From 74ad89ea2e8fdd99eb11db6ab01e0ed816585bdb Mon Sep 17 00:00:00 2001 From: Fen Labalme Date: Mon, 10 Feb 2025 14:59:56 -0500 Subject: [PATCH] initial security-related files --- .../security/diagrams/PGov-Architecture.jpg | Bin 0 -> 47929 bytes docs/docs/security/diagrams/PublicUsers.md | 27 +++ docs/docs/security/diagrams/codeflow.md | 17 ++ docs/docs/security/lato/README-tasks.md | 43 ++++ docs/docs/security/lato/cis.md | 189 ++++++++++++++++++ 5 files changed, 276 insertions(+) create mode 100644 docs/docs/security/diagrams/PGov-Architecture.jpg create mode 100644 docs/docs/security/diagrams/PublicUsers.md create mode 100644 docs/docs/security/diagrams/codeflow.md create mode 100644 docs/docs/security/lato/README-tasks.md create mode 100644 docs/docs/security/lato/cis.md 
diff --git a/docs/docs/security/diagrams/PGov-Architecture.jpg b/docs/docs/security/diagrams/PGov-Architecture.jpg new file mode 100644 index 0000000000000000000000000000000000000000..93595787d8f82daeb979ab5483fb7a8b95f5a8f6 GIT binary patch literal 47929 zcmd?RcT`i|)-N0dr6?j@y7Z0`dY4WTYG~5r0YV87kS@(im7WkFROub01p)|4Co~Pc zORv%e1(l2EeDC*o#(2-Y_uMh=Ki@a^$li06z1DB7HCLN^u3SuBd8^6PB?Y$rW ze*PP}O!s8`cj^GZh{(T*^FQ+@gE@HHUq;x!{Be6-W_}5l_L8S{`X|r-o45NXukf4q z_j&Ad8OPu^?_~^CyX0Y)JipT)yxkwX{bR4+@nbIIC?MQ?f9Lg^ej~o=;BI1c`6Rvk zu>iaQP=FRd^>_I%-IwH%3joM`1ptT={`RxO000eP0KlE;zx}x1005Ms004IQZ@<6m z?!~jwkGXOOJ(beDd`%ZL8#Mg;`6Y2Hq*RGS1l9Q8>l97?$q`XOf zqNQ{5)NNlin2o92?g{X3B>zuzPxCcS*|_6@Qdm%jfYUAzZSkzPH$ za!PcC6L6L43K7+ni%tORZ*jVI<+mjM7hS(Xe2s*Z=qlM|F#I+EaQ({FE5xKXs3@*o zzeY?1xN?<<_}X<6Dr!<14l!CfdQKHX-&%${Ql_>($#wN3V_ZN9Nog4qvxlC3N$8Xu z!l{YIjJ@ON;X5M91%$FFh68#ATKz!{A z(ez_sO_dMlaw*@B9J7TqNs;l z7LgMrZ;x#EM_jqol5yjf)JokZl2#K9T;J7+#O~(0?rP{)nHg;C(#>8+!UuLHBwU1U z;%3P1ak#vq$%N8k2Zeh=4y8u3M7fcT(QmF0+V5Ewe{*OJ@-C#CP&m~j(D>$y% zNHH{11BNmgW-}$_dq+v^V|=ovYQ{?|Bqp93oNco)?Qo23I^Of8mWzMB!h{mgk;>a# zr02&~rL#(@i#0m7zH-XU%X?(EjvSpKqN^B=BQM zf_v>ya`#pedLM&%a?4;|1y5rfV6v5*YIoLIu0_(Zb@08s`BvP`l3o;0{59{iRd{k7 z!ZCt=u@PO|$PA_+E?|5y_FP6^YPCKa-W@+{;9&M})LOl0v`vkn2JT5aXRpibaJMou z2BjF8$F}7l2waD}iB;S<{gh=UXm7JW$D=Q>#rn8#m@%Cdx=au=mwO%Tr@J!y3Yl&v$AEdQtFPm#iC0QS9`U9*$Mi3k$&`9p#{WW^t^clht&<_s)Qzc^#vA9Na;&CZ@9TCPj?Srd@GAHl zCgN@$&@Wp+QPXdxk;|T(8gir+Dz6Z}kC#3=9u4;(!A80TK^&xr>#ichk@0V?jDMD) zh%=c!PxbO31m{uXOSsm|*{W)bP!%S6)?xN{#>8?H8Y>x?)hiJZ#-U6MO|A+u`zR`MKEH!zg zMZM>oTNeN(JsTT_YIZF}19y&^#O{1*nuVsR$NYUm=TBK9PnLenpQDvJ7_tA2iT7w5WD9xTvo7P&T=Is1mXp0Fgcu^iv zExySv2cK0}@5~6|0!?U~ylA#Wk?|(*r8F4`Y+C;qlX#ox_$CS6FI<@2H93>XdrfS6d2GA!k3{W{qB`cXO@4J zdl5I-Tv^=DkBZf*(s1>D1mXTcc5`Rzdy(nO#h~a|zSd2pH}b?J^sdVMYz9qqrP9;D zDS8`t={CYb1@`0NfTX#As~R+CVC^H)(i7C#t2&An(4G>4#+=V%I|L8O74&k8gz;>B z?sn>kvKvnJ;;cq6>Zi_o5_sqg%w++V-*m%nQ*q$^(DVPZ`Ka(b&TmyYuW2l6J*5P zKXV>rzqRJNwPwb%tTbVN#KNf*!7U*6@!3a5*8|_Y<6}~EMV;GsLGXH+{O6jiMX+~2 
zt#?7|tHYd$?Tn{YNhd~yV~una`9V0D6YA0RjOIjEE4O-q@31U-vLJp!Xg2)}yFNLJ z6E9(DwXX}u*GHfV)~L?|!`P_3z&D#~(rm>!B?oGO;s?-r9?kJSOBYQ%a3R`Tl(m2E zmfo`qK$U6Y6XiW=>0gG@8EytdrS$<|{eS3$3?>`M6iZ(M#<9MhUzj{>njC4oOoX{TCV~nRDZwJ6Tjt9Xo)C0*+%ZpaG{{}uKvX9fwI{Kx>CHlE1-xUf zrPEgGLgSeR!DoOUg%*t@LVRkvtIs2d6zjan?+HNpR5uj1eQ-N&E-q3f#8|iS(^U zQr%S@m!^{?+FROQQFV%7S>Ww!Tml_%mZgvN-~2>kdiM>MT&E6~CW2UR)OG|+j!s5P zNt%N|>L8Gp@GJO=;+-Vytn-XH^%Dvq2!56TL$NyijU&d2m!+bmrf=KloH5$_aX52z zwWB^UCK48dfeal&@Pe8M|WOsuuS ze!W_g@q48YLQ8v~mvJsjJ3yy31qI753t!G(D81kRWg;CIZK#7v$v{0}uY(gf%ItIAMx`nn@-2VAmBW67P7bmUK2>_M>=xXYmiD!H@dtzA3AGD&0C# zXGfkS!kTyrp^pbD5pK9Dn3+_c*SiT8XH1IZ#0)4sQssc!R6TdbPVq!sG*Qp+jM25c zuJKD8V=9|K`XU2qYj@=>F>Qwu0o4Sojq^a`l1A&VspR} zo?<8A%cUU)qp`Qkomt@~+H&c=BtuP;{8sAjy7E>k}CzRr;@GpV7{2kIxtSC*C@ z*k3doe+a334nD-gV=^nOAuxV{35_I|3NDcIAs?L}`3em!*!XDcm)4`)b$O zVLO6-`XX9`C|=!uXqNa|rb=NDt40E%_Bp#g-7CmM@E^kAL0!Aqp?nF?&SHSAE=&iVnt+;fX zzwrJPBfR&c1!w$M3(B;R+Yk%rvKyvm{7V7cKMcHt5Rk$erUf$mx1HDiPl4o))511k zB3!oW+jy!Jnja=!iPATaTFNmLv#BXdi}85ec!1sXF0+VYS&Db3rJ{-sQoOMWDG%wl z4bBnQl@}Ib#)f&?wKzmY*dygBV9OM}kd@?IY!NlOQ8#U1P@bD$ZB6pGIR2XsJY?R+ zrGv8A^JP{Zzlm&8vQ2FZNSZ}n-UuB6%6_#*3J z!1MvmIHqAFB!Tu^TwXkF3u#;!BUQ>TU(b8b zsNS@B3Eht^nc7_Hs1RO2c%09B)Q*_&qyUw2P50Yogc!iqFQe^4K$GcQ+iDu;p+VOO zPie$A87W%q(y7SfoOb&qDhG@ZKREHbyD3a1=x2$us-?I z$jc@7?RN&FR+Y}XHIH=CFluo|gY|XUaRYYT{GQ`KqHYPWk|OG;N?eq$P%*|PEfq*I z%m;YztWCx8L?uqAP@OE;9`kf(BGmIm$VK`NjAeN~$B7g{cfV^CzTz>xV?n66zuV0G zS;!r~+g8sq@(#D7=l^T&!_WyI27VJ@PFiECNa*x8IcCNe(sWWk;VRN__d_b78INk&qi|H*#7 zc5h~^6GAj#O3Io0LytH1q->KSd#O$iqFg@J{<==M#jxa$#|Mg-)w@*E+`j@Mbi7 z=N5Y#zG}OqbeW0lJC-_;OO-f!TxNwT1IC}2vD&rR!9qnIe)bHV5kFCLHdjeF?73SZB^hn&;IYeC)&KEiD>yM_8>}I4-lKcp;Si8bn7) zc8V7S4AyM!VNtWb@=f6@tzh19O&1BSi03g;#FDQkSm^m2MdHkhwV3%siGM44St-Cyi*!&4lw`eC^cjgZCa&| z=W+B-Tqf;scXgXYMsU10`ZSoYS9j)HElILG&MFlk1aDAz9~m?zI^?&i#d^nS-2R1-n22p#Z-BJR zb%$^ldn3;ox40%qf2M;7!ZUe{P>@2-EzUS01<6FlasAcECdv0^$@lhm7$2neyPvF7 zO>?Ty?PTw=k$8QF!rdUT8jrU;8S650+|+}tRdM0E1?&vuQQW}t*ETzC6*+rMyUL)m 
zVAa0pv?x>L#?o|0VD~%hqZEn;LeVmIk3pj0wpM3oRl0ZRKqUHoMZ;vzEvJW0{5tL( zCOcv*>E=aQ_vA^_BkKI5fN7~aMHt=g-c12S0dcLR;*rj79{1g*cQsGWFkB4d$gZ8k zNptVO;U33QerN&MFX>Is4sRB}homIcE!mo2PYS)n#Qprr~SM*u;liV0IfvlSqD zYNYkdJVR@gS?WfEI6DfcLH^g!PD64Dsd{K#ou5)~Le^ufYviEioiA!ku12T+LKlFB z*}#}8K_&W7xmSoz9=M?!+|XT9ZRa{_D%xRFrZo0jI?h;A^H`4tnpf10_50c9!{AcnhB=I@0rHX2`3b~IJcMeV>jh`Os)5JAaAdw4pzfj_woZI3+PPQBd zsXV$MCk#mAQGe_O;I&ZOTMmyE*|4RFX;RP4&up9O&Ge=?p%P~g$PdJ*$qj!-+iIOX`_=V@-KoOYK9)D{1hKGUrcZ7djpIF~aX;;5-3UD? z<36{y`E}3coZs(ncII%b%w54IXL)J##3oT{Pwn09tT9-&o9hLjYx@G=aO+P8Wpah3 z=h9D-t`fI4PQ-jfActaUpVH*S1t5Cj7oPPGo?XNOyWDj~8ErK6RDH(l&X%x0Th|-b zM`CK$hNSa;D%~&WsHWGg%`3Y0??yHz*9(9Z8^p!MX9qN!O^_kgRTlt;s-H>nfAC5c z^@yJ6W3dAZ%X|H!>He+v_tg37&G}}SE&vCC7l0|Xe{rmqna)0GQ&XldsQD2kr4n!d z-9e$;Uofui;L6Jl?xp0#WmS`rXBIlH^f(gbj;*FS9=&mel?qf zBXULui=5(DrM}$SQC*UoI_E!2ybx{nUj_aLD}Fdvx?O!);yd3eL{e6_belgtI#vz( z1OK08vHyS36obEXm`?qajk*rsv-w#ZH?;rGkRId`5I z9#iugV!qWCFX_g;;ElvB$f1(W% zY_Cg#JO6M8R*WZI02l=y&9g@5gVO?1rqv^NbH+14A~#f{Kv10qE-uj;;Qs4q>(}q% zz>;}>MVZRf2=e3Yvd_Z?fZI_#q*(e4t8R$Sp&wU(zJ~Zg{9FdrcW{I6wEmyI zsg%buPEVj;9ms}lDXv0_0Zq?MX~=zjNO?E=t1_@jE?$*|s;L#W8Z|5-*Wq4ELn$86VK|Xnm_}ho+MC;hs6>g2 z13^?6%rOSD>*z#ql&f;wsZJ_zPWDZFvhE;CS4xPLTtHs{h|LV@L3dbN72`VFy@a!7 zc&+l=BXo+j4Qc)QdT8qhkR32}H2nb~y4_H-d2KU{z0Tn&vSzTxt)OOZV*($}5ClrfP ztI$XY$|pF&obR>X9iP5e26QtY4gVCSGr&H$xN=xJ;lwNHeLv4s@mg^Op1)FNIc(@C zd?^*gKbp&(AK9>#zxq_Qgnuq6Y0@hpx1=f~T~T>}3+8(w=^M9vOPaWxwwWO|)tzGq zzoSvN9Ay#E*(;HVtx=5SRlB#*$5}7A=h$SHYG=5!Yis!SXL`MdlsGlb{>b4?i>dWe*cX6h@v*d_tz~*?Pww$%2-o@*A_>M}j<4s0lMl z7Xa^jvtLF+*8{Q%ZpE_oCduBeFH~birs~iKe1k}BeS66%A)hp-=;+8fpaVo=e+MMN zm>sMhc%~&_5s8?e9U9RYR}zS|7$~Xh8*Dngt7&C6+P^1IxLRrhMDu96?mP`mEWT9F z;~{yCrjRK6qaE=+6T;ySWZ!ns6dm3okGUHJPfmjp(CG**czEO>PurC;yQN82Svidg z4BTy=HxsHoq)#T~;NNMZ zZ~1Uuq(?WG$>0N4kxPr4teq-+rO!Ym*45KM8PYmu%|(>p>X&Bt0E=c9tY|`M@k&@S zonbz$47_ewX<$@XR$pY2@@!v-w& R(b)@3|mXwp^52yBo|{XJHyz77*d<7*OEG8 z=g;Vod>_KUCcFFW>0jRh-gRF$2SU zYPXnqT_BSru3Z6igFi{EMW9C(wKERlEi%rN8pCl%aXSb| 
zr*;@ZWI6kM14Wc{rEm8<4$i(`R~k23W?DQQ-SKE9KhHVCDrHJFIllnRn=Xm#sNPQ$ z;0>Vv>ZC{B6y7~7R#v!+NuDo@_2jwDqrE%>NKkilXi%ZTd?o!t$&a}6uCuJxel*6frgUt5GIAAN z=RCVK<^2LK$|oiMePl8|BpC%1=~OLxP{Z_k?Q?^}!}E$Q39H7Hrls!_b`m4H*^Eaa zKnf8I;;5NzR+U*A)mo2>k&e>Lj!xn&sc`;SD4O5l2}cR^SSB3Bc1UMv5ru*yQw&~0 zZ+`DONX)xsWZi9SU%mkS3Lz=YbfV4eVHd3iUTnJSDYgd2AOAWI#+)5aImUCZ4q zTFLvdWl-{`WM}fnqcU+F1&6b)eNPE>*PRrDy1j-cD8n>k^%t))`-0@`#u2lObW$!^ z<;h|bW&GGeJB6SdB}S9papWNVA44FHjcra)8cq8mmAe~!>rVB!N56>vh=rxBL<&YO_O?1G5$Uf= zin>`&2;z@&766vcCxrlzK4;@5=E5rwsT31WIE!;x752S#3pI&+w2t;&;x zC6MEzt5E%K_QLngn}(FcMF$mclzpyI`Igk)H=k|aGWqkBSmA_YY)woF$Z7B-WZ@EN!J3%wML7xtS|HYN+_wi?cn!<3I$Z#SMaAk(} z^M9}&xK1PWl{H{xN(rtyc@|@}HlJ6ekj^*AZ^>>L=XwKv!)r~y#+U7|U=(2eK!_~V z1FBRMpr7az5EiepUczqFQq)`9(%$ptOGw(M)$_Jc1KUUA@@)wK*{X*Dmh|`R>7`OL z6}L&@9a$^M>{BV!AzRwLA1xWFH^hk~L_NLh6lzV|%$;hbFWIw{PJE3@;c3^bIouh~P za%mwlGM|Rs*q(Xg<`+=XP4;N6zw7k&hOGr%@ldnBrgQ^N_|%E_4djz%m01 zdbjec4c|Vndnc%nayGlNSSVU{swW@yz|&QkDXB0PEPko=!(@ZvtH95As&GZ%pFL*5 z+7Tmd2S?n;8s&Y@y915Bi-ZiyneECoFR2l-`&@V7gf`Ey1!`9L3jn*=C;D1mBF0Vq zmHJbOO`FE8y(mg>#NR3T?EMJtQMVXKrEn^jQ+v4)ekG(lP%LJ`Hu;VZiF=_+kyEu$ zg{>B-nNuOM;&F|mTS2?ptO7zPwD+4fA?Q9R$J$h%XM#zP;FAit(lSc?%pgPsmZgnZ zGv&UjT&(n_MxR^fNQhCB@ht!loNMjq=PIVUe}myyw*CBq_k4Wx(jSgcdFQ9AgKSP? z$?LtBc2!?qKmHHIm53}oFs|j$En6bTEksk)+rw}oOBc14BobfTBN6*n^Pei7=rgFsGEKQx(=ga>qM+{vc4oPSvEs9* zAYc0PEH4l7~s(OeW9-L z>R6bIAT}`8uCn3_?_Qf6TUE#DuTP+^=^&<$tLgYydU>ZdrpUxWX?KE9Q3v|4* z$wl5x%QOXNHa10vMT!gzCC@!_C?t8(8EIf8#2TIG#zTl5G&&mgxadt2rJdN@h`z>Y zD+t(=yFM`u>O_E9y2BoIul~&2@H$K?Re;Mc%$|iXNffIX70~9^a#vd2rqUHZTdil_ zXQ2G1#z|dGJEB}^Y1nq<@dY3hNJTw0MI$`t?GK!-ZqU|RHnmb%Y zs~IyZW0L5i%=`i^W3ZW7XNFVp7|^=CM3{6(Z3Y21|6--~E1SoDy1=)mPlzVa5##mc z+0PkCJ`BgCc6+@&8?Q(06W#qLdw`;+XFu8Jn6AAGxcWZ)-*#;Ffd7j<`zlwlTzceY zuplnL9$Pe1cD1Z3-V7u)Zd_v3L7=G93hl4V8t4vj3})d@9`@!CWhygQDsH0r@%i$z z4fz5?~Yr4lBu#hT|-2;>gZYXx@}Y1R6P8;!MR)Cq7njvFj;}< z)6XQY;yeh}_Wm(amT{W>2SHX)x6NuUtBydTy$?Z{gz!w29LJe-#vCi&ApRyuc}z^? 
zdlvS-vY$n0t6a_j!oZQ9@RqlLF98|lW5||nae#tIigYs2RNuDVbg%WiMkuHtmQOm1 zQQweoh4?@qq6Y|p4_nox^Ak$$oXpA+3Auic;N=%k|)@7jycNq>z%c?*n|dA z*g2m;i7$Y`fV|z7`HvwhU`uOsPvB5^?|$`$yp3aBz|*}&+B;_TaeFHtr=(C8HjtK_ z?4sN2y|`A5=m2lzlr&e@I&zWEfn6y~V#=EzLF{ZggGr%oI4d7fs7SZK7w)I}Voe(K zEqaG6lJS|z)0q~-Et?_ka$zWUj&@!G%8*A>9mzaPqW1cASzJ&JAttv++u<)sxghFj zez!7a>vOMELw!r}<)-7T06_s3O`Y_fZuN>2PDvqKTa@#fE<&nO+`{GxEmktor2rdc zn2*mv)cR+sJ1FInU;st;drfMp=1biJL zJh5Km*6tHHExgBEnd>+N35`4`7g`N5*nDj@QjedDJ$S zvfd=>N=ZW!*ljx-M@o2doDG?bQ6jy){pB$cZ;OQ=w4d@lD6g0O@Ih%V7iR)O4^`y~ zX7cH_QhZYi;SRR+^g*=F5lLKH_L4uB)EA^C5Wy&@p+GEt3F%lA&m=yku(5lWWlz0R8Gc58R$s*TJ8zcGfy&ueEsb zt$yzno#z0*E}8$m>Gn!#J!&gDM|p^Nc)wzQI?u$FZ;V0pSq545qUGo7W0$tO|94i7 zM0tYm|ACN_?Bm^O)u&BEG}KEVx9O0G89rv;>y}K$Xm{|XE=_C~K;gE>>#n=k)R4V$ zUN|JP6zghnAalKdf7n}G+%0mVrV=g~7k*XSvCgli- zL`H`9tdhN4wRllrMkjMiLn%Ty{AKl<>ae?0z9oZHX}4WCl@8jM;11P^Ib#f=UQXvy zcCK*+kX}i%hlgcOrToG>p9w}4b)9j3hbzs3Lw1u0ejb?=ZkcK0Tr*0TQs_Pkh8z<% zG1Ov^t&tg`nD_NBh(OuQ9u+=aDf`8*D6Ek7Ydur^l*i^k%@HsY#j4o?cjcN4&)oc# z)f31|^m2J}gqp7V$oQ+9s@m&=;xw@K@Lm)t-~>GtFMC<9|G$+cQl54%Mb**KP2KAn zLhR+GMJ}h@)z6&;w%s9B;^e}^V7wA#d+Y@w}(n5tQK_+ zMR^+QE5O^(yGge@&8=+xoAR*9! zXL8@2AyeX~=nDHEfZnIKf?-{;uf34)8rDKV>B~V)kMqUf15Xqnev7hL7}ZCkfbTYp zn0EsJ*!fe;Gt&kPTCR3o0E#A08)i@QmcISzTD&#Qj`P;Se09Jb@;(5_+hzPY2vN}W z2N?rJm{!V)10y1Ptz0AN1~tPt+Op$zN+>k>P)ktRUqEFh?JI9ZCG)hZccSiu{3=_l zPZ<(U*Rbl}C?9~v7e}GXlO2P;y7A_z*#3x;mHr5SCFk#(|84vM?tWi$P|zKUHhX&> z`1iU3ydiVvQnHJ=fFKtL^LT&9QcDzga|XFfQxJ@)8*=$dqlCA?n8oYiv!(32Ur=2? 
zC-9WyN>()PR1^|IcM2HDsCF&yus#qAxTO`pWK5{hsXS{QP>5$@waMWwdV^f`6Jv8zt~$v;~{a(WM9eOE-$rz2DYN8=46}A;8+Q zp~k3vc9o+&fslu*kW#DHH9yU&M|SAx(^rp+QPdR}ulT#KERKq0j@TZb#_g^+Tcm-Z zu&}*ON6iG14U`^s8}3_B;A~Ef%+FeZg=lIma%{-j7zBXUseI)`Uu_&$D3sRb_1Ic1 z%&*h1y5F=5#>P{HU)t^}93oMVhhvaQU&fu@W_dYH^i2;^3ikjTC91`5l24Y3zDC0P zE0Q2?nRZrY`mJl3Dj1~60yiO7>CN@A^rU6UhOx)2`Dn>e(%h`>se#vwfGi_!jd9tjjw_$r-Ggt4t_y-x6G9c6| zZIy$@v~Z(Pv^#41I(OmMc-oYy@9u0rt$3(m0t!qu1(`{ z1{U$9xU8&0k2ml0#^E#NX0!8af~m{iZga3KnM8}%a44uwfVjcbX+g+NlOvE)do|r3M^!7n)Zp`m*=+SbCf}w zxtKU5jdTiq=Z}DT48dC`wV}EocpMLdTrJobmgMdT5}$eF9oy=Px99sLV)g<#vDq=( zeSc@*8L$T?&x;&H*R4C;_l!MCnAt!GE}DzzrX|0c{iZ88A!nGf_QZp)6?DH=A?Ql) zd0uaEnIM~2&Z@kLRTH`*CEX~V{pRt$2=AevN`a&Ll<#x-7LvQm7N__TqiEA|iBsm0 zJHBbQsq@Q;6OU)VzVk{Inxo(mkyFQi&(osmb^#~Xa>BV$3-`p)-PRelY2wTp_s=4{ zE1atQ2*N>AqJB-u!j4c}ytWayo*c*`s*Xp2w^s2~Zw4TjK_an9-?059ULe|CUv4bg z_HA6=O+B5l0uordpChis;TBe3c(AZH*4YTm!=K?is>h@g>2tZm0071;`o3y>%wE6h z^v(1e!th@fAw(|E0slq;F#3O}0N}r0<;uFy3%K$L{ntN+Bw{0-UpR#3k82&jZuhE} zYe)=lCy#o(w^Clb8LENx(>#}Ub}e5p6+O;IYZ|7lG9s!sSA8iECTP2r#>U4siEM6# zyc{Sc+QxzpGBf!N76npTtzB43h%dza09>|XvCd~Lxdo)81P?h6 zw%ivgkiS#?jxcy1&lC`ouICx;xH2TqmnfH|5Q-C?hG=o9*Rk!UJFChJw=RN>T07M* zx2`FVR>jJuUlri8AdkjHOl;KhhSumw5hd@?oPlG$?CG(*65T`M!6vbd5Y^-*e?uNe z#}q2bK3T1`(Okkb#j(gQE{Ed16mmbK&^#OI zmfX$COx4Ov{TqPp<@dGEeU0qujoTT~q~nJ};>Fzi6?s+|!L?D%%mts5IhXnQM@YEN zPDIn@nZs+)yY+|9ux(g^uW)`eYS z{WM_C?b}Dj^b~WQFy~F!Jq^dkvV{=OMk}}gEDDRPOU8rp`#oPi9X5fpyc?T9R9Y66 zj(tZTiWrqh9di5CGg5WS=-ThyElYak*7uUTxjTuSiP{x(_iQOe?bwo~j}Bwsq!MNV zBlqnYbERaD?CkLE5Vsgyk%BB4VlY|fS?g^N^AWc`J;Yel_BJVp)}mxZj3#{Mm8rzX zc)*eZ%L%$i;fuusgTa@lP_jPXWdE<-0p;)ALCmV{*9up@&(~G z0J!$zCh4y?XD|B{62%9~wg1?c17nnqE=BdbdegwpxLw$1`g=c>dfv6Jzhh_U`olr` zZoW4V2j=KdQ8o#1l!NTJmFBr8k9Da?@7c4rKQt9fypAAh#I%D{{I}7pthic{(6l6&y;H)() z6dg*?R2QqoiEmeC+c(J+<#FR8y%S~H%x<+ff9b2aFUBobn@9yf*Sc#yBbHP$7 zm_)|?tl?veRj!ky5t||P3qV50C)cF-X(QcdvNXTc*z{q%^a)$T{MHuFpkGI>+Ur+u zwJ1$c7rxQxpf{zIbxg{&YRI(rGeE+*L#5FCr*oPPqk+xxBb62e9IyULgh}o()_n{r 
z9j`H9(YMqc-(5uAHCrIPISW5)(&>$}9K(1<`w^ zY?JSj3uD`PXJaI&IK~Pzqo$&bnWu{H^s!!PCIxT!s=Ak#E((FbaCA~5^CY-Wft(yz zobYCx?sLM5zpP&J=1FE>p9s0SjyF~L>prs&2nFGKQ5_!+VD_9I|EM}#pT2KHob&s? zWcx1_0SIvM!>oO07t*B}#RsY-#@f;06oN2wNW45oW{IE~+m6=E{K3bGI%Ful<>D9;*%(_$%lx}ns=OE zuEixdjv=P09(_oTD777L>~VuSKgRMjF7jbS`EDRifSV%y|C36nUin%OFi#P)?dxZ# zHt7ZYsg1w4nK-3`n=;^i>?hxxmr$FLh29@|})Zd_+iv(o2pW~lzF)Rxw7 z)N7yl=1Xpn^xH?OCIa`fmyN)IvM9Y{#(YA7CqGu?jOfqO-;RY=jE# ziotRH;Y;;WpQ5PPX56K095J`*@R7a`gl^NcHgIzMH8N9 z(O~z*ThBrSk!v}~AUSo5iPb;sdM@wi0w`-uUc&1s+Qey^$40I}CjhvK0E(~)&@3G5 z)}aLLqqw+BHYrC$CZ1>yM8`T|*ReCH8A4__4WQ;uEXDgQRfxB`qIyyTdWSo+7;*in z$hb!942FK~fyeXPbK;|0x_ZTEB`o*!)K{-Kih7Ng1{icrlz@%ICI?t$H!KGZrOhu9 z0wtzm07QT4N*3!iOULy~MMEzDGBnEV4eu#RFVCR!I->7UHD6{aw@IwAtb|bgL=HxE zqh^yV6VHjHl{onxpvZwImLoz1)%?OF0(cRm*HY zaH(^s@Op*}NnD_BUHwM#{2J(f#~R(P#gdsXf-lNjD8C2ffnCEUA@32y>S+?4Om6kn zdvaR&Er7mYSMn26esmUf?U0Jt3wD2D?{eUe3KM|3B!>_e8aukcnxvN8PAA)*!)J<5 zwiVOrG-XEF{L#;pKS09Z$|Hu30~df-QUIcIf#?5NJCW*%IM6VzN;=MUl*DCh-zp0; zSPloN5nNU$o6gCUZ-mdKyK)~h7Bt*!STwsiY3ns0PB&C)0!lIHtPgkLqn-_QM>J|R zSs^qQr0TM|As}RAZ%j;#ONIV?2kjL2>F&es+1VCb+>;)KGh*A4Jxjc#Vm^barK>T} z^yABYYA9wUDe=jrMR4?+u#l_O?AA?X-^coX8PNSC5Bzj5zr#q5!RsJ=b(!Vs23_RY zmob~6O8vv2*TrsXcV%KbaZxg;N_7uG+a4iy1Q6!7K_ zN4iVq%dm;~%W>$UDJpWa}vOtji4fC$D0*>*cV#eX*xK7PMVWz82B~b1) z^0V21)!SZSn|1#MJ2UcCE)R066KS?hC$Et1QY4(ee2=5{xL;FN$qVu}Z$MVXY4jwm zDy5=l3<=XeD5^;Z2duOkl}shw%}|x?dR(END?$MCj*K1wTP&)3cOI^w4Ox{e&tkBDSLuV6SE#Hqbv`!9HDS%9vYGw8$?1%_|^Re zVurn?X)UR!m>LyyVlm^d(*w-OP3txF$YrU{XDUstQpJhN2-c75yZFGp`BGgbZWBna z(X;U+4xKd03fLP2EAWwk7CXheM+z2ifJ?(rvB0QUg@sOw=h>2iX_RPn^ z5LNB!dB6>&ij(P5!q$fZUDr0A^Ojp>S3kX-h?%PdDWvf3nknoar@w`Ih=uj3%TZJX zSfdtY_N)uXxD&+Pi&Y$mf1|QnSH_W=5st6K)4E16#9EDLLnq$jkpyO_^`1W`6x0qB z>Ccadje8AFyxx>{El*fIDz?AacUh9TG~qBI&p!eYD+o1p*^4}1WF4z3BU~CL4_S4! 
zJa#Ac2Te46^_{XFra$>s@3-b=>NVh~3+qoc`^eK?r8ryZxSBXgAr!r z!ac6c7S_hR4eOLKAFW)KUV?8%32>PO2SvlDMNm{W?<3H)q7>U=+%n!4U|J)4Ig|>s zTMqwP(lnXijQwoniP)OS7n#1|N0q@rZLb^@XkI9e=0FKaGiC~v8!N3pQf$y|lsMVC z(H*9e*Hd~ck004h+p5KEQ!{(kdLu?1b4@#wj@^TfJ-M3(!Uo*7nF3oi@@M$R67BT@ zuV$nRBom4(4f9V7h5PgS-^BDi0*dBP)Qps4Kc&(OMMSGthXsyR*=wjpI&>2V=|IaC z7Rcjok*5+2h72_#j0CsbR+wvQ96=9ti!ctg9W=^lpGvNgD2q&ROrh4OJ}uP3CI7nZ zTOrU8jq=+mMB=gg%zs`Ys$q`Nu)Q$Kl; zfDtE*3}HGl*=|E^Y^lsM4_qU_V7mFSpzQ@jlbj~UAnibUl-{5(+K75-yd#X$Q0X9r zhNN{3|FLj|yUiOX<#ofk=Jx-ULqx`}1$l z+77ASJ^x>Rt|1xLGKe$>`bgh`NHCh2SMU}j`iS$N=<7!baq8=vQ9Zk(L+L?wBf!&M zH*UpTCuiIm^gq~p3$V7fZe2Lt^-`cffd(xSTuPAQ6eq!oI}`~Jw0QCEwm3mUf>R{8 zOK@m$m*7@f+$m5f+TQGa&iQutcmMC6^W5kE?|+~B+yx8fS{a#Zt~F(i`OY!kfd>jrRm(?Au#p*4M&XDLf?T z9+wmRy=j}U)<{X19CqH(m`9*;%aHscfiltzWNQdf(qN0u@A=N4HQfatPY_}MI6vhb zCa-GIYsH{Q56;p;^uL`ug=?g^S`-lWF~3T+J$;_d`{i-J>s9Y7zi7_zMY(Ws1m;zv zJl`;G&W;zyYV^%_3!lEGxYrkG)7OKaJUIY249O+;eSTl3UN~K9~JtUxWKg@qJCG zSv`Ba@YhxU%AV0}Z25}ekNuCUC!RuQ4=-b!wzpe4tpe7$B$>tjk$tSl=E0AcKlZa^ zGxY&KkfV2i(tmnWeuKPuYm%hcrdDR^hV%Uj1N!=Y;xMAWE}-V)7nmc8-zBZlV@LFN zjZDqr2>-h05Dyh$Bl*mpMZMo8a*&fh0k|zvvmCYBA5Q{1==s$f2%yzIPF2Wy%SlPbKrM6`6RBzg_SJ|C4;HW;gWUEanr}!CyFV<zK zce;D@#$_|JS}-y$C~JHp)ifms?#P*v@x^r6j50}bLts-2zS8s;Sp`WZd26}kt;wOOq zbx*M*lk%VWmyB9RW}6hGq@PN3uLs!Viug6Wv(JsqtQ=Pr7IG2Ptc#%=XP*7eF)rcKqg9O-D!YMRU_Wn3tqiNI#M9O+HI71qp`Ry@DZiD4{& zAXokJb739TPaEn~Z$WfB{O&oN*1d{TJe$2B?)27Jsa#fjf1*hd4~+|8V%lUl?+&&R zK~O;jjp{y7$S)q0nh4Wt5`YJDU0(4^6*@h4)co^39}P}W&_-B7T6-%6`T}Sab5CfjvlUp* z&WKw-EXB-fAKlqEGDN85go!!9gdRlx1gNdAeAhNWamSP2QjcQPda&AfCs)B!Al*45 znjuPP(6K-T+;Y&thQz5PU{_v&Es1r&qDt)IKLNMw-nf{`gj)rBfu%<94WB4jxMPB^)HZF(P;&`+T z?OCo)o%>@Zs4C9=qR3~>m0d#2r>QTAl$fikg>WkG&$`Fs&NBDgKUfZ?-Dt)1#wRZM z1X0~AFt7rvx)!J@%Tvs342zCF&QKV_);T28@(WykC$m{5U%I z`S=lc8>M_x$Wj~ZME8j3M4F68bRJF6BKz*`bPp1+0ifr`2B#>i=2^WDW9KEIe186C z=l|mm)f7F>pKJVwrpQ#5b@Eb@jr~hMt@1`+RjNRXqxk)^A^UWhI^p_imzTS(zjdqa@eTIKESx959OIU^@H6G-=eKWI;=WR1x_oE$4CgVi&}a*qJmgfRuXvT4D1q 
zUtj`79Quuj)1B~W1=$8%llHhXsZnfqkf;IT>k4A<^ikp^s`FY@*ZL7*F#&!P)7uD}4x5K1WO+Y^26a$T5U0^7;0%qx$ zgMXX<-AvL?z-hP_d5F(M{w1V!0@#xA!2L8hJm?YJE+nTJdSZuOHaY^+@{x4D` z?JqY_{y`ss-6*WNZ+LsN-FN`=;#P=@zE_E1bVtgSM)LeqqCYZu@P8%#yXRr?sN=x4 zZ#g<@QXuPV786`*M3xJQx$%e39z}=zXL>os0x|rg*pCS(YBQ;q3SgfNbN+ zpI!jIsA{da6*a^M7<4+Nz7W>6SR{>&u{2D95ou1sj)uOD?o@rHYM_9Pc4Ft;n)5E$ zymgHY2C&sb?n~PB!}Xx=t5y{1O-B(L1A2NWi$^1hD; z>fxz8nC$-x*3z9-t?lSuj)A6$UGW{aC2l*YDa^$xF2*_@L;`#j8F_8$ zg|IVH9mFlT(v87hX4dme4t(Ihf0KJY+1yasmAqPEUR{dFh^QflyGF=J4{%K7S?*QEW~qnaD^!wBtM^hj-kJsA?;v|Zv$%t zYKA@C-%fr4czUWU{pBY!R>_fuzsvHBws;0JcfOCe7%R!NMGapsDG?*{gD>+7yxjAZ z5}b5et3j)~+htJib_UxGCcNtfJxx}XcNdDY0l}Hs=9fLXW@Wq}R7ji75x^`!aII8C^pnVdv#%(Ic3t_huNy6aH<=IUU%N~UrRu?egQfH+xZo7~ zE~I;z@2OA*EdC@nJZ$sMI(1oTRMi^9kGg<6?#_uofm6=7)w6(ifXky1NBM|Q-6?x) zgr-$uY3$HA#aGTq@ZQ4AKqh+LT8xrJ^MLBJXqa=nS~qmwQ3>x_jFWAuqKV@HhMK~T zjI=89x2Jv5lB2Pd{Z}V9%W@)pnR(H?V&7aiMbT(Q5{*I(5x(Ja2u_gy+$8(wNg5>8 za`$?g%;41IjLTP2r7#u+JD#-i{?$C_N&Lrg{YQjvJqOpHSN{Y&?&gB!3KZHu&B+YW ztice0+N6ciWbGB)96ZSMm1pkxgs}8&zR%~qm}JQOy7f7z-hI(Qj6Y>J(Ef|3+U3-> zqo(zt%R^zGi@nTYs_wp8@Hj2;gxKZv_^XLERIR$N;zEQMUy8?(EU%)cCHWSQ%QT_^ zy5yD$dWo@ProS6|ZT7Vw-jk#Rt<-vrO_KP9{alo;LF#1&uO&o8(s=zysv?Nk%LNta}uh(+qpugzk2)(!?F zLGf00a!-ww_nY}T7zn}d7&tWtZ&^7phq2-;xz+pf__fZkcavTf{ja$1_}GAm7mTaPz{t{2xu@y~6}qQP-h^f@9| zQO;`RhDtL=E3>EG$oMUTuk?60K;Z)QmzMPRZf=*csBvZX6Of1~{$*77yUc%g^zdTo zy*Nk(L744hj7oHruy?USqQ4~`v9lFTLoY**=cZ|D`qPS&$!1xTo__{f8_|=FhwACN zxFm-Z!)i$CaCenil9?oGHI?1K+yfB-v7;P=eAVfL>aL2R%ZeU{QcaFIJ)L6MtRFY? zR+0iK7#lqjtUM?mI(!!tGP@q)@{YG2zpZ+&v?>jn z!(ClhWsK)!Ouk#4_uY4YiZ(SKqwK zD7-X;?;f%`r(qC_tPMC)5LioEPex}O2$g7=H_#*P_-9j4%0uO;SqX$9(vn;oJ4f98 zsrJm>$}FF{Th?+em(*PaJ?848M33y?YYwPc99&aJgALD{VFep>j~U^0h2cb#Dw#Lc z-fx|tcI7^}5>ahbW@vR_(U?qr^@QXLg@o*UmeWgz4_OIBq! 
zckXE`%rxu&%4x~ zHxrPx6jEPMdCH$mT{S4ecNjdOk~Ib4_vFrt9+E$6{MXY3=Gp@Do_=`7yWy%v+&wYRg!Kj|W?@Q5<|}A?LAU9o46$QquW2 z@?0hUXklZI=szh1(q_%zq~5h+gl4u#MvxlVejsSolVKCD$w3en&w+tMwI{cesv zaPR~+#ID4QVZrQ}eEdhpD*vmM|I%LUN@)5@s+X0j$<%q=m-%BQw<(H>62BQHu!pl| zPgdIR#^&SlJM5So>OzMj5iIiM;|(yB9V=)?Gz`PLA?cAM21gsM=qGgExY1KwZtd2z zMU})gsT91dMisM^HXX*k#C?9}y!9U)-7=%nNtH^=%Rk<5)J~!N%kfO=RIw`+m#bBN z4OTOqk)5dIUSth6PYL^S)=>EEpEcL4_-ECni-=mDoq)3Z(B2S>Q(CNAB@uGaoB;}nAS3NA?nL45;p zrr%-qLfWVWkGAmar_|=vLJ+2xq2m}Q`6=vf2kgZoIzFACrH4oM>~IUgTQ`L4tY3or z;mmke=$WK%ln}gEfmAP^C43=+9y6m~Jh%|MQUG$O6H*os(A2SY!xA zc?8CX8}1wbB_2%+4-%P6chtxh!cY=~5b~-sec=}3!IhaIf)Y4Gz_MJrMhVcLF- zCq)dsC1nsEG^6wp7Z|Hg09@Po@XxQ7U(``Tt&1(GqMv{xlA725EcVOswIf^rfPZ6? zeDS^9K1Rev(A{NT)13dCPmHy~QewqRy6w35WN6L8Ldt@r_2NCjo?=1vaUY^CK|tyW*$Qx+aPeoXmQ-N;QW=7G6gN0fq7W zi~aQuZ%#<%Og}Ws+QRQT-hn=N!;JaE&7mPQ)c^RwYSCl?93`k1I9Kmv)(cZhg%@S% zSrA5a00fN@*%k-4I+p+hG1QcyLc9+E#;>QFq$^&%{%r++`VSe($N19@rjG&j*D7AU zwKxFWpZ~W{sAKN`3*l$ipFY-y=9VIttO}x>WF%cqROURSyy4R)C!!(6zC}=zF+0q( z4EMwgo3z^?>*)r>YjtXoIrLmKy4ZNP&i%o6Xz|Wrcg|jby3fAg5J_?a^hmTLIHxjX zxdBb>!d%ULj|mzFs|Nx-V$tt>E|?icm{Ct92uTrwZmFL?&oxJ$N5Ajy2uj+4jYGkb zQA}i{l87D;3Nd3x_x(XoTA*)|fo=+hvoZQTfK2tpFLj59Z2p>l{8#Hcy1qhH$0~*V z@%$RKAn1lK)x-r7U1?Jhs1%LoqIt-Y=-=jYw9q|2x4xipz-@-hmfE1Kj~i5(Y6I`X z^ab#XBQa3-R%JZC&3h;BZQ!G|mnDi~3asvWDZ?xJ2A1x;liGlra4vi?uhj#tueXWV zwI+O0hV{AXCe|uKhti-`DM8v+Q03tB!^Dc@m~EcRkr;;z>d2h9IL%bsi=P0%7VDf= zWF3yqh{I5odFf7FjJ27#u^g=4<6A7c+%gpp<=A{@wbf7Xr}Y;g2xus+~VzR;pF^sx%%WgI_I+qA3p5 zfJa78tA^Nd%dBEo(fOgl3O39;>)&ORM_oh1sd@r zBj3E77>qqgN^)RsK-nMi?*9b%#gSKe42iI$uDUkrC^eSGVXwemM2n7O;mVJDRPky>L=dc919>_bDCxvL zMQ9?w2*gt_$(I~_k{7j?_lnT(AFTQ9u@M%KB9FI{-D@Xs-V$ynt9Nx< zIQh{E^s_Ob#+6>lT(q7t!*`v2WmRYTsKR1d;Q;Ka5G-;wK?@QR*LstPd-|)cGby5z zjK|II&=AkN|3xEG(yhNrmG4TdddNkTGv!BH+vBxRW=!sKbrMdCf(F7vI-Z+h)F**c z(g1M_Tl?RDB44D&x{s+J`iRZ;HGc`ZxaG{m?sE<{<;cePBMkD9PA3yWP_Jk=vtu*6fA?&$io1VTLtgQ&E3R^m~9llx-rZ7q@% zxUINPU1g7kbX=v|vMT&iBc2}qRt_P{cokT%s*3j-%Rkjn%p`~mFvn94(T28uVD^FVb7|*n9lp&y(QZ- 
zrCNDEx1C8%Cvj4)s>dE2_ArLEd;vc5aV;z_tmX;k8wQC{TK)pwWQ2xssOLl}&id@> zP%>Kb3@kl+o6IDIh^~@|niOs55f;nA~D zLwXJ3NaM4Vh{Q1NxEem*AE5Um0amR_8E@@GJ@YX?dP@mdSrn?fsnX8Fo&kt*O8zz? z116+evd{5WN_^D%zf2DQF7x-JJD<$HnGhrO_954n@3(F=(6g0&io4z=q8yMQMWj?! zbz++jxFh!_#TiFS`^?1TIzfz8`NrK`k%WPYgjS1>R{d$dPBrf7z0yv`%93y9n^@$0 zZAS`B?b1NL)&)ZXW5~2#VAkA++pUo@CP6U^N%b)%^}y_{x7u4Xj-X4M2pipi-j|dI zevFHCTzs&f0C?AXW$@KF7An(PGsHwoOK)uleL9gGal!c$5LcQ@9v*nI9Pr(%KyvdS zL_PAEKXEy|!9)6ZgRAG?BtQ6DJr7W|Iab(DSUxr*?pK{tL>Z4>pZ}G~hX3pHp7)o@!&@PJU(d@zR{Ttj=&UaCx@aZ&uKjhJvcDAd&l~PJ zZNiH89$Z70KL+KUvb$#!<~UqBet_S;%1P^c?R!S}Xeo<|Ixw zH<(To!!Gz-ugG}=J-nF4Ut-NBh=>loT0Q|b_(;n7b9EusRRVI>4-ev9b`lr(GR%G_ z00q_?oZcD0`OB3I#DN-tL_SlNMV9Fx9WT~;l)HUflgsTA5)K=Eq?1QG2SdMng*rzjo`RvL7no%~MObwYWa#|PNzqQY6g@ONpDF4#7 z|0eQJ2P92@wPIl4sJod%OS-ZeD))99?oMr@FJWY8e|8@5&y;32KIACfE4T@PWPqPtC z->-N33Hb6w(vPYR%(b&tK|~{jx(p+(Q?2e-V$wv_a9Ti>@C>iR7L4=K?CSc0sOw(( z+M(yZ;XPniLQIW$e{GeG1=u6sUXz3b4mw0aWgJMQ1^^YH{*>?!)Tz zK8Wxvg2l=o*80qMD@8rDBPs{)8@*=qU305!Nw~Y`%cfs{z?O;5rQ)MA8nx|Xb(NCC zdSP<4tfeE@SH>_#lthOYYo+bkp75qYU0Rb^-g}#(ofk$5D(Cg1m@b0?HXpG9mwN*F zxGWI!Ks1ab_B1l`?V|Rqp8~T7lh&_~h4`1NF1tGKJiz}Bw-i)&;RRKHebWC=g7~tl zSSV@=EMkthFA6;L4rnY_UjF*rp0fP-c}4wi zDHz1=w^g@AkPMM+NmAZ5VXcVi*02E*nre5YY+41j|K581ohiq!!&~g&Wnn%WSM@FCDj-rNv z1(F^isxeBjH>;b8WK#}$LTxHsfR~3O{!7ut-({jP3S3W8vxJ<3pIgTyYLV=3EzN>) zNT}w63y2FlKhIk*h{Va{x7vGbly%3WOm0qIFB)Kzjy;g~5&LebqZvOm8t=|zJ5)gg z6IdpXw`?nQ-8s3{nSNY_^#F)d)1+m;Mso#D$k$dgc=s}mUo!R6A8R=7-Z6DmN-)Q5 z?)xR>j?PFC*&->Q=VyA{i>fR7`v~;QIQ9STJD5J!rzw;7wjDR|x%UPh_O%9I|MS$L zd|vt+@b!&EO6k1%BO7jKoXwZs2X(C`Ld2)n(0)u&h#h|`0Tr{-lv|g8{uYvMg^#@+ zZ`EBM8i;uLRqAMO96MJ~+z)f+aNCV9k%#9}8!r0IX&SF3gScXH@^NxjHiZ*&Qu{89 z!!ub9zY$267~02mMKD$|xDcRUYTpe5x2T99^ix>Q6nyx1GuLQ@G@Trl$UZrgW;2PX z?oL<>LZq0R5)%_@G)z*!GChM_YZ39aB-p%CgYM>(r6?_;d|jPAmO6b*b{r|g|IJ?yr$!8Cnx+H<($OS)^mB19WD zm%_sF__EW>wcU6Ar|6@vjVJk6$uVW@}^sR&lv_uaUo11pINjdFS*;o zJ+@BSu>nkcxN1?PcmaW7BD`BE`DNl~52N(!G&T4bX{P!8Yg?AD$m-`0ecL0)6Ds2LBgnsArg?{hhSAXQOyh_QM{Q|Y=zH!u*J$y;;}os+L)SkgL`h> 
zSr?PK3$ioj3%=hY8nPvCIw)2|s9FpOm_97L5}R=@Lr>abu-69*0pnI4d-MKehP4z z@i@shnh};#sq8!6JDLTr5S%pv3sK0nH>{K^P#_2jOoHd?mZ<{X>AKX&ytyZ~Ta%W+oJuX0b zf3_2TFKXL(xu$Z6d4+j04n(aUn{y%=w;$gTb$TuL?1{glq4Ft#>{nk#7}{O$qlQPq zgxcbm#2cv*YlfyoNo)z|@@6L9m>%5Uf|fa)P;4XV9B<_Pt?Y+7sVCt2>afTZSLYwf z-A{lH#ix;=b>?WTUxrOa)ez;p=0ocgMXO7Ztmh^&SwZ6*qD#g97%3Tmdu3llonbo4 z@f^o_+LetA=c|Ijk8Iyc3q_g z#mWAanx2LfIl@68IjGD?b-_KEP-FrKqCpZHb6xoQDwG*-{4gC_%NO2R>7z16l{dhb zlm|}#al=>iOni23JzH|t816^FsOcpW=gSt_?;ja@4tPNPkL5H*f4ukpfz~KL7PA#t zZ4xvPcr5;1Y{(_By}f;B|1;?a0Kh^oPK$}jp3L|gdE?jA3Mbxs2t^X zw1Z9k{)ox#a^Q=9-19#r6b^p^vNrs(T78s=AK_;{@*`*R0pDWi`1*{#6`Z=tr)5;h zKLf}xKe&vTSS60*7XL;P^XQi}z1)WeLW$uN5&M96ULvKS&hyQ3=MVQAztFhLiN!Q$ zgs+@teN_afgiAcHX|4>R`r@J6dC#(v`B{n)SDJ0i;iFh!mZ0c6_WQlI;|lRg=wH6? zY`M+wk1;xwG81EOc+d8^P+9eUIq`vX4Vaq_3 z3M65S?+EgSGy!a%(s&Wey1DsNXjPl5EjfO|>8pL5U@VVnV|sL$No_nTH65|WlHzov zh93+DT}YBJH+-LRj-|$J$1|5mbyuG?h}~Xre0eZFn+1`J(uI3-Q}^o$#VdpAu|d?T z>AM1UG7oH;KV0iRi)N*@Egp0@DB(;TpkXhjP`)fKs* zA0)UzUd~O2<wV$$Dz3~+5p+Bi}DeO;Ky2A0L$3X3-X{*6NS!Rm(qS*$;5Y$H`&^3X&> zO`u;>+uDi2?V&p9U1j|wo0m1t&yS2X-zcCPP2`nPx>h~SI;n!-c@_(*`KTj^`=_1C zxEie7oW0d(TZ@-J?rAwdM33}?M{qnx_xt5@FW)dmmS?9gQfvZUVgp8)3G%x2ll!561|vz8o{o#_c?g9ENy1w_ipSc|6R zTT!sCWQ}CRR8J%d5tDXt13>e;eealHgzw!;`)ffY4aH~<1rheQL0Bn@wtM$zCZFfs znT6HM)e>S`Y~v+xGoh>WEE3PSSk@9!sX?zV&y$rXG>W;|fEIm5x)o+I7w{5TmEXu1 zZxR%_Wu_qvUmJw-^DF^wbF3s21R9`cX%!OWYVqqjN?vyD3>*Y}j!d+`E*HlxkFMpt z`7y^;fdgzpLDkDT6w<{T{wZTcxRFZsO=EZwOVgAlWN=o9Ex`V zhuv(Uk0GRkX3LBcdQnS!DVt8t166BPn3c5@+p0S4@o+tLJ^8{Z=bKtR^-*caBfjN!u%%j(;Q7O>JJy3+in;I(AGJL#k-pasm8XkF6TM}q4xZ82?ZzhlaVpKLM?ro2_M_bYdS=vwh)s1;bX>| zWmc;i9Oa3}B8m>?8Lr$@oxuz5)Oftox#ukmPa@IOft9Z)veed|3NiI%s~tka`wN;= zZr3i9aU`D}kL68^*XwZ29H~9&@W59qogh#sPpd78NrP@fCD!mNr=#JMJ%@2{iDf5p z9?OYorV`WCb?ny88yT%3Ls;eHWN2AiCr}zZx}ItYCr{7iOBuE74T)V64v;4bA>Dy1 zu_TaR^ys45KuK|gd@;dUOhF1(8nh14(P1ETuL#(>f^pV|+*0rqGoM-pl6S0D)PJ#E zkZb8S6Y;^Z2vN6cy`v}cj$+eot?6b(z9UDA*6HuutE(khu}Jlb5;(Sz!#yuO+Lt9W 
zPL``nlE=GeQ&S0P4-!`TqCpAlrJcIsjMlifU5io|6zna@67b=?y;l8lo@F&%c}h+u#=aDx+pjTr zdl($VZD)idjRRqk*mU;b7~8Zpf+7zQP*h5%-F>AQN0qxfse-gBtj;D0#-n~?sj?iQ zUoh1I(6wIUd&;nS!bXkaS?9p`nlMc(qM;N9h$DJ=s@Is(L|YT3$^w5n-RHhsz;k4^ zPJeA5+lCKm{V%rPo}#ZPWmm~BaL-<~^PcmB^l^UAd3_M2xrkA3kK@|8O6I_$u#ZDl zOv~8(V&UuWBVTv_l0Ij-IRfAFo9Q?Dmh{S1j)!+j^=$wEws>bb+n3&ekc@IW_hTyn zy#LN+v^lysxJb{Tmm*-09B}RZykF9{P>L$M`&Zz$Ddd#2g(adFo(*3X$iY>Cw|TO+ z$Ua542n=(o7d(9X6R@2fIBt0W#Y;j;%*r!9OivU>$RUn6}g_fC8;>_@SKeen;HT-X_{sV*ka z(1%WVr%oGeFHeG^Ge51F`6|C}AW}wm?ubbA(w)?Eo25U9ojdx2>n?T$yw*t>Gy5<8SY zMRF^PJu2HDD57wp4Y+OS^k-wap7M9?)}JS6wJ`b}Q>ZfwaY+#*@S1G^v6V{YK4zq; zM&s){7Z0BP5BR0(_>MF@`?TATM?c@c1_0v!698bsfR)wp>5!nQY2FqQD`M4p^`<{F z+fxAtm7SXk@qEXUV^MK+szd!yRd%T7n$maO70B#+!1~UxoX52^-GU+a#mA+=ZeSZ8 zP$Rem%s5$|8d%fgsDcbeopC$9@0rsiWT~7-uuF1@tI16tdsHhw!k+FNiw}_2CisTP zRi!WQNYY!?4Edg_F@AQ;S~WN0oStgeIjLvTvJoCZIhPLEn4fwy$YJ=Z0dXU1 z&Qg*tljq*WkuQVz5Fy~m&s zW_vxzj{Jyx{W0aU-OO+MFPu(|ItTIAP;YcH^6~xI_5c6={AZ*5{}#~ucl7Rm&|<}A z5SBg{xgz3&qoiHjYmCnHLqeAw9jIQmOB!h5XQm&daTyDQSK|Ud+=3@;rkmys7kcm4 zu*G1lx?ax3lFHh%0%Q96*Jq6yLvfE?ky*7IZxH3%Wnj+O!!&!I63xcJ6UK$zh@Ac$oi7oB$|i40?m^F>+}t}y z%&Qc!19gH4+Io(gdwDc$QwfD{XIN%aWqHU-M1#25_v>CIGxFnqbT8rdr>(6PVZU^`ZgaS_ zR++q5l^}C^W8=isRcOGP|3(NWv~ul%`iy5*eN@^4+Kr@=8y~F5)yV~zK1V_VOw83` zEG?oeZYy$1tn%U7bX#vF;n;z3!{Jz5P;r=;f0?KI6gEr6T`MvaU5aGJQHR$a1H7>uV)|Ri~%GShQ7JjN#zIywppWRQ4T068^5`Y>g! 
zcXLs0)-wXW?3xLRu7X23@S>R{oQkH}U5vgd2_Liia^10qat?Hf(fHM1wZ9}Cl3uB2 zbx}Ff+b;Xdon@gXNnW@OQ^WjI8R6RGh7>c42A;D|Y99c8HS40siJ8AHRBi>3tVW;b zV^7}kiZDaUH{HLtsEpa}WP}Jn3G%g{Hv}mf>%9Kk`|B6r|G#LNeZ%=LEjIYCC3zZ5 zD>Ng7*g=OzUGI`nrGffeumf%0{SH$#9S24v*` zdQR`5PHVPb@7*WkowwzWLhj~Ff*}a0gQ$tbe!Re}80(io(l=Y=5AjR5Q{*r3dH=Qj zPuPf2_y35o*A-Ylj8Wx|BzTk!5q) zDn9{2C-gjondtRLrWso4vgxbe5*G}Om03kUeav_1?eyCc>DERb&~;Zh*YEJX`c%Hj z0@HxSn4jl`noeqwaP&Dk&KqcaA&E_*9ulfjhE)K+cbVL(HttknFFBzkGo)pc6N(vk1a z$L-2w)ihh35d4>O(|&by!Ks*l1uC1f+VZoPj$6LTesAhi!l{)!pEJj%fHParN$#No zk+^Cg#s~;>r#E=iI{h|BXO?b@3IW=H_v!79<_4zt5~HvG{b_ZYSeiH!7I73DtabQ{ zJG9b{<6}V{U?BWVyiGhOk2lFZLmGm!mCmVMQHp+sow-hq7tyl)H=KV0D4h~&Pw0Ov z6Z@j^RavPk+K$j2=!);00V+Jvq_w+7s;aOutqe_z>LmeE_qcq^dp|Xp=RqkOEtpC4 zeq;#((Ezfu7{#JPyYpx5Iv2e|WC*PV@fDD#VC}$8s1(gm-7r?dg$j9)wZH+5c;AEH z`ip%KZn-)IA6$2)6qrcEi>Tr$rsy4pT@hL@&=2P=<_As&t>N54-|hVZ;YL~<7l zYKO;huG2t-UjyidADe^!F*!+jq|&(Q&daUs$3XL{XgoI2BUTJ>?XWg=N7o|c3!VN? zKw*Tlt;|20R_^`lD<9qgy*fg+uD%fVora1 z900(5=l$R4Mxh;l<03V(v2w2R42kBny9k^1WMFxJh!QhO8COf-r^++IynD1;FeF0Q zrQ%KFCx$lS}&zTbBSomIC$2wQLM0+t4Y&MKKUe_$9JB%m|#4vB@4xfroOmymqN+eQb zhuU$b@^Z)|3%p1A-B`aHgK~9+73dg9nuvG~SsCc8J39OFKdQ`%8h;bsPFO{rv;*Eo z2({nOP8Ue3t2B&$H~c#_8N&eIfWd}K=}tKR3EuhKQb?7%vp5N+E?WAKBniYOos@r~ zwuapAsE%!a*`hJ4nxURomWgeQ+LN1-fHp>2;4)L>juiH<5@sr9ourTCoE&EHg|VBn zn7=lp?{u?pHBa+Bce4`4gboFb*SOcB6XXNE%$w#eORBbAw|W^*57uBqCS-@*<00Xc zZ7AKV(}ScBW$Jg;q?nG^Sw+}Q*BsCkJCf2mu4y-P>nrDO2cya8EKHV}^H1y}il1FO z+sLOXiP}h@BM!H0Xw-tszG(@K5=f0T)>}E+6r!@@dyIf+IV2k+&pLz_6a|9v()jUY zP;Ax^z7;htn|m1CMX2 zS}CWlj)~>mYL5yA$6%7UNYdsc6A!ds6B+7M^}&_2eoErZ!Pc_8sz-XjVBWDXit*e_ z$%(X8a*TQA5L}Tdi4z`YQ*z6ClwRb+3_Hi#Y3Ky@2yiPj#>h2$2qJOg6$N89l{k9VJv z0}oOa;f!;mmF_tX3OZJc7m^$26RLS?S62;6E)O*YFG9uWUk|5g#sxi&Ng#ctY%spb zW1+D2%>gJlyc%|CAp6bE@0r_#RXUBa~1RJw2$hN+|)^%8I zV?aL{F5ae=9=F4B^eUctrTjww4O$Hq*B-^AjH8r*Y7%>N$^c=^P-cuTYbpvJ42-v& zq`DhqpjSwKLM9F8XLKaW#34u~eQB{2*g=S-r!=;j1Q^#y*v@@cHJ97@46j7lhMAf0 
zxLhtSN!?kIv1M>=X)s3KI|Y~TyJ+UG2x^#lNv1g`z1!F4(O()5qTMMfIM#$-Qp~lE>?|9-aDs>2mngt+*i` zo+k)DL^8$ogvIgR_Mx)$?6RFwJ89K*VO?YS_D|m;TeH6(vKM|@`w1AQ*2g;uj9#2Q zoN#sv+`9dL`Uix-eu9Lkz+5W1X0@?YWxlTBgZ?{Z;*n@7rlP9I?RU5(@lto>Ofo76 z^KxXVhpo3TTb3cv=9!YeL(?p`B{|I4BDNRBg_-K{;T>DalaR_ha z^B%xJdM7}B>oBC3BHias&;4K0#91#)Zl$jerq;AV&>_qKfFa4VaCpWPcmCq*y1+Kz zorKWbq$}51#3@0@B|}UocBp63dY5n>@LNuWq>uXkeUmlC=w-f9&c}^!4abUDQj81k zz&Q<$K`hza!_y39f>XMs?#+)5*^9CuCga`uE}Ft8j(2RQMj+r#{<&g&d|(&VNe}ee z&X=Rgxie4aw09w1F(tkCwB9MUnLxPX@FBQK9LGic1a}2#$XR9hTr=XDP0MVwewRR% z1${2+g9_|_`ec;WKfX0Lq>J=uK=9rz>sm}Bs>c&_Z^j`|{(JK{Wmip41A3DD+5<}c zIsM=)3xh_QRl*{t2Kk2Nq9zY|f7Y=pP`xkHQDwwd1YXH}Uv{2CmVcPj?oXPfSVd->xmjG7)EQV7V~@*F$4)eWz*7>!3LeX6L+^Q_qzU2Js3 z$>Stj4hU~%Qq>?=^k89&4Phnm1RkWiMxw@IUWNayyzdNaDr>urUZe!11XOzOEl3dvy?0PS5a~ri=uHF>2vVd<^F32_=9-!3yRK)xAMf|& z&&k<2xvzcB*|~G}+Us76e?`N6FU@&9b-n;&geM*Mq!LZQYpoMbIh)SoK9pu^NPhpk zzESea@sB-e1#?JHc45s;Rg#-H^q@@oiShznsOpbAy5q2?{vwAl?P6C^S0Z>VT3>!Z z$lJ)nsNlEQBm45N=pP+GrL64jN1vLJLJo48&V6Sg{UH;0(MKt-$)^ecvSSrk9Zot`hWvY&OBSTPI+CIpw#t zj~H_AcmbknHWQGv&Q3;n|K0Cdje9beK6jmJ8TiOiK8MP=AeLxq#(l zHGo8{nTT!7hAKx*yz@;Yzh{_zaX2Po}h za|r z*bkS4TX(-lJ7sTt37Y7XB$d)~;CB4dGb_!#(7-$9LCRHIUGtLcK69Ld160y`lNp6t zqv=|1DSO_j(Zt*^jbMPoCIy(T^ZECbs8#HY@8KysP^Sse377*~4gD4jKJ)ZTcCrU~ z%I!JaFMdRV&4(AUsaR&+;jt=waha_tSxU8OC+jim;W3}IXgT^eoibaX&`2=5T(@*% zv);l(TV{=%lftJIJ6*WxC|%q-@WolkDsly#Pi8qQEGt%>ny-anteI!2Eio5>pKz{B zo2~5MaRP)R3CP!DiyWkb0xA&%$fZ@+Eo;3;%m z??Nrvt!LEP*l1?{CkBBDf;*eiwgOV_+6OYp8C9 z2hG1XKiHtuI$JAKJxK%D{%nt~(066*T zAaN<~xXohw8_0IMuwAj3`LVg@rZUzhhZCqO~rFGdK64>Dt zGRajM5T~1`MuZv=ss-lJXz-6-tj-dN&oyw-u5ql-qYX7^-Dt>{iZs8MWG~p5FQuny z+zugBs0f|0x*Na7{H&TejEeG3DehiJ6m{KN^vJqN==ANB^+tW`qWp+dPsK*?hzz3cD~Lv1;^(q& zq6}{NTxGpM>9h@1e|O=uLPU8QE_B_X-17KV{!6abtW5r@o<>$<$1@UbU0ucfVVht!bFC$8BDdqzgn7mrQFYe z_Nf5{?YiyuHOmHCQq+Q1lH-D0cc*sKe9}b=qyCz6pf0Nq;y$Q`JnB!mr7I7Xk=t}KS1>D z?4sE;LaMw4+zF^;4l^t7Y4@lZq~&B8Ig1n4GS-qg=EWz*k-~vl#KTZ;0v@xS?JC+P zzF7lxAtRQ~8M!D)TSz9sc>Uc#2oNa(Bij 
zK=E-rdjM+wI)0mdiFu?0vP=iF6X1@Htdq#QNNyft8|mubfvB$0sPS}rE*XDKDOb;O zOoxO=>vUMjkmptWaU=;xfF4Qp6vg~SYHCt--=qy$PsMm+yP$fvI75y0L416t?U|n4 z{G!?kCcaTvSKb3f4HkoHbiG>3d+otoOPbr)gU{cwcg%>KRTz;HOH0sOoEX$)>Mup> z3>jV~vs5;{5@DRCiZZg!U{Ud0hRTPp8H?DbWYqWvZo~EZFJq~3uW-@a_<~NB?a^1oD=!KgeU2Fz{-LVWn1YudGo-%8 zpFiQXTdU0PzOo%3=vHkYhsi+w);Z!A7Ue)Q43wU zMs`Cbd5N=rS%}&}g2iy8bEI2vy@_z+JsmV@C-9;%Xi29@9oOM2r#g^K8(GEQ35e{( zxl)o7ZuM71PzFv$*>bEBpjc=U*sRDp<~pOW5b84Z1}v@i{kFK`Esi`)t86%3=w@GT zMNM7o5$l~uHAXmHU_lPg6~b$lIxQjOgyQ3*fB%g^bx_@HjIxVOE! z>B?;3Vh`=eLlaj?-^tHJ^3aJ~%I%454}0w#62w#Br6y8_`k1&h(Q*mV7)4$>eRIX* zvt^gU21Us*VF$`wuF8dPR@aiFPOyoG126tQ#3AS$=9QRqS5mqE71Ek2bF!iYm!NUw zvcARa#NdhUyqTP`K>h-HISpz_Y!i%)Zf3$z^W$BZ2r<)KBkp)#@DRM)h!$40Os|P* z;_1Ap&XO7pSE~}CdyGH4$NyQIgqFp%-lZ-s4jkeBSmJ|Vk3we^K~;kAhqu=E4sNY^ z%(95PA!67zInpn}{e52;BnFy@sVBV2+dDaWTX03R?GT&zAa8V5%6M79%7?P5>2y1b zLWih?QQy1!Z{`_c2=92N*QH?-AmXGKAI)m6eLuC3QvbeQAWZl=Pv$`n%JF)_)^eCE z0zVw6r^1E*Y>M{hWbrrq|0)Uaw*5=Q9$5b5oyk|wd+)X?yyxTh;es-Qc*JLHr4&NX zMVe3?dt*D<4AC9=bWtpcl6^&jqEi?s6a#pl#_dv5Kg8o+7r7dzsVle7q4vQN9G6)d zSjbKH@Mctlc~SC!BsZ-g$2-9|8eyL6_0*Nu6pQe>+~pN3kI&Y&xo@-=@eIH;CUx%u z>T6*>+gak%7B5GeHb+L9Hh7j+g_BkLX|ZD7w&ATwf_Y`nyEt+=+wdU{2^@IQ4EXr6-CHbG=}(kVIx#67D{ zTIot&6vs8l;PukF<~CJr7^*fZB}^Q7tLSO1E}xgZudAULV7^zk>#EIP&IRqHwz{$g zScT#)K_T2+(_UDbcm=Bz3WN1rFyOE5qymV9v)@?@FnG3FYO|Lb%}q&X&diQX#CnXF zB(V}p?Km+p*`E#}TQ7!~l5``6w07r}S2)HCDeo;S>OGc;l{Ldvf?rCpF+pzIeo(Vh zNUQb=rh>(#+7jiBDJ|v|XtZB6eKlOhkRKx5TmXHrqQOn$64tMj6F%*V(u+?HfhUr1 za|-75CpA&$MIHrVrFcffSA-CVBSgfT5M_~iZI{Wy=-}+WRUTwuys+)u;qh+V&AcOT zWwxPF9DzJHmR46t2Wfax{uM-}Nf2M0Zg)-WTGR{Y1kCWjn`m_PBJ*+HXH^I*CP?z* z)z^zORhFn_eaG03-k%uATnV_93pO$m%Juq8Bg9>!6A&vsp;q}lb#7tNfsKitVd|nv zpmqHLHq4Z0{nb_Xp=%W}b~|wEItrA4N-|E(Evj)1{)FvX(7~#ZlSO&_L?_&XC0t*7 z60T=1#E&b#R^VXTdbxlqwax*m*)51N6j)GO&XGEVb%>VS`k-CB=dNA9vvak>+r(Kd>)pg;u*FzUl{qmxCol0@wsUvnTT*a_h|SckF90%oq3!JB$A zHrvHm1q9)9B7seLD?@qHbgE#hb_2G79s=otyN)Qxe&g*`nwLx%)E#4ELRdakB7tk0 zA$;{crqhlf$lblM{jO^1F=kaTOXFd%Qu>AVsxh4T;vwR?fqU7DQ9H(Q{&rKwMX(oF 
zJgMO%7hto^W~LG6-10i5(r||hI|II3T%)Sl#jh`V=;}DwUfhwdg05t8>EO*Wt0&`2 zo~%uQ_XRf*awirJnS*)KN9-eBgs5%XpCq%H&FEp;(oDLDiG=_O?FNm8083Pav&lKn znP6s>CX1@@OoAw@PrW`D%1VV<5@y=s_&c!Ny!$xs)Rv&(Duz#0@t^Nl8|?*2^)9@3j#04jlaz} z9{DmN71{ua`?PS~GzT>hW6#5-v*+|I{nAseNjZVd#pexr6vrs?DwOuZ1mMi>HX(n0 zypm1i=vjr%sp5x_D;o7i1enp4JFb$hDLm+eXp37=M+Xelq7#lylzyUd^RX|hp^7e1 zuk1kyq=*v?jf~*}aYoz)fe2-L)7K0xZs7nugKIhj@7g}+A0@Y)h_`(Oy&(?}x=n{~i(HZ~onXYyOw(Tk>rDpAs;fsNWO5G4739QwsU=3OMtQ zy(gUwRtEx#(#>=3q9A-GEZ`p=f|Vhvo5!VMTic)eBO7I0)C>Kt+qaJM75N8woE<+f zen-fdnCe`m*aF_2{|c(DI1QYTb79E;3OYsmud}{h6Q=L$_%d2iyCst0|CXe6SK})P za=GA!dT~B%$Pp4Y4GGadk8fm!udvuU$C-F*2tV%PD%P__`5^$m z$L*T@|8UjzhKkUt`HY`|xH&o6biRhrv`)>o!gT$u^Not!lU zu6CBAvkG?ZA{gWqTfp_vuWcR4@=mJTN|D3?P!f~>3Yzd^bPcEg1fD$MR8_$z)^t6N z%#6gsHbR0+0B<^uL0=0fL`5noDH-9(IQxP#o9=#A=oC|6;yw{u$?dbJ5vHnI7VChR z=kE1crT;+6?6;;0!^p} zyD=^el+marKBY?`NN44bt*tWGpF%76l;kDH&$69p$7`<>N56OD)z`frDshy%mMT4} z1OcBLT+E_y+p}d&-E*%qfZ}DmXCKt}xE>!OfPa|qn|Kb2V)9d6jm^L!TV#s|azl~wM&dAgi@DL= zHCB$j0zV%5UMDih^no+;kSoj8qzDQ8X2MuU^*!c40UJImSFhfeEGf>2=&Ien=AR8v z%d?>XiHhdB#ZN@fvX2tv|1Ht;w5gbse{|%XC||elF-eW_@RAv&E7{1(6+2;(?eyEW^6j4h5k-~?VO5%g za&}mIN5t7D)xf5lih-qia1A1D-w-XB3!dfvcPp-m>5i zGB(wJrp{;!*0L5ndv6z8_I!!vT^ACtHRJBFN;vH)F`ttAfg8rmx~X^hYHcs)$HcZH z+uD+KoqRug{+NW@wEYxVZ_|rT+P~$8a^&PGF1vFwX34-7 zlAjK3d1Gh2T*LlF(i$ZG!ivmdgG4|K zbJ&a+OjbQ&mqqyJIN6U4#I*^;U6F|L{?I)!YTF>Li z+P9|lz4pDFtYb4}ljmuXS)ysn=3SPwJ9igqnxj$&P{|ev@MJW%y*?IA9cBVbp(^Ck zQc8T9u}+{EU{}+_UKESOITsJgra%%Ll6!c~J$2^inG0L?X6tJ4RbZ7>{^_=O5GE!e z4tsz@EeAtG1t!8+n$j{mc=%|%s(MxTMj%duBaa5+SJ#zD?+cjwUrt_w$CO0bO=pMd zEZ7@5B->h^!c}?cHeV%~W#hET$&HR-gTJ6b^r$+AdIpFI=Yi(r95A9xDQ*(Yj^aV4z;za-|% z)4i;$B!9K}siR5^AIpiwO{=HJOE!QE=mP!4#OiT{UV^Zohv6vLtPC=bt5xM`%G`PW z?T903jP8>+MdZ9KR=Qek?s=OL_We%|{?hhpu#=YE>1Wfa@qcu(st&Nc_^UIP^WQsT zS>p8)r=fRGy4rQ-QJLRRoq|76=n189 zG#kp9D`V3rA{4At_Hhef&4TfhAHZufFUVZ^Z%JpO9VFGK>;{Z3F`pgOU>|7lp297h z5{TJrG!d~A9#aFfJ2!>H8n-=h%QQ2GcaEa$;K@jqH&yG*76yCa$sKq;d-$}9`DNt~ 
z_bh$Rma+FRXc`y={u028cXN^dGQ1t*UGxh@ADJ~6Bl)1Q+Q9Ql5g%jSDRaT-R}f3= zuj)NHt(Lr--Yg){_j(k+jn04Awpno%Y4JiFS<&rqmb}mgfn_XI!ygJ!JY||hKkLNQ z0^CXx8ZG4}>WAGb0Mu;G-7RlYiy%#kk?Me0L_NSF)s*M6Lr-jG;{CcVA1X@(tu$hz zEYnId_tMkEdn86e!r}p%oa#Sx;g^r3y(2<3uc}MxP%P)dE&Jg5I9W?~7;}=W>knPul`?gTNm(fy?%v>A(O zPBdZ}9y8dDZJCMrsASe&O_=8vCC$%ZbL64nyLw0vQyTdK&xrX}jCsl}&rd=q27CVl zfx|>wUQ#1u=6mw#jZ4Qk(uejhajwGx zcB!_f3}Le`A5BkC7@i)K;?y^Dd>?!Z8K!Gy$dKI?jd^eUX&rCwRrSZsm)83JNV3I% z-$N2WpOd~j#gp_%Aw6(55#GO$B7?+Ct8Vr^r}bDwh!m0V57 zn|fne^9qOWzJ(+$?`V{fjk%8QcsV^m`0}yk?`L%J_mEUc9xQD~1P?#)ux!k|a$LW{ z^ZOZz{T{NTq>6|5t$CNN3$Mri`Tu;8fGZjJ?LxNay$E}~;7lGLutod%9>o8UTlwhx z?5O|huQ3%DGUvLh)2&kb6javB4Z9kaa{*nEeJ!L4TErbaW1xjmgyB{Mx;$ zv7JL+O@&Xl!h4dEcdyx(X(kjjr>rxRkd?Ff{m9%5sqa3DH8|aoPS_%`^4L1(gU2Zj e6*QH@e@fm%{y8DNGubs8Bn&*g{;zv|o%|oUjVSd1 literal 0 HcmV?d00001 diff --git a/docs/docs/security/diagrams/PublicUsers.md b/docs/docs/security/diagrams/PublicUsers.md new file mode 100644 index 00000000..5c1b023c --- /dev/null +++ b/docs/docs/security/diagrams/PublicUsers.md @@ -0,0 +1,27 @@ +### Public User Viewing Site +```mermaid +graph TD + subgraph "PUBLIC INTERNET" + PublicWebsiteViewers["Public Website Viewers"] + GAN["Google
Analytics"] + DAP["DAP"] + GTM["Google Tag
Manager"] + CDN["CDN"] + + PublicWebsiteViewers --> GAN + PublicWebsiteViewers --> DAP + PublicWebsiteViewers --> GTM + PublicWebsiteViewers --> |"usagoals.gov
HTTP 80 HSTS
HTTPS TLS/1.3 443
Read Only"| CDN + end + + subgraph "CLOUD.GOV" + DB[("S3 Static Site")] + WWW["WWW
(nginx)"] + Router["Router
[WAF]
[IP Whitelist]"] + + WWW --> |"HTTPS TLS/1.3 443
Read Only"|DB + Router --> |"HTTPS TLS/1.3 443
Read Only"|WWW + end + + CDN --> |"HTTPS TLS/1.3 443
Read Only"|Router +``` \ No newline at end of file diff --git a/docs/docs/security/diagrams/codeflow.md b/docs/docs/security/diagrams/codeflow.md new file mode 100644 index 00000000..8bdf4e4e --- /dev/null +++ b/docs/docs/security/diagrams/codeflow.md @@ -0,0 +1,17 @@ +### Code Workflow for Continuous Deployment +```mermaid +graph TD + A((Developer
MFA required)) -- Commit code --> B[Code repository] + B -- Automatically notify that a commit happened --> C{Continuous Deployment service} + C -- If dev branch, deploy --> D[Dev app on cloud.gov] + C -- If prod branch, deploy,
run tests --> E[Preprod app on cloud.gov] + E -- Test results --> C + C -- If preprod tests OK,
deploy prod branch --> F[Prod app on cloud.gov] + + style A fill:#1e90ff + style B fill:#1e90ff + style C fill:#1e90ff + style D fill:#1e90ff + style E fill:#1e90ff + style F fill:#1e90ff +``` \ No newline at end of file diff --git a/docs/docs/security/lato/README-tasks.md b/docs/docs/security/lato/README-tasks.md new file mode 100644 index 00000000..fd0cb829 --- /dev/null +++ b/docs/docs/security/lato/README-tasks.md @@ -0,0 +1,43 @@ +## PGOV MVP ATO + +* [PGOV ATO Risks](https://docs.google.com/document/d/1qirCn4MCu3PqM4UDQyz1NkMAefZoPYufIkQAbrmYQPA/edit?tab=t.0) +* [PGOV Security Work to do](https://docs.google.com/document/d/18zuBscEQThnAVG50Ea-13VFEg2hxB2Ln7U-V6uNnk00/edit?tab=t.0) + +### One day goals / deliverables + +* Appendices + * PTA + * FIPS + * IAM +* Inheritance: + * FedRAMP AWS + * FedRAMP GovCloud +* Migrate Github to GSA + +### One month goals + +* Access control, MFA via Login.gov +* Pre-commit LINT, SAST checks + +### Six month goals + +* Provide basis for security assessment + * Consider [Threat Modeling](https://www.threatmodelingmanifesto.org/) + * Consider [Lightweight Cloud Security Principles](https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles) +* Sites scanned + * [PGOV Security Work to do \> Scanning](https://docs.google.com/document/d/18zuBscEQThnAVG50Ea-13VFEg2hxB2Ln7U-V6uNnk00/edit?tab=t.0) +* Generate Preview site from Drupal (for users with that privilege) + +### Tasks + +* API Developer + * Code review against OWASP API Top Ten +* Site Developer + * Has MFA access to github/pgov-cms + * Checked with OWASP Top Ten + * Has permission to push to github/pgov-cms + * Pushes to Dev branch +* Dev repo github actions + * Builds a new static FE site + * Provides a unique link to it (named after Jira ticket?) + * Optionally offers to run (groups of) tests diff --git a/docs/docs/security/lato/cis.md b/docs/docs/security/lato/cis.md new file mode 100644 index 00000000..dec9f0ee --- /dev/null 
+++ b/docs/docs/security/lato/cis.md 
@@ -0,0 +1,189 @@ +### Lightweight Control Implementations + +From: [PGOV Lightweight Authorization Process Control Implementation Summary](https://docs.google.com/spreadsheets/d/1uiWp6bSRQcnkb24rKETR9SG0vleW2FWe3muvDZH9cBA/edit?gid=280162261#gid=280162261) + +#### AC-02 Account Management + +1. PGOV has defined three types of accounts with a number of sub-roles + 1. Drupal Content Management + 1. Agency: Reporter, Coordinator, Manager, Executive Reviewer + 2. OMB: Management, Examiner + 2. Drupal Application Team: Administrator, Account Manager, Developer + 3. Cloud.gov Infrastructure Team: Pipeline developer, Cloud Build Manager +2. The Information System Owner (ISO) appoints an Account Manager +3. Group and role membership criteria is documented in Governance document +4. Authorized users and their roles + 1. Are maintained in a machine readable format + 2. Include privileges/capabilities: (\* \== MVP) + 1. Drupal + 1. \*Create new Agency report template + 2. View only report content + 3. \*View/add/edit report content + 4. View/set report status + 5. Spin up report Preview site (replace existing) + 6. \*Spin up Agency Preview site (replace existing) + 7. View/comment on report Preview site + 8. View/comment on Agency report site +5. ISO approval is required to create a new account +6. Account privileges in a ticket according to configuration management processes +7. Account login, actions, logout is logged (monitored) +8. The Account Manager is notified within 1 business day when system usage or need-to-know changes for an individual +9. The Account Manager authorizes system access according to need-to-know +10. No HVAs in PGOV +11. No shared or group accounts +12. 
Account Management is aligned with personnel termination and transfer + +#### AC-03 Access Enforcement + +* Drupal permissions ensure approved authorizations for the Drupal roles +* GSA MFA is required for Cloud access (tbd: brokered by login.gov) + +#### AC-06(05) Least Privilege | Privileged Accounts + +* All accounts are privileged and granted need-to-know privileges + +#### AC-06(09) Least Privilege | Log Use of Privileged Functions + +* All system usage is logged + +#### AU-02 Event Logging + +1. Logging is in place for: + 1. **All b**ackend (Drupal) system events (list…) + 2. Frontend page hits, queries +2. Event logging is coordinated with audit information collection to minimize overlap +3. Types of event logging (list…) +4. The events logged meet or exceed industry and private sector standards +5. Event types logged are reviewed at least yearly + +#### AU-06(01) Audit Record Review, Analysis, and Reporting | Automated Process Integration + +* Automatic logging collection and monitoring is inherited from cloud.gov + +#### CA-07 Continuous Monitoring + +1. System-level metrics monitored include + 1. Backend privileged user logins + 2. Frontend page response time +2. … +3. … + +#### "CA-08\* \-if Internet accessible/HVA" Penetration Testing + +* OWASP ZAP is used for penetration testing of development instances +* The ISO, ISSO, and ISSM coordinates with the OCISO Pen Testing team’s penetration testing services. See CIO-IT Security-Privacy-18-90. + +#### "CA-08(02)\* \-if HVA" Penetration Testing | Red Team Exercises + +* N/A \- No HVAs, no Red Team Exercises + +#### CM-02(02) Baseline Configuration | Automation Support for Accuracy and Currency + +* Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using \[*automated mechanisms as identified in the SSPP/CM Plan*\]. 
+ +#### CM-03(01) Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes + +* All changes are + * Documented fully through the project ticketing system (Jira) + * Implemented in source code controlled (Github) repositories + +#### CM-06(01) Configuration Settings | Automated Management, Application, and Verification + +* All configuration changes are + * Managed through Jira and Github + * Applied through github actions pipelines (Infrastructure as Code) + * Verified through automated testing included in the pipelines + +#### CM-07(05) Least Functionality | Authorized Software \- Allow-By-Exception + +1. Only packages approved by the Governance Board can be deployed within the environment. +2. PGOV implements a deny-all permit-by-exception policy and ensures that only approved packages can be deployed within the environment. All software library versions are “pinned” and these definitions are included as lock files within the repository. Changes to this software access list go through the standard change control procedure including Governance Board approval. +3. Review and update the list of authorized software programs annually. + +#### CM-08(02) System Component Inventory | Automated Maintenance + +* A current, complete, accurate, and readily available inventory of PGOV components can be viewed through the Cloud.gov dashboard or through the Cloud.gov CloudFoundry CLI. +* PGOV is hosted on the Cloud.gov Platform as a Service where underlying infrastructure components are not exposed directly to the PGOV team. Interaction with Cloud.gov infrastructure and configurations are restricted to actions allowed through the CloudFoundry Client and the Cloud.gov Dashboard only. +* The source code for all PGOV infrastructure components and their baseline configurations are stored in the PGOV GitHub repository at the following location: [https://github.com/CivicActions/pgov-cms/](https://github.com/CivicActions/pgov-cms/) . 
+* The strategy of fixing versions of all dependencies for each build to ensure the accuracy, currency, and repeatability of deployments is utilized. +* There are three locations within the repo where application and build-time dependencies are defined: + * CI/CD infrastructure is defined in a Github actions config.yml file with individual docker container baseline configurations for separate build steps. + * Drupal baseline configuration is hardcoded into the composer.json and composer.lock file. + * Website theme build-time baseline configurations are hardcoded into a package.lock file. +* Deployable Container Images built by the CI/CD process are tagged with unique IDs to identify which set of baseline configurations is represented by each image. + +#### CP-07(01) Alternate Processing Site | Separation From Primary Site + +* PGOV relies on Cloud.gov to ensure that instance data are cloned across multiple regions, ensuring exact replication of functionality across stored instance data. + +#### IA-02 Identification and Authentication (Organizational Users) + +* All users are Organizational users with at least Tier 1 Public Trust clearance + +#### IA-02(01) Identification and Authentication (Organizational Users) | Multifactor Authentication to Privileged Accounts + +* All privileged users must use MFA to login +* Users must be Organizational users authenticating via Login.gov + +#### IA-02(02) Identification and Authentication (Organizational Users) | Multifactor Authentication to Non-Privileged Accounts + +* There are no non-privileged login accounts + +#### PL-02 System Security and Privacy Plans + +* ibid + +#### PL-08 Security and Privacy Architectures + +* CMS restricts access to data within Drupal based on User Role. Using the principle of least privilege, the WebOps Lead restricts which data is accessible to which team member by assigning component system accounts to individual GSA emails. 
Availability of the Egress, CMS, WWW, and WAF components are ensured by setting instance counts of all applications to be greater than one. + +#### RA-05 Vulnerability Monitoring and Scanning + +* OCISO provides monthly Invicti Scans. Upon receiving security scan results, the ISSO reviews and tracks all vulnerabilities within POA\&Ms. Critical and High findings are tracked as Jira tickets and remediations are scheduled for completion within a fifteen (15) day window. Moderate findings are tracked as Jira tickets and remediations are scheduled for completion within a ninety (90) day window. +* Pre-deployment on-demand vulnerability scans are generated by the Snyk tool. These scans check application code, application dependencies, and system libraries for potential vulnerabilities which may affect the system. Reported vulnerabilities are assessed by the WebOps Team and Governance Board for severity and remediation plan. +* Pre-deployment on-demand CIS Docker Benchmark scans are generated using the latest docker-bench-security container image available from Docker Hub. This audit checks non-host container and application configurations for potential vulnerabilities which may affect the system. Reported vulnerabilities are assessed by the WebOps Team and Governance Board for severity and remediation plan. +* Daily vulnerability scanning of pre-built application images is performed by the credentialed, agent-based Snyk tool within Docker Hub. These scans check application dependencies and system libraries for any newly discovered vulnerabilities which may affect the system. Reported vulnerabilities are assessed by the WebOps Team and Governance Board for severity and remediation plan. 
+ +#### RA-08\* Privacy Impact Assessments + +* PGOV includes no PII + +#### SA-11(01) Developer Testing and Evaluation | Static Code Analysis + +* *Describe pre-commit hooks here* + +#### SA-22 Unsupported System Components + +* PGOV is built using OSS components including Alpine Linux, Drupal, Nginx, and NextJS. During the standard development lifecycle, the latest stable version of these components along with any necessary software dependencies are included. The WebOps Team tests and deploys minor version updates on an ongoing basis, and evaluates and schedules major version updates as they become available. All OSS components used in PGOV are actively maintained. +* PGOV uses GitHub’s Dependabot and Snyk code scanning to alert the WebOps Team to outdated dependencies in the project’s code. + +#### SC-07 Boundary Protection + +#### SC-08(01) Transmission Confidentiality and Integrity | Cryptographic Protection + +* All data in transit is encrypted with TLS 1.2 or TLS 1.3 + +#### SC-28(01) Protection of Information At Rest | Cryptographic Protection + +* PGOV contains no additional sensitive data not covered by Cloud.gov’s built-in encryption at rest. + +#### SI-02 Flaw Remediation + +* The security update process follows standard change management procedures. +* Specific process for discovering, tracking and remediating flaws are defined for each system: + * PHP + * Drupal + * NextJS + * Container OS (Alpine?) + +#### SI-04 System Monitoring + +* SIEM dashboard + +SI-04(02) System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis +SI-04(04) System Monitoring | Inbound and Outbound Communications Traffic +SI-04(05) System Monitoring | System-Generated Alerts + +#### SI-07 Software, Firmware, and Information Integrity + +SI-10 Information Input Validation \ No newline at end of file
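Review bot: on the PublicWebsiteViewers --> CDN edge of PublicUsers.md, the label "HTTP 80 HSTS" is contradictory: browsers only honor Strict-Transport-Security on an HTTPS response and ignore it over plain HTTP, so port 80 should be shown as a redirect to 443 (with HSTS set on the HTTPS response) or as closed at the CDN. The Router node's "[IP Whitelist]" also needs a word on what it contains; for a public site the allowlist only makes sense if it holds the CDN's egress ranges, so that the WAF cannot be bypassed by requesting the cloud.gov route directly, and the diagram should say so. Minor: the file ends without a trailing newline.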
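Review bot: in codeflow.md the dev-branch path ("If dev branch, deploy --> D") reaches cloud.gov with no test or scan step, and the prod path runs tests only after the preprod deploy; neither path shows a review or merge gate between B[Code repository] and C{Continuous Deployment service}. Since README-tasks.md in this same patch lists "Pre-commit LINT, SAST checks" and OWASP code review as goals, add a node for those checks ahead of C, or state that branch protection on the prod branch enforces review, so the diagram matches the controls it is meant to illustrate. Minor: the file ends without a trailing newline.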
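Review bot: in README-tasks.md, under "Dev repo github actions", "Provides a unique link to it (named after Jira ticket?)" should state whether per-ticket preview sites are access-controlled; a unique URL is not authentication, and the six-month item "Generate Preview site from Drupal (for users with that privilege)" suggests previews are meant to be restricted. The open questions left as "?" (the Jira naming, "Optionally offers to run (groups of) tests") and "Checked with OWASP Top Ten" without saying what is checked are better tracked as explicit TODO items so a reader can tell decided process from open questions.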
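Review bot: in cis.md several controls are still empty or carry template text, which matters because the file is presented as the control implementation summary: SC-07 Boundary Protection has no body; SI-04(02), SI-04(04), SI-04(05), SI-07 and SI-10 are bare lines missing the "####" heading and any implementation; SA-11(01) reads "Describe pre-commit hooks here"; CM-02(02) keeps the bracketed "[automated mechanisms as identified in the SSPP/CM Plan]"; AU-02 and CA-07 have "(list…)" and "…" entries; PL-02 is "ibid" with no referent. Either fill these or mark them TODO explicitly. Two internal inconsistencies to resolve: AC-03 says Cloud access MFA is "tbd: brokered by login.gov" while IA-02(01) states users authenticate via Login.gov as settled, and SC-08(01) allows TLS 1.2 or 1.3 while PublicUsers.md labels every hop TLS/1.3 only. In CM-08(02), check the file names against the repo: GitHub Actions workflows live under ".github/workflows/" (a "config.yml" is the CircleCI convention), and npm writes "package-lock.json", not "package.lock".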