`bv-w#=a<YRxpgfQnL3XGas%FsqdE^c|Yjs7*}^h%FCj5xo#HWH^OT74w&oh*qsC
zICZlI?ef`FiloO@3s+dwEjUULWL7g%r1G6<7CmpK+O#6m8#QaO3U;*`m!>97-I)TJ
zhEUnWd9*aeY*t6C+{5$>Wi=<q+Ha0$ZC9&xns#Nk=UT2=qria?^QdZ*3hgyg5+rY~
zFdxm||4}ypE!>mz^CFEx6#4s?5a7!Y8F6Zqi}F!{)E{Y4DJqj^_$xDuf-+lRP9oQH
zs=WNJ-Ke|w5Zbd>Z(#*q`nyk|@S?sV`t=`BTq3Hpth_=@rOA)jK|cGz^mFi#p)CFj
zpkA#1LgN0995q^kKgW!%k>vg5x>d<*Qr4wzY;JiWeS2qjk8S@z*5T2yWhXxM&ve;m
z=W;GCudZ+8-QL|lD0qBQ`0Vo+<XF%s%GhkRJKbJ?P^IC>6At)?Fk-wSXyv?fzEBOg
zh)F?}EK=w_*CnM~2vjL+2p*GS4G|MhSyLVM-1Nnvnd=ans_ro&t<9S#b&S^&3*8=c
zWkR~OY8af;Iz=|HL70J!QSj((`Y26hy^U?H!l>1O&x<uM2Crc=wcuH580Jg-u_Zj;
zPxo=w!9tkO?Z6V3wr@)VeCf8htbSO2E<%j0H*H_mzw0mh|4ASDw3ZJ30`G9Dvla7e
z&^E@lv>4mT=REHaUW%up!vT(XkPxMTIS4|8p(xX4<=H(P7o1>cgs2|_4nM>XBvgp<
zS;0_3B*r0eDMxaPg>)X+(4iV>q@fnG;H)4Mv*4R}6Ym9g?1N1~?>i{Xm{+yT|8>Bg
m_6mWB)a>j1#Js;hWpSCKMD`3(Q^%JeMxS$5jEl{Y>k|N*PZGTV

literal 0
HcmV?d00001

diff --git a/site/fonts/jetbrains-mono-latin.woff2 b/site/fonts/jetbrains-mono-latin.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..310faddfdd181f2dbef10b26ce9231504762d045
GIT binary patch
literal 11596
zcmV-SEwj>hPew8T0RR9104+=a5&!@I0CWTZ04(DG0RR9100000000000000000000
z0000Qf=e5UE*yhC24Fu^R6$gMASWIGg*q=x5eN$4WX?GYgbV;M#YzD-0we>75(FRx
zheijHRU3?FHF(o8<#rHAxa)H+idr>E>9ha;bJ8(n4E-2@`O4^oBur*iMRrv(Q6VO@
zK(eZ~w1ggI^<jTXtJk>g(0h%j3t@!s+B`RLfD2<4Yk>@xdwAyhVHAxfg=hkr-t+^C
z7(^OLk1MBbGRNxo2Z7{r-@8=p&YtW4`G5~x=jR5`Dz_b>u}^Y&_}cIF+}#&sRbo_M
zl~|HOav9(HS_C1>k{#KEkEd<@Jk|h=JR8ISl@N(umR%4<K*3cMS3<<X=sWMutM($j
zD(`+}^P}r3XW2cikwzogvb|a$uWKCu`o8c*0&fU^d4+$e{1BhvBhmrM$;vR6EK5U`
z4PbT6o=1Qt;0zW;JV79YC;rt7|H?h{=2joX%GkbPg%MwI`J#H$`}q0G;r{<sOvW5r
zNb96PT1Z<$8~&gEV(0!{w7@b>nn@|J6as#eI#UkXvSk@avcR!I&pZ{TUgvI8@=E9R
zzX&j}ZEn|coT-nBHo6*u$sWI1!)7jhFZt36C<b9rlELBs|6KWAz}!23OU%MF@H4!?
zGqbwo#AfUwsIuy*s%FK@rgks;$^y*=nWSL+{2tC-VRBDNyhZNT5I`{<kKE030Jn#N
zFI|~xrPF9E1yK(2;9IC(_{V!F`g8$ORd{cr`yl#{c4q(#7P|l!OF{$zQUcB0fyXnT
zy9dv50YO@tSK*{{&g^+g@A$_0+!zyj8)PnxzH*nlAP!zdbcO7=g)MM8_pN{b9j4~t
z5VyBGFQS`;R^&0~=Z8^Bh(j)Ro|kPoIrSFK1Aed@F$hc_pZaqOm~73zKVoz&GDs4H
zD-Dt%6Ot_tQh*03C4iI@L8?_l#KaJ(I*5`QqGN)XnIRSw#HJDA(gN}7fcSMof})Uq
zgOHd}$hdLHq#4MZdB{4OAv^4W?6)6s&?4lRlaMnmK$a{)F1r$Pwd)}_xfOD|dm;CG
z2=a(0Ay0c2@}Uo5KK2RB*S>}M-uE!SHjVsV9{CRf3<8EgKrIds;Ll$%vbi~*AP6i+
zf&i*jQev(C=5B}d6F+CiAzcDsa1bCO;|4Z0peFRV1N+Nbym;fWiqTRXzc0UQ@l-c`
zqte|7@HF$G>yWU+^CD(nojUIf)G>{xu8zI(a_!V~@z+2s4xTDkVx!OE-5;c`eJ2g2
z?G?q--xtASf8Fe|KLbX&>A|UyyZT+LT*o$n(N4F-wdu@`iN|?xyPqmZ*O+~7#RgOr
z@hA<}kwX%w?j<hhE2R^G-iV>DomzQ1k8JONlmyDhV?H~na={(`iVRdMiD09_5Nl0=
zR!)vZqGotU)b-7)!<<yGka$OsjylRaoacfHH7b(<%aoyR9z`AT$~yy0Drq(pb)d+z
zh_-tOn1ozR#VpLnLgZs93Q&mED8pJ*pcaitp&i}m!8UA1KL#<1F&xGToWYg23fJI9
z+={z#|IkJ0z%GXp?3}l&6LAZy^(_Y$GB9%<MS8eY=iDi63rr|Nk&Hg+KHRo0{n|JA
z@BO+(9b2aZP-M!Lq+UTRKSyl&?iS$YOIR{x&dDf?j?VjkjZH$)e8g)aItsbalB~zc
zk}X>CR+UwECX{7WRz4otsKxbeB^+zl>{_=B`*Bi&3xiZb!37XN84L)2gt8%^fN=ad
zIl@o^!}L$~MXrQ1Bzuv|`y?#OoFA;jmXv@9o{TA&hS^wvMOcagC|j-p5sFa`b<3MT
zg+?UMj!mszcZ6(J<q{rNh~dljQ{#-}x4%S?Zp|Oqr2Jx6%E-Y4sx;nv;JiiE{$*@@
z0(c{B#K-*4{~wV1NWVaL|9b-<ja@u2Tp|QvV*#y_fYDfIeh<we07pNOQIrA5kai@g
z5~(l<D>4HFkbx8lXn&Ai1QH-BFhP+11$p?ZiSj-pl}uc?%g`@IyaNNLX^&kZBUrMD
zZ+ZjVZlj#Xbiy|YBzrYGp2r~NPDq!Tvwyr3<w_$!Ip?7cX|>)y2c37L=gEp{{%4z0
zO}DPyy?gh>{#$nDem{gIU>vOC^Hp(1{8{vd-!HB&?kgT><qZBW!g~QUTl@1q=LXM_
zXsZ5M!IYEWyVd}fF*aNX_0z5V<EA}GIjUy22mY+So`D~=%Iv?^lXX(Z)r)?ypFiyc
z^#2RKe*t{^<;Ay$qz~fz`+&e}v(eQ)0mNK-MmPe=%Av)uz0FmbSlW`cX8dQO%m_?O
zl2KffQcX)UBgK>qvobBW%xc-@<XR=qyc{bP+o;fbJe!r+L|~gzTZt^Fv{Shqgm$S=
zZ4a@1_LDlO)?qS-$Q@B<k<u}0C#jrpoW?0e=johbaE`@glq-?0U~{zw*Ri`+y=yeP
zh1<<sZqngiZSLZAJD+>d?$qvXT^<nhh>(6y8}zIJ&$xl!S*`AnU|5k2OfD#}4%;}h
zC5^7v;#R$$@PYSy=v&<$;&(sBgL*tB>`@Vqi+U0Q8nGa`5^%>G*-r%<FMA89&^=Lu
z64@x}szpg-tUu~dvXv3_(mSYqkbu{pR1M%Ms2LK}p9#u02F1w$8EdeKbRFn)Ht7(l
zI3}@;35qKA{3>|{g2h<dxr$lPmQ!)lgt_TOMZLrP5HOB<tSbxasv>or6IJTXtD8l!
z1ZzF<Dk+AMCZ8qH#0(mCe#Mo!wxZB;n<_IZN(#a%qc;5b4cY<TiWuU8LJl^g&W%Uw
zQ9`oUY%<rf_xOEYyEYx`2&4P8d>aFle#3Tco}t)Q{^=gy*Pn<F9oehZZ2!hXXP@Iw
zjGIc#j@Gxe)|7kSVQ)5X3*)v+Tj05ALf~jckpu>6jUrn<lH|v0P;bAT{{BJKSZ5V6
z!ZPFK-^S6;?ymf&+4>gO4-!d3QbrO>SvLZq6UQhhHSOYnWUrl@{r|K5{VUbk5BWz@
z`epmCOh13<50q3Jh$)IYf0<EMBT1x-e!3t|oXTjd-7%Y8sjj$aGX4S`y7b_}sp~2k
zy#I7j=|hdcV<nYhG`^C!F5|ILNtsCzCCIG<c}A@ENbgzh8r5l7Yv`diH9AGg_FJzO
zBv76?16&M=c)}Uc8=4xik`wYkB^zVlQtBU$<q%dIE+1xUaw+`<x$%^bY?)EzNkI)+
zO}H|UXBcdCuT1E@elbooEg>1{K?-dbqFil%A`Zr9Cs>|#kDvQT5^O<(e&pViP`^BE
z1QdXwHk(?AuuF~Ro3fgbf?`wczldp**<JKH0o9@_EE&_ODDyr&cr2X!QAFhgv*;@<
zOzT@`jnyf2PA2q)ZS{+D!%I*>ZCab(II7HUuFx&9I2F0;ZDl47wNX$bgGQoUMmial
z*RyRqm>eq!icQU_o<A)4H0IU^qb*ScqG&3THBAKB@Z&qenfyoQBA0YpCgyG}$+**d
zipk__+)Zdkd0HtSf?32hxju1OwaD$`A2GIvgZ0odZ)YN7r3b|^B&jUxbKRAKYSUC#
z-(P`x=HGXv%Bj>Y5v{GA>M8e}eOzAONO&HTWp!V+V=&pmh*ToIYH?`J@utTz$OCI>
z!`x{fkvQB^K&+X`+i2@Dt>cS0-CfIP@%i&&r;<)0ZIM)r9kwTin144KnV*tv(-g@g
z1z;M%E9R$SXeJ?<`>F;-Ca$alWade>C|Q|b%NsP9Iep<ugM+A{OvaNl%<w2Zbsg~g
zwUbj<?ta&7*4hAzdoVqMk%=&z4!&xe#YN=@9Z^c&Gr7R?RCbzbs)*w-64IVY!!oQ)
z-_>$f&OjeEc6}_Y``Fu<KJp7VmT8u{IZq`obv4B)bIXjqtsH)06_lo}jibiqB(gRC
z6dw$Z0n$rl&rLAp13Wd6STXfu!tb(U1AaDoq!Jt~exCpM>~bDNppZDF;S74b!fAwR
z#51U3(o9}awHSdwVg}tug&tLRNgq|<<^9~C(NOJ?^$UGsB_th@uK~?#Y!NUN@|ZBT
zpVsOL6OPBc)$yB6(d6V$S3Y|Ey7F?@?9KM@)vKt<4l__LGZ}Cw(5tl}9V<vsV|dJ{
zZW-E6vJjAZZ-h9c(-HgdLZ*qk&!%?_q8z#(w&&=iFw+L6lDZmc1g*ZT4z2ML8n>T@
zu*#d<RVEpehzt_L%4d=@d7gzy^H&)#FU)K6@SXGPKi|@Mm|r|^b3A8)PAix*6JLr4
z6;hMs{|TcMl=r>0>fX1y<qy64v7yrL)P3;3?<*;>?{xpcUr(D=UCrzIz;$KuJInIk
zF2wP?r!&6$`1{{lpl|==G<_Owr&FKVQ}wiF+4^Zc$T`*?g*rqzt?FQp!fFjGRY8g&
zNUO<Yr3e>cEv44n2!>RJ!b%9l?`s^;=p(iYo4yw})7a~YTAfYS3MyXzQQ)+=3S5u1
zB!3zD;!Cvaqw3ab%tgcf@awO9dQ&4Zun}ATVfwpk(Uk_{jQ%S<lYKJYue`uXb=A9m
zNPQd`qmO8h(A&rkKw0-;@}G{iP2<GomJcwt1_w#{+tPOX4K#;6uyQ#B;*4SRyuSC=
z(EY0iuWF6aFcW8XIBCfF)I0U3H~alNdnUf}y~%<E2g_S|qO)mwcQPNlUEvA%{uY|j
zyrcd*vQ;`)IVxX**2?D2XH3e@ZaD!Gjy0rEGVWFeL-a<1?xF^glu=$2VI`bI%$baq
zP{P+d*teR>%`DG!xxA9ib!)a1Q&$V&vZg<{ITK69R-;YguGkYPr{uGPQ(1)vs)|3(
zYxg7XR$irl!WoEvL`Bq^pvCEqQ8~vf!wZ__+U+~^wg#igX4mfkIma;|*L9^aI;X{E
zX)x=gwbZ@6d}p3_q{*c22-i_PGsEC#v?Ojak~*bKPCXYbb>w-*oVc#5PXW(9t!v1;
zoR$?+mWK@PgEMVK<y4(E?ZGlX76Yk-DiBgyKK9@I<E9NhWo?ioH9cVsWupzaz0r)@
z?YOMv;s;xFBxOtm35N=*lp)KL&dmgFH5tt|f}s?_pwem!C=@}f)1nLoRiu+J*r`pw
z5A33hcKCnif&Pkqawm+5Tx(okiEgdGbF=u*n>RE+owRcaXJBM9lFek}M!Oj|+41^N
zy~7i5^D#<k96P@6LW)XO;0`JjGS(r?R-*~G67{BPGItnjd#giRyo{(x=hd_bZN))z
zv9P5nEv@zDUZyXmeQ!;fg?TPbN{ZbivI^n<thb*G?w8#8a(@0tckYn{-+nR+e2ha@
zPoK>`P;E5)&9PCxyE)qFyIQAuT(6+2tqi+irmZtP7HMDYk7ay^2khDgvelw&xl*Q(
z)P4dVHQ%m3^S4JwuKK|e-n>_F2#1Tr3EI)%bV`4(C@JIlEDkqbWmpm<2o7_E^=_Z@
zz<V)aGhfg;eqSCpB`n<XlD`_ua|_lAV~)~nKF%w<9qn|9+-0S>sNHh+Dm30jt0vex
zdw8aw)yY(ndcDbRC5{sIP^u>l6%4C$bT;@`cq_xXB_?<KN4l>G#GSecM-!2oi`JZD
z;!G?%w_R4+tkhcZb2xHJg)Wrvd?1BGhsQ$w;m}xHy(hKv9XpH1A#B#0?F2)>UvI!|
zBt!1S{?!$7nW4K!r7kRz>R_3mZeHsk8R^haRJ~dKOCQ6opY>K*g%oKg%#@wtCBm$D
zZz2EXr&viWDx^{sbE|?OI*>uUK#)iGaF+J|<3;tNk8ee@oiG!52Tx%9yNtLsl&PLj
zAD(5{^%LICh>byVaYamiyuSy96#gonyM?|%++W>*qS@)V$8PgQ#zV8A$e7ROvE%7s
zmM)`{@wHY~>MeF6Mnr$Tfv}M=l6vN!47bK|DyilMdt0R6Kg|r82vVyj?PLgi^dp<D
zrW0Phiw4T`6JspyqvQJ>Wvx6uT~<c(d9BcXOWQ`G-fF(>Gn!0}%uV$}IL;g$KKs$&
zor(99#?JoI_!Z{r8iiGM`L}n`IhOJc!3{J-dxGtU-lra0K*WGkz6-=gdj+r*x=c7Z
za1nNmNe3<xPDT5LT(ULXDZ)Vr%Pk4TLzFrc)<BPmqR4|JMJ24E6iZ;?MXEfDba>_+
zl5cynm^woqFmEp(VHhiDaeqe%8FST)^z<W{xG#!aBngU!QoODpyM3hlj*;tgaz=WE
z5)W>zH!p^)4aYr8ESftnHB5;7v1KJ>mz!~S4vYrNm_mxEHyRZ98@wo4PnT!7m;fae
zYmAi@U%cLw;!SIDG&qCakjN8mI>U7RS0hq=Dk@)pxhch;=5;yTJsrL9dPi_nWIkNh
zPtZ%I#z3e0M(>Rk_f#5TsIkRmx1FR<o@7qGL%(CQ;EOc0f9Klfn*NTSof+wBpJw!A
z_sDvBHp(4xp3b&&F(*7V83{2V!cwo(ll4S>36Yse=z8Kg*`WN+i*nwK5?)_Htv$UH
z6TQy^kY>tg!YMMJRif0{VZKx7)ovB`W@c^@;#)iL+Og@EM!(hFEsPrHO-D;h=UnD_
zxak(}YtLYP>)U$nw^;7?&b39--vWkFt&-9Q7{e+%4G|IZamZ~*eV0a8z{mKmbY1C<
zp#hi4(jYc!8L7*@O680ZBplH*!m8&)qUWlF&%n(KyF20?d+<FC{+>8&%Wwr9)u*{N
ztEc!*xwn1Lm39E%-LTv6&KiruYQ!B*%bJ!IMypw)q0GiPNKyFA5H-S?;lFP5E_q*h
zq2+Ag1K(r3%O!n1Zlz<Ichur@^tnf^UPse;?|H$${6{{dKNLG<cKoE5iqGww?^}D6
znr_0Z2^6<%-Rk?y``O9;TMbs5fs}3qxZ?)7E2w?*i;utJ`Oovp!%sK&0{l0&;s);x
zpD~}|qh$rOs+^+gM#WVPo$ZdMj<!aht!2bs_(M0(`;-6d3ld+2ro7Bvag}gKWxnm6
zQCrQH=P3b9y~J-nIh&OR*?fvG%c{Oxkp9E1B3OFSqusPo3r)uYElL(F9k+!OJ9uS0
zemRd<&M&Qh&kqX{uQ-S5Ez=8qV+-)gme@jMd;#oRZt*~0<-Wb#aIcVai!bLESg~c-
zLfgVZw6)pO46H5Zc>l<(AX)F|^iYje|MzP$sv4=L3?yMKMW|Gs)CT44#ZXd$ii=Tp
zx&fwk^7A9GaN0$>0BzyFoR%x_QZdnI6@tVWDExWS^VQmoUxDOR+@+E~wUkyS^Q1QT
zj@4Vj%`5tySH#WF<HCL4hxW&Y_Cw(<3NaM3AE_&&8|lX0`XT#}c-fU^6FY%CMs8Fr
zkDfdu4#CkgRbqMU*^dZii~l{|`4w`RV?W}MC7Bh1=U+*+YvZE4@?+&C><a(6ho1;b
z1Zd*`01dFaU04Ie6d5Kr+WpX+Fv`VsB-V5~%&Ken5K}QhX3cl8A)iA`MfIa0GfYUV
z{QguK1+T<J%+SNC#`+^#4YdPMQfI%7CDJFWkokj6m<MlOrxc!W5k>(qYQ+t)gUpIk
zOhJIti3zK<zro6dxQ-Z|V%msLpeL*WVn@uxE_$g>evYs@h--~jk_uED;@XljXR-}P
zXkeVbp^u9&3P^A$Obv+@L^#$c^f)I(17S)qOa=&Xg;*6UVu%RWh6$Zvsw-B+vbY2=
zZ^A5*x+N9Y$n4GD)wW-Ev_d6DSj63pauW9%7=Sa{fnZuv5hj5q>;q_N`r{0bwhM!x
z#`|D><=$JQgm@z2X{##4A|mU>XgDufj$o0JU`$J&3h=5rVHd&_PAoU#sq;n#yv?dY
zEQ*m>!(!?_Cpp4oATBiW5FcJFgMFG%2JhAtEd-rAAS-8G0-lN?OaTDh7R;rMW(t)q
z6RLhi?HCwR&baxhX7k%e8sC5V;45$AvzhfM=E;E{M^j(R^zCnhwl@YaUjbkyNMrAI
zwe(PYWnuUH`L`vZ^Tq;OfYOK1mBNiPJVe1kbg(|5B*FR7tHdzxzwoK>QRipL0KA(I
z%<2|z5TuS%Vg|0oB~Wl(VFU)akd|EjW1LBF1u`SLe`ghYGaY9>T1F_w1!bDUwwfSz
z->2z-I``W#QBH=ao;;+4k2-Iv@CYn3W1<NvTIYb=<eFrAizE3eghNYj%J;Z3c6<KD
zD9$Oe;Mtc|$VW()jFu%KCyt>KoSZV&m-&~!Q454g2{|Ap#@~X7x~xo6CNld{C#kY1
ze@(3$p2-$3qK!JPV5!WMYw-okT*C$FGzl;tRX}T=t_D&;sZ;enP$gulSSawLvrmB3
z4tL=)<s-lVy9$WAvTD;MABu4@D+Qcci}s~ZpG?J6Syd}XAJomgG7w4KL|||lGW!x;
zslfPHNxXI(c&i{<@9J({5-$CH-tKe8vr{{Cwz?Ld!+ald)BH<JZkOQlA^+st|FuCH
zE)jq<GC;c$<*L>488_>gGnQQKM$dT3_x_WBxF}N|gRp)hrp#GuvxAmg?Jf^^%#@Pq
zQd!xnoOqhyv#n{~g|~e3+qmt!a?fx1f*2Reyr!GFxjTF(?%Z9zH!gep+xcWq^}64-
zckrEmSG*_R+>_r~)~S`IR7?(Pp>|qJn+YVGSc<5i9!+RP|I#ci6Hh9Ysm47Pv6PiO
z$@lV#MMi9L!5X_l%Np4vfMCMNQ>fmmYBegU4eC}}M|E0P>NZ7{(WU;Y8RfO6rJ>D?
zXO$*4g*mOyhHcVT*cv-yTbnZ1$<2R!*e89L6VAEf4`2063`R}Vg*E&!9ebi5)A&X@
zC=h}#7+^s!hA@s<ti~SDkYK<^iZ)jG7qeJ~)FXY_1$TdEynREr`l&13%Ii{^u58O-
zMsqy3C7WuxnP)#&Ig`1pRI3WBwzOrhVD;BXP1RiOE3?8XYh1fpC|K1&WG=2)+1^Y5
z21H@72f(|S=_j|9t!?p;Xg_#l#{-Awf#;q4^Sd9v`!zRa2Z1B$_+AG$3atZk)AWN9
zK3+8Sq2^VVG+Rs4j1nEhp~YZ3m8o7Wn@!1{!88|qOb{H(&`na@mVGNvqlrCjgmR_r
z{yq>-f&9RV8{|@V?vfz}7&1n2oWT&6ej)+C06>n2#iN#9;U+z?8Ss!Tl~snaLC($9
z<Qx=+|8QVve3oy|%0BM9%t9IdM{!o#>X<ibndk7(J_m0XXQ@A@9vckDW~Al$B*H;O
zLAJCf@yDx&r`&b#t3Y5Zwmm%H2b?dkt0JVIy|6y{ES<n5>F4BiT~vD-Z)?<ATx|0m
z77k302*}m#F7u<1;PIT=znsKLr&E}J-v!Miw{B++(QTgZzu$Ske*nD@r3vXAWLw~;
zzEmjNS)#6i=yTFVUQTjSzvBY<^N=g#LJ`=sjOgb#+kfJrj--2@%RKK%63(};mxEji
z?zrQ^{0KoRrXG=zU87PR@F9D4vkU`C<Utj@%VzPZw>2~6&fFX~e*<C|>9Pmsyx8CR
zv)De5|6=8*MMu~phQLDPc^=YiV9fW?>8^T!XMll(FB1&Fj`uV^kQ;?H*zz(BElw(O
z*In3)19lEPI*Mo38DXf*Phj#p8E5qGcAs-j!~2>ON5;9sJ(J^`jX!_<<in2#A%`=g
zsgztnNHT#|Qvaw{js^C`wsE@1=NGg41G5yw5QdDi4OijnhCz2N?g8O5T@#sLoNh9~
z?d4G%rgI4?BcGDQ#^P}JP7akYCznAWlFw<tV<i(qJ?=Un51gQu2k39KaAJ}|<7}44
z+`$`#`HO{|o~yak?<R~zWMm$Pt{Yxy*$I)F`{QX#X1mvp?UBv8@n4<nWUcN5+&nLp
z8h+Eew0WK~luewtPQ2$894SrDizVtr@M9{vjeG8QN_q}TsZYn8In`N~jySm-@aUQA
zg}H4rmN@W)?fAk<C3#T!|I1kz0t&u;mM_~PO>U($%Ovo+Gz_iV1&uhoJ}9KznxieZ
zbx~ShgXQW%(_0dCcJ{O4wqEyQ)s~)P3|L{fWJ?hs69GU=2X%6Fq-A(TvZm(XYt_8a
zBQ_z6YLSokuV^c``BS*1m#5_bk}+?${~K;LD|0FXjae~`0L_|CuQ&|Z#Q`(zDiTw&
zpZ*9;N6oz+=2T@@>w$K`<bZny+gKDKZr((<S3D8)I+`nj-W1{#x;n)zcsgtbEZOqD
zy83bpMCDb~qLz|Pf?YRc@RFi&%l#xFZAJp+tm{Gv_C)np_E#=96lc!Y{Wo>>+)*^m
zR+uorvz;z4Cl<1O`Dlk^l3BzfysAY&5&ZfWV{RSKd_oC33xk#gNqV{h@ZG(g8HX5Y
zhGy&bJT4Q*A-3450cVfS9Vc5<rr`OZRw{D`4^HZ41nnwW7XsscVooq+0bsqM$!)Jq
z$AqDKTf-QGJBPN<;1z?AFCiIh68rCYfC%p5eCyUnuhy*nLZA^x;@IZugqm30TpYgq
zoUg?%U;dI3Q-6N<{owe33>*;L1fqT49q{2h>Vbq1I)HI#-tQ>OZXNb+gfZ#XKRO{u
z@N<&-u81ArhVI$}zn=lQcU0k;!4O+kvxWWMh8Q8Py{+u)E%$OIu)F)35Za&**J1qR
z)^c(n{ld0OWo<1ln~_az$apXLZZTH!ZV^_rL+EuqO1Yj!o`0!V*r-&R#-wbr6`&NK
zjZt2S-MRJ-ax&mfb0bZkGgMM38^LVo;WS%?otHG6rCn&fmrC${nZYPtjk-e~fEZRM
z_);wsCR=Kj6hRePEwT=qR}wh3#r#WJfnDoMxejrAZjvq6X}K&8y@&)Khug_fTu<jv
zi@4w5++dL#lqFRxLYXV28EtxvwtG=SwxTG;Yap9`oy&U9al29<=?!pg>#~&Vwr<{J
z5Au~<=_8ADrP<JxA1x58q;2Eu)U4$An%q=RA+aa2hM>7tQ*qXwzmf)R#LhK(UPgo~
zzgwTHER}P)naoBU(&e>b8yl=M-{m1^28vM#GO}8%o8WBKl0@o#86hn}5_y~`F7x?(
z7gOnykbR&YrCYkZWml2Ckiw2~BBTqk-D|g)aO@rq6+exG7l@RLA4ed|$>gqnP*{Yf
z=%BSkgc6j|D4X4aD1oPns5|`WSjYpG%<tuEuC2ynnf4G!p|l{FYpJtBAx5K&g|`aJ
zV_m~K&37&kqbLe~MF*{AMsi!1M)`a)O8KvtPu&(Ce+o|((PnOc%vyi<wRkVvbuD;z
zlh?sV@RNp|<eqnFOAF{han<DFY01^Qxt_$-=7he5Fm4Mpij9U+HxQQ)FTxVnzW1V0
z%Zxld3?}z0$1`ynw!rhEAo(K2xY$S+C8q<wA*<xrRM9OxuNw!g9RcILZ?yDk<;wwl
z>O^RvF&qenje|2;{b@Tnr!zYFLWnKj!9M%sf;3R_WzMC@sZyu1Rinf#dJhdNLV`mR
zW&USff#lzZGa8Wgo<su~ibjTTw>jl~r@?*23Ggb{<iT9gI>?#45i`5>U)3zL>=mPx
zF(2SH+E1`Dsz!#^Uui~(roLL*W%`9YuR7r%y`_Lky1`Q}rR5FYjt<Pz*Qngz{vN@Y
zQ6Pcj#hLvDX`rke*t`^90lT{=H@1h(7v{h~{~oT#r%SU{0()_2#JBsWr}FHsnI%pd
z@u6?lsuyp<ieoovnHL{BjjPT9drvdIAay_0;sHxF30pp$;M|}vO`2?za#f=^ddzm_
zi=Q4Ta>fxsr5FpGLNB^ju_Pk~FZ1wvEGIRB&`F3iKEWmoUjHW%j(0qdnj*I=R$-Mr
z6HTfQ-NDUVn4g~)Y{6%*;i+DDra(b%IAXz&L6W^j0i*tTO<Xl!vMhJ5?aM35!tNRU
z70qr2_z}x6cuu?<LX8#Z{yijzHiPaX^HPVij6*z>oPP$DA+e*;400X0D@FypGPJ$#
zdn@0X_9>NRw@q@-gIq_t^#B7S$!vs3GPlk6G=k^sC+DT~(t5%*=8gS}@KzLDNtYL`
zS)-HR7fXfC19&Z<QrxV)7`w&u%zzM~cykG&sri4YTq_yZOjMQ6+GrMouGeyHTvtnk
zU}6_L87^xyuq4Vf8~cJIF@&qbPem;Em3v#yK|b;Y2Rd~-p?|%#PG~LybbyQMs4<&a
zSPC^6%BM)krVe@~1KWfU!5-YjUdR&a^axE2F2(X}X)ZFfJeixdg8CS^{Pvtxuzw&C
zb=P%UWRpxX8A><OZO{NR7SZPH)C70SU<QJ_r|Sf_>H?~l%@r0{IYh9t;A19{40v1|
z<w!@$E9>-~1tcVzGs($4vRVLpKb}EM{cM1(X9H#Jz}KHCqWZ?j7+;i{ZF6H`fi}Pg
zp%XC*ff5Stw|2(8R&{Iz20Zc7w5h9D&?R;bMJf2kUK`*-i8v*<f}erJt(^NwtJ+Uj
zlGl6;=nP=nt|RkFPi^J&5oTj)-y*A+KFVx1zyIpb)O_3ur55yjcR^Q0e&DNBYhcNw
zyRQQ%Li1$?S8pEc+m_DY)nKf-aQmE){##0HNA(*nfWwC-eD7{|PUtI~Q@uO#9#>WY
zoH2%*(bA!G7nc=woYLecIR@DtVjO`!T%w2Be54iz(k{_sgWU<R;!wnW*6wDJ4H7yV
zj3AHSCs~}Wz4M|gq#hwU(hp5k(-lpDDJa+dkM|KJx<`PY&Ok2bpkH<Tb37@z@0%9k
zpuGzog0xCDc`8$NeIm6sUQUFR=;oLHZ@ilFhHh>XNP2>1>0*5rYOw%~c<9(7sh9HQ
z9MdA@xrDRD;YOmK(XCYG52hc{?o^tPI6{Rm4&(uV{zMop-qA*#S=E=bwbX9qj>F(q
zww0otk+x8xZo~kzDDCQF?*{ifIUScfbJ2kXVTh+F5$!HBO7@2cej%Pf;O8q!dyDB5
zj_sRXkcevUA>js{O$YYkI+!1aobmG?BlhXqx4}dS!+LJ~{Z!tBBt3BL;RMJ%43GBq
z1(Y7kT#e&!4UN#{Y-5tL$>E-uTWI2}tS8gZiA_Q(89geGb~oFTVm7%DS&6C&Zp_2G
z0TabUu`BZ*)`qF$BT6_?J|NGn>VZHKXaOT)14;x~u?ykt^t!&5Dof?ks2Q*%MhglV
zttKQ8O;kV3(Wal*p=qyXhWq_?`}$?3)@Iu@F<Rq~chn)n^KqyQgn9T@)Ls5Je*7Jo
zR}S0QT(?DN@*eJvC&~A-iTW`L{kePVEUcSuy0#EBc>mo~G^n8E6Kh-&y0b5yqX&==
z47YVwX=2lDTRH-fdr0yPNH)R87#b|#L~e(}WTT|utbzYvr1o$G5??0d3~7d9{zzDy
z|1a9qK?^fI8H18djQ`VQ@t0Jbsme=qN=Q8o$_<jn2I1I#<!ouf@ISr}ESps_f^un2
z=MqJi*7GTdUBHSeaL@I1k}^~e?fs=xm?a`Rja0`I_WlRJaSOs>WH9h9ca#f7QRWLC
zZC(IzQ--^~ITfmRwO^0=2pSE*^H|0mWLt>rE@$QX3QKllw?>ZTHm$-)iLI0Zjl`aK
zCGq2Lml;O$V6_A^S>UCKUPc=TFouMP;!wI&_Sq|?SX47!pI1i<h<NQ0d@TTg%6+vT
ze|Ty<oN?}Jv`Uu%0C0Qp<9F1{o|-pwfrZ(V7<73A%CP_fe1kYWl@?t6!ZAY{J&MV6
zjJHH7@SF1s0pPZzucdwnCb?=RF$gjt05jSkI3Tw<rX_x%B2=Iy4hR6#oNj%X<_g!R
zB9t#QRo#vQEHh!u=&vCr5Maq-8dj|p!Vn3?*SLy@)e7AVLvC@OtP|}_3q!ljFU6#K
z$oa6^sUQN7e5(~hGT09Qe2{?`8sJvzZkJit1DsX(4Uga>>2$@*Mb5w-cp%&n-Y0*X
zlvfIeU~byoRJG8geh-%yKXnL188{_qk&rE3zJvv|_zDIU8~`tlpz|RmC&9;(9>4i8
zcz62}NZad6RMf05i8$xlblP$s2m#avTT7s0@Fha3e|$;6_KPnWvVG)B0k!LWsi3sR
zmj<<3eCeQ<r({6j{&Hr<1$LS+CSqKZSrMaRqMZ88vYHkVGj2w+3F9VgN6Of(G~3^4
zHF0Pg^v$-U<>!iK{rbc#H)ajAGMFf%-D##B<jO<}ol5LLe#mSqCH|9U7|G>gAZl7{
zpv<O9t#`(ZsxmQgeGZcIXyA6MvNK9YN10y2*nogitsj?yVtA{d4k4I0KryANb-qQ|
z&D!QODmLGD(kjz|VXmrmqEn!K0R1(%-03x43=ZoT9h#>s4=@cKwVJv**!e-R-p=KE
z?`kxz)5#fTD)+aq221no4IWGhg#XWvG617Jl^<a!0VTrzl0f9&bXbTDRdEm(s!Kts
zC=I2f3=o&uAF^c2k(;Dt@{*R{UkVf|N>*{Tl_ZacuauyVC@NE~LS@Q?M5<J)=|JK%
zNl3}kR@*23CRay6nJyJI4Q={#^bCwlaOR8=EJ##%*6zuso?U~+%sKk3JF3sg#jUw>
zwbbB0fVS~!g}@Q5O*@|sojLROr!I_cfm{WJdZXv`i0Bp7S4;f{@-%2j%y1uTZN#WC
z<0hh;G-cY1+0M5-Un|U6Sx2k-)IV06x2De4T4%it`P*od&9>NTo9!{}u+uIJ1=?+o
zz4qDfK*0|7c^^6KNLe0%#iFB*dA8WcBytgjN~1HFEH;PB;|qi$u|z79E0ikjPAN#$
z(bdy8Ff=kYF*P%{u(X2ZM}We2_jd@(6z+MTHdAvSJ8J82?A?NzMa}ni()gPQV*h)J
zqA=+3PS78H(E}!-jdCu9ICWHuMpE`bhp=8JgBGD+F{Zx7;8@j3XTgz&_e6X-1G9#U
zH`GaY)()P#NsrL!Nn@Axn%1_HK2aYjgdRva<BA#%64#I(FT`QGI6e@|#aaePswg!R
zdEC35Nm4q{{cS6)O=I%2oD`?a<Q!{%#+M}X_lc$Ti$Wp8sS02@+<VX;%`wvz`?{9+
zP(74+Gm6=|94b6m1y@3)RicoV=~seCtC>LBp{ZKboRc?n>VAcqG~*FB{h}^{r*Eau
zt)jPD4k1Ih%$LxYStojHn1pO;<wPW)g@}oXh&ZXnjL6AEOkiTxjWU)i1Vm`@81xbj
zDV9zpC_$l$GJNdz9*in)pYan$qW_;>R|AvQCruW%EUyzTahcOkB9UI%bL{#iYg?)p
z=3H?NUW3=i47oawpksx>8TvHF?MqK`k8#;p&?V4{06+)^0R%vBg7XnS^B(6D`g^Pl
zKA{k3MFs!7pCxuNd9XlYSo3x^@_8|Cv5b|OeOPP9aDmUvzB8Fx#A%BnoxU)KGgeaT
zZT7@!{ymv0heglP==OLA`(*k3-{&L}Aq6%3DKb;R5&V_wv3#=4goqJ4e(3sst<8i{
z1|`Vo2N?a0o6#GzRtI8a&2gI2O^TZ!49XxyR~_UPUxnNn@W7L-{)X4iHjGU2O^iLM
K!Z6td0002tw^dRA

literal 0
HcmV?d00001

diff --git a/site/index.html b/site/index.html
index 8a9361f..08d8057 100644
--- a/site/index.html
+++ b/site/index.html
@@ -10,9 +10,7 @@
 <meta property="og:description" content="Portable DNS resolver with ad blocking, encrypted upstream, .numa local domains, and developer overrides. Built from scratch in Rust.">
 <meta property="og:type" content="website">
 <meta property="og:url" content="https://numa.rs">
-<link rel="preconnect" href="https://fonts.googleapis.com">
-<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;1,9..40,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="/fonts/fonts.css">
 <style>
 *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
 
@@ -168,7 +166,7 @@ section {
 
 h2 {
   font-family: var(--font-display);
-  font-weight: 600;
+  font-weight: 400;
   font-size: clamp(2rem, 4vw, 3rem);
   line-height: 1.2;
   margin-bottom: 1.5rem;
@@ -231,7 +229,7 @@ p.lead {
 
 .hero .wordmark {
   font-family: var(--font-display);
-  font-weight: 700;
+  font-weight: 400;
   font-size: clamp(4.5rem, 12vw, 9rem);
   line-height: 0.9;
   letter-spacing: -0.03em;
@@ -513,7 +511,7 @@ p.lead {
 .layer-card h3 {
   font-family: var(--font-display);
   font-size: 1.4rem;
-  font-weight: 600;
+  font-weight: 400;
   margin-bottom: 1.25rem;
 }
 
@@ -557,7 +555,7 @@ p.lead {
 .arch-subsection h3 {
   font-family: var(--font-display);
   font-size: 1.5rem;
-  font-weight: 600;
+  font-weight: 400;
   margin-bottom: 2rem;
 }
 
@@ -880,7 +878,7 @@ p.lead {
 .perf-stat-value {
   font-family: var(--font-display);
   font-size: 2.2rem;
-  font-weight: 600;
+  font-weight: 400;
   line-height: 1.1;
 }
 
diff --git a/src/api.rs b/src/api.rs
index 1c6283c..ef761d7 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -15,6 +15,13 @@ use crate::question::QueryType;
 use crate::stats::QueryPath;
 
 const DASHBOARD_HTML: &str = include_str!("../site/dashboard.html");
+const FONTS_CSS: &str = include_str!("../site/fonts/fonts.css");
+const FONT_DM_SANS: &[u8] = include_bytes!("../site/fonts/dm-sans-latin.woff2");
+const FONT_DM_SANS_ITALIC: &[u8] = include_bytes!("../site/fonts/dm-sans-italic-latin.woff2");
+const FONT_INSTRUMENT: &[u8] = include_bytes!("../site/fonts/instrument-serif-latin.woff2");
+const FONT_INSTRUMENT_ITALIC: &[u8] =
+    include_bytes!("../site/fonts/instrument-serif-italic-latin.woff2");
+const FONT_JETBRAINS: &[u8] = include_bytes!("../site/fonts/jetbrains-mono-latin.woff2");
 
 pub fn router(ctx: Arc<ServerCtx>) -> Router {
     Router::new()
@@ -50,6 +57,27 @@ pub fn router(ctx: Arc<ServerCtx>) -> Router {
         .route("/services/{name}/routes", post(add_route))
         .route("/services/{name}/routes", delete(remove_route))
         .route("/ca.pem", get(serve_ca))
+        .route("/fonts/fonts.css", get(serve_fonts_css))
+        .route(
+            "/fonts/dm-sans-latin.woff2",
+            get(|| async { serve_font(FONT_DM_SANS) }),
+        )
+        .route(
+            "/fonts/dm-sans-italic-latin.woff2",
+            get(|| async { serve_font(FONT_DM_SANS_ITALIC) }),
+        )
+        .route(
+            "/fonts/instrument-serif-latin.woff2",
+            get(|| async { serve_font(FONT_INSTRUMENT) }),
+        )
+        .route(
+            "/fonts/instrument-serif-italic-latin.woff2",
+            get(|| async { serve_font(FONT_INSTRUMENT_ITALIC) }),
+        )
+        .route(
+            "/fonts/jetbrains-mono-latin.woff2",
+            get(|| async { serve_font(FONT_JETBRAINS) }),
+        )
         .with_state(ctx)
 }
 
@@ -844,6 +872,26 @@ async fn serve_ca(State(ctx): State<Arc<ServerCtx>>) -> Result<impl IntoResponse
     ))
 }
 
+async fn serve_fonts_css() -> impl IntoResponse {
+    (
+        [
+            (header::CONTENT_TYPE, "text/css"),
+            (header::CACHE_CONTROL, "public, max-age=31536000"),
+        ],
+        FONTS_CSS,
+    )
+}
+
+fn serve_font(data: &'static [u8]) -> impl IntoResponse {
+    (
+        [
+            (header::CONTENT_TYPE, "font/woff2"),
+            (header::CACHE_CONTROL, "public, max-age=31536000"),
+        ],
+        data,
+    )
+}
+
 async fn check_tcp(addr: std::net::SocketAddr) -> bool {
     tokio::time::timeout(
         std::time::Duration::from_millis(100),
diff --git a/src/proxy.rs b/src/proxy.rs
index ce592f7..244e597 100644
--- a/src/proxy.rs
+++ b/src/proxy.rs
@@ -117,58 +117,15 @@ pub async fn start_proxy_tls(ctx: Arc<ServerCtx>, port: u16, bind_addr: Ipv4Addr
     }
 }
 
-fn extract_host(req: &Request) -> Option<String> {
-    req.headers()
-        .get(hyper::header::HOST)
-        .and_then(|v| v.to_str().ok())
-        .map(|h| h.split(':').next().unwrap_or(h).to_lowercase())
-}
-
-async fn proxy_handler(State(state): State<ProxyState>, req: Request) -> axum::response::Response {
-    let hostname = match extract_host(&req) {
-        Some(h) => h,
-        None => {
-            return (StatusCode::BAD_REQUEST, "missing Host header").into_response();
-        }
-    };
-
-    let service_name = match hostname.strip_suffix(state.ctx.proxy_tld_suffix.as_str()) {
-        Some(name) => name.to_string(),
-        None => {
-            return (
-                StatusCode::BAD_GATEWAY,
-                format!("not a {} domain: {}", state.ctx.proxy_tld_suffix, hostname),
-            )
-                .into_response()
-        }
-    };
-
-    let request_path = req.uri().path().to_string();
-
-    let (target_host, target_port, rewritten_path) = {
-        let store = state.ctx.services.lock().unwrap();
-        if let Some(entry) = store.lookup(&service_name) {
-            let (port, path) = entry.resolve_route(&request_path);
-            ("localhost".to_string(), port, path)
-        } else {
-            let mut peers = state.ctx.lan_peers.lock().unwrap();
-            match peers.lookup(&service_name) {
-                Some((ip, port)) => (ip.to_string(), port, request_path.clone()),
-                None => {
-                return (
-                    StatusCode::NOT_FOUND,
-                    [(hyper::header::CONTENT_TYPE, "text/html; charset=utf-8")],
-                    format!(
-                        r##"<!DOCTYPE html>
+fn error_page(title: &str, body: &str) -> String {
+    format!(
+        r##"<!DOCTYPE html>
 <html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>404 — {0}{1}</title>
-<link rel="preconnect" href="https://fonts.googleapis.com">
-<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-<link href="https://fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=DM+Sans:opsz,wght@9..40,400;9..40,500&family=JetBrains+Mono:wght@400&display=swap" rel="stylesheet">
+<title>{title} — Numa</title>
 <style>
 *,*::before,*::after {{ margin:0;padding:0;box-sizing:border-box }}
 body {{
-  font-family: 'DM Sans', system-ui, sans-serif;
+  font-family: system-ui, -apple-system, sans-serif;
   background: #f5f0e8;
   color: #2c2418;
   min-height: 100vh;
@@ -202,16 +159,24 @@ body::before {{
   from {{ opacity:0; transform:translateY(20px) }}
   to {{ opacity:1; transform:translateY(0) }}
 }}
-.code {{
-  font-family: 'Instrument Serif', Georgia, serif;
+.hero-text {{
+  font-family: Georgia, 'Times New Roman', serif;
   font-size: 6rem;
   line-height: 1;
   color: #c0623a;
   letter-spacing: 0.04em;
   opacity: 0.85;
 }}
+.label {{
+  font-family: ui-monospace, 'SF Mono', monospace;
+  font-size: 0.7rem;
+  letter-spacing: 0.12em;
+  text-transform: uppercase;
+  color: #b5443a;
+  margin-bottom: 1rem;
+}}
 .domain {{
-  font-family: 'JetBrains Mono', monospace;
+  font-family: ui-monospace, 'SF Mono', monospace;
   font-size: 1.1rem;
   color: #2c2418;
   margin-top: 1rem;
@@ -239,7 +204,7 @@ pre {{
   color: #e8e0d4;
   padding: 1rem 1.2rem;
   border-radius: 8px;
-  font-family: 'JetBrains Mono', monospace;
+  font-family: ui-monospace, 'SF Mono', monospace;
   font-size: 0.78rem;
   line-height: 1.7;
   margin-top: 1.2rem;
@@ -248,9 +213,9 @@ pre {{
 pre .prompt {{ color: #8baa6e }}
 pre .flag {{ color: #8b9fbb }}
 pre .str {{ color: #d48a5a }}
-.lyrics {{
+.aside {{
   margin-top: 2.5rem;
-  font-family: 'Instrument Serif', Georgia, serif;
+  font-family: Georgia, 'Times New Roman', serif;
   font-style: italic;
   font-size: 0.85rem;
   color: #a39888;
@@ -261,19 +226,87 @@ pre .str {{ color: #d48a5a }}
 @keyframes fade {{ to {{ opacity: 1 }} }}
 </style></head><body>
 <div class="container">
-  <div class="code">404</div>
+{body}
+</div>
+</body></html>"##
+    )
+}
+
+fn extract_host(req: &Request) -> Option<String> {
+    req.headers()
+        .get(hyper::header::HOST)
+        .and_then(|v| v.to_str().ok())
+        .map(|h| h.split(':').next().unwrap_or(h).to_lowercase())
+}
+
+async fn proxy_handler(State(state): State<ProxyState>, req: Request) -> axum::response::Response {
+    let hostname = match extract_host(&req) {
+        Some(h) => h,
+        None => {
+            return (StatusCode::BAD_REQUEST, "missing Host header").into_response();
+        }
+    };
+
+    let service_name = match hostname.strip_suffix(state.ctx.proxy_tld_suffix.as_str()) {
+        Some(name) => name.to_string(),
+        None => {
+            // Check if this domain was blocked — show a helpful styled page
+            if state.ctx.blocklist.read().unwrap().is_blocked(&hostname) {
+                let body = format!(
+                    r#"  <div class="hero-text">&#x1f6e1;</div>
+  <div class="label">Blocked by Numa</div>
+  <div class="domain">{0}</div>
+  <p class="message">This domain is on the ad &amp; tracker blocklist.<br>To allow it, use the <a href="http://numa.numa">dashboard</a> or:</p>
+  <pre><span class="prompt">$</span> <span class="str">curl</span> <span class="flag">-X POST</span> localhost:5380/blocking/allowlist \
+    <span class="flag">-d</span> '<span class="str">{{"domain":"{0}"}}</span>'</pre>"#,
+                    hostname
+                );
+                return (
+                    StatusCode::FORBIDDEN,
+                    [(hyper::header::CONTENT_TYPE, "text/html; charset=utf-8")],
+                    error_page(&format!("Blocked — {}", hostname), &body),
+                )
+                    .into_response();
+            }
+            return (
+                StatusCode::BAD_GATEWAY,
+                format!("not a {} domain: {}", state.ctx.proxy_tld_suffix, hostname),
+            )
+                .into_response();
+        }
+    };
+
+    let request_path = req.uri().path().to_string();
+
+    let (target_host, target_port, rewritten_path) = {
+        let store = state.ctx.services.lock().unwrap();
+        if let Some(entry) = store.lookup(&service_name) {
+            let (port, path) = entry.resolve_route(&request_path);
+            ("localhost".to_string(), port, path)
+        } else {
+            let mut peers = state.ctx.lan_peers.lock().unwrap();
+            match peers.lookup(&service_name) {
+                Some((ip, port)) => (ip.to_string(), port, request_path.clone()),
+                None => {
+                    let body = format!(
+                        r#"  <div class="hero-text">404</div>
   <div class="domain">{0}{1}</div>
   <p class="message">This service isn't registered yet.<br>Add it from the <a href="http://numa.numa">dashboard</a> or:</p>
   <pre><span class="prompt">$</span> <span class="str">curl</span> <span class="flag">-X POST</span> numa.numa:5380/services \
     <span class="flag">-H</span> 'Content-Type: application/json' \
     <span class="flag">-d</span> '<span class="str">{{"name":"{0}","target_port":3000}}</span>'</pre>
-  <div class="lyrics">ma-ia hii, ma-ia huu, ma-ia haa, ma-ia ha-ha</div>
-</div>
-</body></html>"##,
+  <div class="aside">ma-ia hii, ma-ia huu, ma-ia haa, ma-ia ha-ha</div>"#,
                         service_name, state.ctx.proxy_tld_suffix
-                    ),
-                )
-                    .into_response()
+                    );
+                    return (
+                        StatusCode::NOT_FOUND,
+                        [(hyper::header::CONTENT_TYPE, "text/html; charset=utf-8")],
+                        error_page(
+                            &format!("404 — {}{}", service_name, state.ctx.proxy_tld_suffix),
+                            &body,
+                        ),
+                    )
+                        .into_response();
                 }
             }
         }
diff --git a/src/tls.rs b/src/tls.rs
index 966b1f1..a4d91bf 100644
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -112,8 +112,15 @@ fn generate_service_cert(
         .distinguished_name
         .push(DnType::CommonName, format!("Numa .{} services", tld));
 
-    // Add each service as an explicit SAN: numa.numa, peekm.numa, api.numa, etc.
+    // Add a wildcard SAN so any .numa domain gets a valid cert (including
+    // unregistered services — lets the proxy show a styled 404 over HTTPS).
+    // Also add each service explicitly for clients that don't match wildcards.
     let mut sans = Vec::new();
+    let wildcard = format!("*.{}", tld);
+    match wildcard.clone().try_into() {
+        Ok(ia5) => sans.push(SanType::DnsName(ia5)),
+        Err(e) => warn!("invalid wildcard SAN {}: {}", wildcard, e),
+    }
     for name in service_names {
         let fqdn = format!("{}.{}", name, tld);
         match fqdn.clone().try_into() {
-- 
2.34.1