From d27ceac1cd069c83f2860ccaad8d93d6870dac67 Mon Sep 17 00:00:00 2001 From: ANIL SINGLA Date: Wed, 30 Apr 2025 22:39:26 +0530 Subject: [PATCH 01/30] Update besman-gitlab.sh updated gitlab url --- src/besman-gitlab.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/besman-gitlab.sh b/src/besman-gitlab.sh index 116fe03..1753cce 100755 --- a/src/besman-gitlab.sh +++ b/src/besman-gitlab.sh @@ -184,7 +184,12 @@ function __besman_install_gitlab() [[ ! -f /etc/gitlab/gitlab.rb ]] && __besman_echo_red "Gitlab-CE not installed properly" && return 1 __besman_echo_white "Updating gitlab domain and port ..." - sed -i "/^external_url/c external_url '$gitlabURL'" /etc/gitlab/gitlab.rb 2>&1 | __beslab_log + if [ ! -z $BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT ];then + sed -i "/^external_url/c external_url '$gitlabURL':$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT" /etc/gitlab/gitlab.rb 2>&1 | __beslab_log + else + sed -i "/^external_url/c external_url '$gitlabURL'" /etc/gitlab/gitlab.rb 2>&1 | __beslab_log + fi + sudo gitlab-ctl reconfigure 2>&1| __beslab_log __besman_echo_green "Gitlab initial configurations are done." From 0ad72b056d2edce2c85f81748722594731bbb63c Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 10:25:40 +0530 Subject: [PATCH 02/30] Create ai-security-lab-user-guide.md Added placeholder for BeSLab based AI Security Lab user Guide --- docs/_docs/ai-security-lab-user-guide.md | 851 +++++++++++++++++++++++ 1 file changed, 851 insertions(+) create mode 100644 docs/_docs/ai-security-lab-user-guide.md diff --git a/docs/_docs/ai-security-lab-user-guide.md b/docs/_docs/ai-security-lab-user-guide.md new file mode 100644 index 0000000..01458c2 --- /dev/null +++ b/docs/_docs/ai-security-lab-user-guide.md 
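Review bot: in the new `if` branch the port is appended outside the single-quoted string, so the line written to /etc/gitlab/gitlab.rb becomes `external_url 'http://host':8080`, which is not a valid Ruby string literal and will make the following `gitlab-ctl reconfigure` fail to parse the file; move the port inside the quotes, e.g. `sed -i "/^external_url/c external_url '$gitlabURL:$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT'" /etc/gitlab/gitlab.rb`. Two smaller points on the same hunk: quote the variable in the test (`[ -n "$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT" ]`) so a value containing whitespace cannot break the `[ ]` expression, and note that piping `sed -i ... 2>&1 | __beslab_log` discards sed's exit status, so a failed rewrite is logged but never returned as an error; check `${PIPESTATUS[0]}` (or `set -o pipefail`) before proceeding to reconfigure. If `$gitlabURL` can already carry a port, the branch will also produce a doubled `host:port:port`; worth a guard or a comment on the expected format.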
@@ -0,0 +1,851 @@ +# **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** + +## **1\. Introduction to the BeSLab AI Security Lab** + +### **1.1 Purpose and Need** + +In the contemporary digital landscape, organizations increasingly rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models to drive innovation and operational efficiency. However, this reliance introduces significant security risks stemming from vulnerabilities within these third-party components and the unique attack surfaces presented by AI models themselves. Managing these risks requires a structured, proactive approach. Establishing a dedicated AI Security Lab provides the CISO's organization with the in-house capability to systematically assess, manage, and mitigate the security risks associated with OSS and AI artifacts used or considered by the enterprise. + +### **1.2 The Be-Secure Philosophy and BeSLab Blueprint** + +The Be-Secure initiative aims to empower organizations and the broader community to fortify open source artifacts – including software projects, ML models, and training datasets – against potential vulnerabilities.1 The BeSLab blueprint emerges from this philosophy, offering a design for an open-source security lab. It is not a single software product but rather an architectural pattern and a collection of tools and processes designed to create a comprehensive security assessment environment.1 A key goal is to provide application security and security operations teams with complete control and transparency over the assessment process for these critical components.1 + +### **1.3 Value Proposition for the CISO** + +Implementing a BeSLab instance offers tangible benefits for the CISO's organization: + +* **Standardized Assurance:** Establishes consistent, repeatable processes for security assessments of OSS projects and AI models. 
+* **Centralized Visibility:** Provides a single pane of glass (via BeSLighthouse) for tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and associated Vulnerabilities of Interest (OSSVoI).1 +* **Reduced Risk Exposure:** Proactively identifies and facilitates the mitigation of vulnerabilities in critical dependencies before they can be exploited. +* **Cost Efficiency:** Potentially reduces the overall cost of risk assessment compared to ad-hoc external engagements or manual reviews, especially as the number of tracked assets grows.1 +* **Internal Attestation:** Enables the generation of internal attestations or designations like Trusted and Verified Open Source Software (TAVOSS) for artifacts that pass the lab's scrutiny, providing a measure of internal assurance.1 + +### **1.4 Scope of this Guide** + +This document provides a comprehensive user guide for setting up, configuring, and operating a *private* AI Security Lab based on the BeSLab blueprint within an enterprise environment. It specifically focuses on the 'Lite Mode' deployment, which integrates essential components onto a single host, and details the integration with GitLab Community Edition (CE) as the code collaboration platform. The guide covers the full lifecycle: architecture, prerequisites, installation, onboarding of users, projects, models, and tools, operational workflows for various security assessments, reporting (OSARs), governance (RACI), and configuration of default components. + +## **2\. BeSLab Architecture and Components** + +### **2.1 Blueprint Overview** + +Understanding the BeSLab architecture requires recognizing it as a *blueprint* – a template defining how various components interact to form a functional security lab.1 It leverages existing open-source tools and defines specific Be-Secure utilities and data structures to create a cohesive system for assessing and managing the security of open source artifacts. 
The architecture is designed for flexibility, allowing organizations to tailor the lab's capabilities to their specific needs. + +### **2.2 Core Components** + +A typical private BeSLab instance, as described in this guide, comprises the following core components: + +* **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the backbone of the BeSLab instance. It hosts critical datastore repositories containing configurations, asset definitions (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and assessment results (OSARs).1 The choice of GitLab CE provides a robust, self-hosted platform with features supporting collaboration, version control, and potentially CI/CD integration for automating assessment workflows. + * This Git-centric design inherently supports a **GitOps workflow** for managing the lab itself. All configurations and operational state definitions reside in Git repositories. Changes to the lab's setup, tracked assets, assessment playbooks, or environments are managed through Git commits, providing version history, auditability, and the ability to roll back changes. This approach enhances manageability, reproducibility, and disaster recovery capabilities for the lab infrastructure. +* **Datastore Repositories:** Specific Git repositories within the SCM platform are designated for storing different types of lab data. Common examples include: + * BeSEnvironment: Stores definitions and scripts for creating assessment environments. + * BeSPlaybook: Contains the scripts and configurations defining assessment workflows. + * BeSAssessment: Archives the generated Open Source Assessment Reports (OSARs) and associated metadata. 
+ * Asset Stores (e.g., besecure-assets-store): Repositories holding lists and details of tracked OSSPoI, OSSMoI, etc..2 The specific structure and naming convention are important for tools like BeSLighthouse to locate and interpret the data correctly.2 +* **BeSLighthouse:** A web-based dashboard application that serves as the primary user interface for visualizing the lab's data.1 It reads information directly from the designated Git datastore repositories and presents visualizations of tracked assets (PoI, MoI), associated vulnerabilities (VoI), assessment status, and links to detailed reports.2 Its reliance on the Git backend reinforces the GitOps model, as the dashboard reflects the state defined in the repositories. +* **BLIman (BeSLab Lifecycle Management):** A command-line interface (CLI) utility specifically designed for deploying, configuring, and managing the lifecycle of a BeSLab instance.1 It utilizes a configuration file (genesis.yaml) to define the lab's parameters and provides commands like bli load (to load configuration), bli initmode (to set the deployment mode, e.g., 'lite'), and bli launchlab (to orchestrate the installation of components like GitLab CE and BeSLighthouse).1 + * Proficiency with CLI tools is essential for administrators managing the BeSLab instance. The reliance on BLIman for core management tasks means that automation efforts, operational runbooks, and troubleshooting will heavily involve executing and scripting these commands. 
+* **BeSman (BeS Environment Manager):** Another CLI utility that works in conjunction with BLIman, specifically responsible for creating and managing BeSEnvironments.1 It is typically installed and initialized as part of the BLIman setup process and is used by playbooks or scripts to provision the necessary runtime environments for security tools.1 +* **BeSEnvironment:** Represents a customized computing setup, often containerized or defined by setup scripts, containing the specific tools, libraries, and dependencies required to execute a particular set of security assessments.1 These environments ensure that assessments run consistently and with the correct prerequisites. They are defined in the BeSEnvironment repository and managed by BeSman.1 +* **BeSPlaybook:** An automated workflow or script designed to orchestrate specific security assessment tasks.1 A playbook typically defines which BeSEnvironment to use and which BeSPlugins (security tools) to execute in sequence, along with any necessary configuration or data handling steps. Playbooks codify the assessment process for different types of assets or security checks (e.g., SAST for Python, AI model safety scan). +* **BeSPlugin:** Represents an integration wrapper for a specific security tool (e.g., SAST scanner, DAST scanner, SCA tool, secrets detector, AI model analyzer). Plugins are the "workhorses" of the lab, performing the actual security scans. They are invoked by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of the integrated BeSPlugins. The BeSLab framework is extensible, allowing new tools to be integrated as plugins over time. 
+ +### **2.3 Key Concepts** + +Understanding the following concepts is crucial for operating the BeSLab effectively: + +* **OSSPoI / OSSMoI / OSSVoI:** + * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects that the organization uses or depends on, which are onboarded into the lab for continuous security assessment and monitoring. + * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by the organization, onboarded for security and safety assessments. + * **OSSVoI (Open Source Vulnerabilities of Interest):** Represents the specific vulnerabilities (often identified by CVE numbers or other identifiers) discovered in the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities.1 +* **OSAR (Open Source Assessment Report):** The standardized output report generated after a BeSPlaybook completes an assessment run on an OSSPoI or OSSMoI.1 It details the scope, methodology, findings (including OSSVoI), risk posture, and potentially remediation guidance. OSARs should ideally conform to the BeS Schema for consistency.4 +* **TAVOSS (Trusted and Verified Open Source Software):** A designation indicating that an OSS project or AI model has undergone a defined assessment process within the BeSLab instance and meets certain security criteria established by the organization.1 Achieving TAVOSS status is an *outcome* of the lab's assurance activities, signifying a higher level of confidence in the artifact's security posture based on the internal assessment process.3 The lab might facilitate the distribution or identification of these TAVOSS-designated versions internally.1 +* **OSAP (Open Source Assurance Provider):** Each BeSLab instance, whether private or public, functions as an OSAP.1 In the context of this guide (a private lab), the CISO's organization acts as its own internal OSAP, providing assurance services for the assets it chooses to monitor. 
+* **BeS Schema / Exchange Schema:** A standardized data format defined by the Be-Secure initiative to facilitate the exchange of information about assets, vulnerabilities, and assessments between different components of the BeSLab ecosystem and potentially between different BeSLab instances.1 Adherence to this schema promotes interoperability, enables consistent data processing and visualization (e.g., by BeSLighthouse), simplifies the development of tools that consume lab data, and ensures that generated reports (OSARs) have a uniform structure.4 This focus on standardization future-proofs the lab's data, even in a private deployment. + +## **3\. Prerequisites for Deployment** + +Before initiating the BeSLab installation, ensure the target environment meets the following prerequisites. Careful preparation prevents common setup issues. + +### **3.1 Hardware** + +A dedicated host machine (Virtual Machine recommended for flexibility) is required to run the core BeSLab components. + +* **Minimum:** 4 vCPU, 8 GB RAM, 16 GB Disk Space.1 *Note: This is the absolute minimum and may result in slow performance, especially for GitLab.* +* **Recommended for Enterprise Use:** 8+ vCPU, 16+ GB RAM, 100+ GB Disk Space (SSD recommended). Sufficient disk space is crucial for storing GitLab data (repositories, container registry, etc.) and potentially large assessment artifacts or logs. + +### **3.2 Software** + +The host machine must have the following software installed and configured: + +* **Operating System:** Ubuntu Linux (LTS version recommended, as per documentation examples 1). Other Linux distributions might work but may require adjustments. +* **Essential Utilities:** curl, unzip, bash, git, sudo access for the installing user.1 +* **Container Runtime:** Docker Engine or a compatible container runtime is required, as BLIman typically deploys GitLab CE and BeSLighthouse as containers. +* **NodeJS:** Required for BeSLighthouse. 
Version 16.0 or higher is specified.2 Install via package manager or NVM (Node Version Manager). +* **Python & pip:** May be required for specific BeSPlugins, BeSEnvironments, or alternative installation methods.1 Install Python 3 and pip. + +### **3.3 Network** + +Configure the network environment appropriately: + +* **IP Address/DNS:** The BeSLab host requires a static IP address or a resolvable DNS hostname within the enterprise network. This address will be used to access GitLab and BeSLighthouse UIs. +* **Internet Access:** The host needs outbound internet access to download BeSLab components (BLIman, Docker images for GitLab, BeSLighthouse, plugins), clone open-source repositories, and fetch vulnerability database updates. +* **Firewall Rules:** Ensure necessary ports are open: + * SSH (typically TCP/22) for administrative access. + * HTTP (TCP/80) and/or HTTPS (TCP/443) for accessing the GitLab web UI and API. + * BeSLighthouse Port (e.g., TCP/3000 default, or TCP/80 if configured 2) for accessing the dashboard UI. + * Potentially other ports if specific plugins or services require them. +* **Internal Connectivity:** Users (Analysts, Developers) need network access to the GitLab and BeSLighthouse UIs. Systems submitting assets might need API access to GitLab. + +### **3.4 GitLab CE** + +This guide assumes GitLab CE will be installed *by* the BLIman launchlab process. If an existing GitLab instance is intended for use, significant manual configuration beyond the scope of this standard installation guide would be required to integrate BeSLab components and repositories correctly. 
+ +### **3.5 User Accounts** + +* **Host OS:** An operating system user account with sudo privileges is required to perform the installation steps.1 +* **GitLab:** Initial administrative credentials for GitLab will be set during installation (via genesis.yaml) and must be changed immediately upon first login.1 + +### **3.6 Prerequisites Summary Table** + +The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. + +| Category | Requirement | Details / Recommendations | Reference | +| :---- | :---- | :---- | :---- | +| **Hardware** | CPU | Min: 4 vCPU, Recommended: 8+ vCPU | 1 | +| | RAM | Min: 8 GB, Recommended: 16+ GB | 1 | +| | Disk Space | Min: 16 GB, Recommended: 100+ GB (SSD) | 1 | +| **Software** | Operating System | Ubuntu LTS Recommended | 1 | +| | Utilities | curl, unzip, bash, git, sudo access | 1 | +| | Container Runtime | Docker Engine or compatible | Implied | +| | NodeJS | v16.0+ | 2 | +| | Python | Python 3, pip (Optional, depending on tools/methods) | 1 | +| **Network** | Host Addressing | Static IP or resolvable DNS hostname | Required | +| | Internet Access | Outbound access for downloads/updates | Required | +| | Firewall Ports | SSH (22), HTTP/S (80/443 for GitLab), BeSLighthouse Port (e.g., 3000 or 80), potentially others | Required | +| | Internal Access | User access to GitLab/BeSLighthouse UIs | Required | +| **Accounts** | Host OS User | User with sudo privileges | 1 | +| | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | 1 | + +**Table 1: Prerequisites Summary** + +## **4\. BeSLab Installation Guide (Private Lite Mode via BLIman)** + +### **4.1 Overview** + +This section provides step-by-step instructions for installing a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool.1 Lite Mode typically installs all core components, including GitLab CE and BeSLighthouse, onto the single prepared host machine. 
The installation is driven by the genesis.yaml configuration file. + +### **4.2 Step 1: Prepare the Host** + +Ensure the designated host machine meets all prerequisites outlined in Section 3\. Log in to the host machine using a user account with sudo privileges.1 + +### **4.3 Step 2: Install BLIman** + +BLIman is the primary tool for managing the BeSLab lifecycle.1 Install it using the following commands (referencing the official Be-Secure/BLIman repository for the latest instructions, as indicated in 1): + +Bash + +\# Example installation commands (Verify against official BLIman README) +\# Download the installer script (URL might change) +curl \-sSL \ \-o install-bliman.sh + +\# Run the installer script +sudo bash install-bliman.sh + +\# Clean up installer script +rm install-bliman.sh + +\# Verify installation by checking the help command +bli help + +Successful execution of bli help should display the available BLIman commands. + +### **4.4 Step 3: Configure genesis.yaml** + +The genesis.yaml file defines all configuration parameters for the BeSLab instance.1 Create this file in your current working directory (e.g., /home/user/beslab\_setup/genesis.yaml). + +Below is a sample structure for a private Lite Mode deployment. **Customize the values** (especially URLs, IPs, ports, and initial credentials) according to your environment. 
+ +YAML + +\# Sample genesis.yaml for Private Lite Mode +\# \--- Global Configuration \--- +beslab\_mode: "lite" \# Specifies Lite Mode deployment +deployment\_type: "private" \# Specifies a private instance + +\# \--- GitLab Configuration \--- +gitlab: + host\_url: "http://\" \# \*\*REQUIRED\*\*: URL users will use + initial\_root\_password: "\" \# \*\*REQUIRED\*\*: Set a strong temporary password + \# Optional: Specify ports if not default 80/443/22 + \# http\_port: 80 + \# https\_port: 443 + \# ssh\_port: 22 + \# Optional: Specify data volume path + \# data\_volume: "/srv/gitlab/data" + +\# \--- BeSLighthouse Configuration \--- +beslighthouse: + host\_ip: "0.0.0.0" \# Listen on all interfaces within the container + host\_port: "3000" \# \*\*REQUIRED\*\*: Port BeSLighthouse will listen on (e.g., 3000\) + \# Optional: Specify data volume path + \# config\_volume: "/srv/beslighthouse/config" + +\# \--- Other Optional Configurations (Add as needed based on BLIman documentation) \--- +\# Example: Default user settings, registry settings, etc. + +**Critical Security Note:** Set a strong, unique initial\_root\_password for GitLab. This password **must** be changed immediately after the first login to the GitLab UI. Do not use default or easily guessable passwords. Store this genesis.yaml file securely, as it contains sensitive initial configuration details. + +### **4.5 Step 4: Load Configuration** + +Use BLIman to parse and load the configuration from your genesis.yaml file 1: + +Bash + +\# Ensure you are in the directory containing genesis.yaml or provide the full path +bli load genesis.yaml + +BLIman will validate the file structure and load the parameters. Address any errors reported. + +### **4.6 Step 5: Initialize Mode** + +Initialize BLIman for the specified deployment mode ('lite' in this case) 1: + +Bash + +bli initmode lite + +This command prepares BLIman and potentially sets up necessary base configurations for the Lite Mode deployment. 
+ +### **4.7 Step 6: Initialize BeSman** + +Initialize the BeS Environment Manager (BeSman), which is typically installed by bli initmode 1: + +Bash + +source $HOME/.besman/bin/besman-init.sh + +This command loads BeSman functions into your current shell environment. Verify the initialization: + +Bash + +bes help + +Successful execution should display the available BeSman commands.1 + +### **4.8 Step 7: Launch the Lab** + +Initiate the BeSLab deployment process 1: + +Bash + +bli launchlab + +This command triggers the core installation process. BLIman will: + +* Download necessary Docker images (GitLab CE, BeSLighthouse, etc.). +* Configure and start the containers based on genesis.yaml settings. +* Set up networking and volumes. +* Potentially perform initial seeding of required GitLab structures (groups/projects). + +This step can take a considerable amount of time depending on network speed and host performance. Monitor the console output closely for any errors or prompts. + +### **4.9 Step 8: Initial Verification** + +Once bli launchlab completes successfully, perform these verification steps 1: + +1. **Access GitLab UI:** Open a web browser and navigate to the gitlab.host\_url specified in genesis.yaml. +2. **Login to GitLab:** Log in using the username root and the initial\_root\_password set in genesis.yaml. +3. **Change GitLab Password:** GitLab will immediately prompt you to change the default root password. Set a new, strong, unique password and store it securely. **This is a critical security step.** +4. **Access BeSLighthouse UI:** Open another browser tab and navigate to http://\:\ (e.g., http://192.168.1.100:3000). +5. **Verify BeSLighthouse Load:** The BeSLighthouse dashboard should load. Initially, lists like "Projects Of Interest" will likely be empty, which is expected.1 +6. 
**(Optional) Check Container Status:** On the BeSLab host, use docker ps (or the equivalent for your container runtime) to verify that the GitLab and BeSLighthouse containers (and any supporting containers) are running. + +Successful completion of these steps indicates that the core BeSLab infrastructure is installed and operational. + +## **5\. GitLab CE Integration and Repository Setup** + +### **5.1 Post-Installation GitLab Configuration** + +After the initial setup and password change, consider these basic GitLab configurations relevant to BeSLab operation: + +* **User Registration:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is highly recommended to *disable* new sign-ups (Sign-up enabled checkbox unchecked) and potentially enable Require admin approval for new sign-ups if self-registration is needed later. This ensures only authorized personnel can access the lab's SCM. +* **Group/Project Creation:** Navigate to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review permissions related to who can create top-level groups and projects. Initially, restricting this to Administrators might be prudent. +* **Runner Configuration (Optional \- Future Use):** If planning to use GitLab CI/CD pipelines to automate BeSPlaybook execution later, configure GitLab Runners (either shared or specific) that can execute jobs, potentially interacting with Docker or the BeSLab host environment. This is an advanced step not covered in the basic setup. + +### **5.2 Initializing Be-Secure Repositories** + +The BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations.1 While bli launchlab might perform some initial setup, manual creation or verification of the core repositories might be necessary. + +1. **Login to GitLab:** Log in as the root user or another administrative user. +2. 
**Create a Top-Level Group:** Create a new group to house all BeSLab-related repositories (e.g., besecure-lab). This helps organize the instance. +3. **Create Core Repositories:** Within the besecure-lab group, create the following projects (Git repositories): + * BeSEnvironment: Stores definitions for assessment environments. + * BeSPlaybook: Stores assessment playbook scripts. + * BeSAssessment: Stores OSAR output files and assessment metadata. + * besecure-assets-store (or similar name based on datastore.ts defaults): Stores lists/definitions of OSSPoI, OSSMoI, etc..2 + * Potentially others as required by specific configurations or future extensions. Initialize these repositories with a README file. The exact structure and initial content might need refinement based on specific playbook and plugin requirements. + +### **5.3 Configuring BeSLighthouse Connection** + +BeSLighthouse needs to know where to find the data repositories within your private GitLab instance.2 + +1. **Locate datastore.ts:** Access the BeSLab host machine via SSH. Locate the BeSLighthouse installation directory. The exact path depends on how BLIman deployed it, but it might be within a Docker volume mount or a standard location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, find the configuration file, typically src/config/datastore.ts or similar. +2. **Edit datastore.ts:** Open the file with a text editor (e.g., nano, vim). You will find variables defining the URLs for the datastore repositories. 
Update these URLs to point to the repositories created in your private GitLab instance within the besecure-lab group.2 + * Example (modify paths and URLs): + TypeScript + // Before modification (pointing to public GitHub) + // export const PoI\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assets-store.git"; + // export const Assessment\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assessment-datastore.git"; + + // After modification (pointing to internal GitLab) + export const PoI\_Repo\_URL \= "http://\/besecure-lab/besecure-assets-store.git"; + export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; + // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly + +3. **Restart BeSLighthouse:** For the changes to take effect, restart the BeSLighthouse service or container. If running via Docker: + Bash + \# Find the BeSLighthouse container ID or name + sudo docker ps + + \# Restart the container + sudo docker restart \ + +4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. While still empty, check browser developer tools (network tab) or container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated. + +This configuration establishes the crucial link between the visualization front-end (BeSLighthouse) and the Git-based data back-end, reinforcing the GitOps foundation and the importance of the standardized repository structure for the lab's operation. + +## **6\. Onboarding Guide** + +With the core BeSLab infrastructure in place, the next step is to onboard users, assets (projects and models), and the tools (plugins) required for assessment. + +### **6.1 User Onboarding** + +Define roles and assign appropriate permissions within GitLab to control access to lab resources. 
+ +* **Typical Roles:** + * **Lab Administrator:** Responsible for installing, configuring, maintaining, and upgrading the BeSLab instance; managing users; integrating core plugins/environments/playbooks. Needs high-level access. + * **Security Analyst:** Responsible for onboarding assets (OSSPoI/OSSMoI), triggering assessments, reviewing OSARs, triaging vulnerabilities (OSSVoI), and potentially customizing playbooks or integrating specific plugins. + * **Developer / Asset Owner:** Submits projects/models for assessment, consumes OSARs for their assets, responsible for remediation based on findings. Needs access primarily to their specific project results. + * **CISO / Management:** Oversight role, views dashboards (BeSLighthouse) and summary reports to understand organizational risk posture related to OSS/AI. Typically read-only access. +* **GitLab Permission Mapping (Example):** + * Lab Administrator: Owner role on the top-level besecure-lab group. + * Security Analyst: Maintainer role on the besecure-lab group (allowing repository management, potentially pipeline triggering). + * Developer / Asset Owner: Developer or Reporter role on specific BeSAssessment sub-projects or asset tracking repositories relevant to them. Access might be granted per project/asset. + * CISO / Management: Guest or Reporter role on the besecure-lab group for read-only access to repositories and potentially BeSLighthouse data sources. +* **Onboarding Process:** + 1. Lab Administrator logs into GitLab. + 2. Navigates to Admin Area \-\> Overview \-\> Users. + 3. Creates new user accounts or invites existing users. + 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. + 5. Invites users to the group, assigning the appropriate role based on the mapping above. Adjust permissions on specific sub-projects as needed for finer-grained control. 
+ +### **6.2 Project Onboarding (OSSPoI)** + +Onboarding Open Source Projects of Interest (OSSPoI) involves adding them to the lab's tracking system, typically managed within a Git repository. + +* **Definition:** OSSPoI are specific open-source software projects critical to the organization's operations or products, requiring security assessment. +* **Process:** + 1. Identify the target OSSPoI (e.g., a library used in a critical application). + 2. Locate the designated asset tracking repository in GitLab (e.g., besecure-assets-store). + 3. Clone the repository locally. + 4. Edit the relevant file (e.g., osspoi\_list.yaml, projects.json \- the exact format depends on BeSLab configuration) to add the new project. Include required metadata: + * Project Name (e.g., Apache Log4j Core) + * Source Repository URL (e.g., https://github.com/apache/logging-log4j2.git) + * Version(s) of interest (e.g., 2.17.1, main branch) + * Potentially, a flag indicating if it's designated for TAVOSS assessment. + 5. Commit the changes with a descriptive message. + 6. Push the changes back to the GitLab repository. + 7. (Optional) A GitLab CI pipeline or a webhook could trigger automated validation or initial processing upon commit. +* **TAVOSS Designation:** Marking an OSSPoI for TAVOSS implies it will undergo rigorous assessment according to defined playbooks, aiming to achieve the 'Trusted and Verified' status within the organization's context.1 This designation might be a flag in the asset list file or managed through group/project structure. +* **Example OSSPoI Candidates:** Identifying initial candidates helps jumpstart the lab's value. Consider projects based on criticality, usage prevalence, and known risk profiles. 
+ +| OSSPoI Candidate | Rationale | Potential Assessment Focus | +| :---- | :---- | :---- | +| Apache Log4j 2 | Critical logging library; past high-severity vulnerabilities | SCA (Dependencies), SAST (Java) | +| Apache Struts2 | Web framework; history of critical RCE vulnerabilities | SCA, SAST (Java), DAST | +| Spring Boot / Framework | Widely used Java application framework | SCA, SAST (Java), Secrets Scan | +| TensorFlow | Foundational ML framework | SCA (Python deps), SAST (Python) | +| PyTorch | Foundational ML framework | SCA (Python deps), SAST (Python) | +| Node.js Express | Common web framework for Node.js applications | SCA (npm), SAST (JavaScript/TS) | +| Internal Library X | Critical shared component developed internally | SAST, SCA, Secrets Scan | + +**Table 2: Example OSSPoI Candidates** + +### **6.3 Model Onboarding (OSSMoI)** + +Similar to projects, Open Source Models of Interest (OSSMoI) are onboarded for tracking and assessment. + +* **Definition:** OSSMoI are specific open-source AI/ML models used, fine-tuned, or considered for use within the organization. +* **Process:** Follows the same Git-based workflow as OSSPoI, updating a designated list (e.g., ossmoi\_list.yaml within besecure-assets-store). Required metadata typically includes: + * Model Name (e.g., BERT Large Uncased) + * Source URL (e.g., Hugging Face Hub URL, GitHub repo) + * Version/Identifier (e.g., commit hash, tag, specific file checkpoint) + * Base Model (if fine-tuned) + * License Information +* **Example OSSMoI Candidates:** Focus on models relevant to the organization's AI initiatives. 
+ +| OSSMoI Candidate | Rationale | Potential Assessment Focus | +| :---- | :---- | :---- | +| BERT (e.g., base-uncased) | Popular foundational NLP model | Model Scanning (operator safety, serialization), Provenance | +| Stable Diffusion (e.g., v1.5) | Widely used image generation model | Model Scanning, License Compliance, Potential Bias Checks | +| Llama (e.g., Llama-2-7b-hf) | Common open Large Language Model (LLM) | Model Scanning, Safety Alignment Checks, License Compliance | +| GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance | +| Internally Fine-tuned Model Y | Model derived from OSSMoI, used internally | Model Scanning (inheritance), Fine-tuning Data Privacy | + +**Table 3: Example OSSMoI Candidates** + +### **6.4 Tool Onboarding (BeSPlugins)** + +Integrating security tools via BeSPlugins is fundamental to the lab's assessment capabilities. + +* **Definition:** A BeSPlugin is the integration layer that allows a BeSPlaybook to invoke a specific security tool and process its results within the BeSLab framework. +* **Integration Process:** + 1. **Identify Tool:** Select the security tool to integrate (e.g., Semgrep for SAST). + 2. **Check Existing Plugins:** Consult the official Be-Secure/BeSLab-Plugins repository (as mentioned in the query) for pre-built plugins. + 3. **Develop/Configure Plugin:** If no existing plugin is suitable, one needs to be developed or configured. This typically involves: + * Creating a script or configuration file defining how to execute the tool (command-line arguments, input/output handling). + * Defining how to parse the tool's output into a standardized format (ideally aligning with BeS Schema elements for findings). + * Specifying dependencies required by the tool, which should be included in a relevant BeSEnvironment. + * Packaging the plugin according to BeSLab conventions (e.g., a directory structure within the BeSPlaybook or a dedicated plugin repository). + 4. 
**Define BeSEnvironment:** Ensure a BeSEnvironment exists (or create one) that contains the tool itself and all its runtime dependencies (e.g., specific Python version, libraries, OS packages). This might involve creating a Dockerfile managed within the BeSEnvironment repository. + 5. **Reference in BeSPlaybook:** Update or create a BeSPlaybook to invoke the new plugin at the appropriate stage of the assessment workflow. +* **Extensibility:** This plugin architecture is key to the lab's flexibility. As new security tools emerge or organizational needs change, new plugins can be added to enhance assessment coverage without altering the core BeSLab framework. The lab's value grows directly with the number and quality of its integrated plugins. +* **Example Default BeSPlugins:** Start with a core set of plugins covering common security assessment types. + +| BeSPlugin Example | Tool Integrated (Example) | Security Assessment Type | Purpose | +| :---- | :---- | :---- | :---- | +| Semgrep-Plugin | Semgrep | SAST | Static code analysis for various languages using pattern matching. | +| Trivy-Plugin | Trivy | SCA, Container Scanning | Detects vulnerabilities in OS packages and language dependencies. | +| Bandit-Plugin | Bandit | SAST (Python) | Finds common security issues in Python code. | +| Gitleaks-Plugin | Gitleaks | Secret Scanning | Detects hardcoded secrets (API keys, passwords) in Git history. | +| OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application security vulnerabilities. | +| ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | + +**Table 4: Example Default BeSPlugins** + +## **7\. AI Security Lab Operational Workflows** + +Once the lab is set up and initial assets/tools are onboarded, day-to-day operations involve standardized workflows for assessment and vulnerability management. 
+ +### **7.1 Asset Submission** + +The process for submitting new OSS projects or AI models for assessment needs to be defined. Options include: + +* **Manual Git Update:** As described in sections 6.2 and 6.3, authorized users (Developers, Analysts) clone the asset repository, update the list, and push the changes. This is the simplest method aligned with the GitOps approach. +* **GitLab Merge Request (MR):** A more controlled process where developers submit MRs to the asset repository. Security Analysts review and approve the MR to formally onboard the asset. +* **API Integration (Advanced):** Develop an internal tool or script that interacts with the GitLab API to add assets to the tracking list, potentially triggered from other internal systems (e.g., CI/CD pipeline, internal software catalog). + +### **7.2 Assessment Execution** + +Assessments are performed by executing BeSPlaybooks against target assets. + +* **Triggering Mechanisms:** + * **Manual:** Security Analysts trigger playbooks via CLI commands (interacting with BeSman/BLIman or custom scripts) or potentially through a custom UI element (if developed). + * **Scheduled:** Configure cron jobs on the BeSLab host or use GitLab's CI/CD schedules to run specific playbooks periodically (e.g., daily SCA scans). + * **Event-Driven (Git Hooks/CI):** Configure GitLab CI/CD pipelines or webhooks on the asset repositories (or the main code repositories) to automatically trigger relevant playbooks upon events like new commits, merge requests, or new version tags. +* **Playbook Invocation:** The trigger mechanism selects and executes the appropriate BeSPlaybook based on the asset type (OSSPoI vs. OSSMoI), language/framework, and the desired assessment type (e.g., sast-python-standard, ai-model-onboarding-safety). +* **Environment and Plugin Use:** The selected playbook orchestrates the assessment 1: + 1. 
It typically invokes BeSman to prepare or launch the required BeSEnvironment (e.g., pulling/starting a specific Docker container). + 2. Within that environment, it executes one or more BeSPlugins in sequence. + 3. Each plugin runs its corresponding security tool against the target asset (code checkout, model file). + 4. Plugins collect and parse the results from the tools. +* **Modularity in Action:** This workflow highlights the modularity and extensibility of BeSLab. The effectiveness of an assessment hinges on the combination of the chosen Playbook, the completeness of the Environment, and the capabilities of the invoked Plugins. New assessment types can be added by creating new combinations of these components. + +### **7.3 OSAR Generation and Storage** + +Assessment results are formalized into standardized reports. + +* **Aggregation:** The BeSPlaybook (or a dedicated reporting script called by it) aggregates the findings from all executed plugins. +* **Formatting:** Results are formatted into an OSAR (Open Source Assessment Report), ideally conforming to the BeS Schema structure 4 (see Section 9.1 for details). This ensures consistency. +* **Storage:** The generated OSAR file (e.g., in JSON, YAML, or Markdown format) is typically committed to the BeSAssessment Git repository.1 The commit message or file naming convention should link the OSAR to the specific asset (OSSPoI/OSSMoI), its version/commit hash, and the assessment run timestamp or ID. This provides an auditable history of assessments. + +### **7.4 BeSLighthouse Visualization** + +BeSLighthouse serves as the central dashboard for monitoring lab activities and results.1 Users access it via a web browser to: + +* View lists of currently tracked OSSPoI and OSSMoI. +* Check the status of ongoing or completed assessments. +* Review historical assessment results for specific assets. +* Visualize aggregated vulnerability data (OSSVoI), potentially filtered by severity, asset, or time. 
+* Access direct links to the detailed OSAR files stored in the BeSAssessment repository for deeper investigation. + +### **7.5 Vulnerability Tracking (OSSVoI/CVEs)** + +A core function of the lab is tracking identified vulnerabilities. + +* **Identification:** BeSPlugins performing SCA, SAST, DAST, etc., identify potential vulnerabilities. These findings, including CVE identifiers where available, are captured in the OSAR. +* **Extraction & Storage:** A process (within the playbook or a post-processing step) extracts key vulnerability information (CVE ID, CWE ID, severity, affected component/version, description, location) from the OSAR. This structured data (OSSVoI) is stored, potentially: + * Directly within the OSAR file in a structured format (e.g., a findings array). + * In a separate dedicated vulnerability database or file within the BeSAssessment or another repository, linked back to the OSAR and the affected asset. +* **Visualization:** BeSLighthouse queries this structured OSSVoI data to provide aggregated views, trends, and lists of outstanding vulnerabilities across all tracked assets.2 +* **Triage & Remediation:** Security Analysts use the OSARs and BeSLighthouse data to triage new findings, prioritize remediation efforts based on severity and context, assign findings to relevant development teams, and track the status of remediation actions. + +### **7.6 OASP Engagement Options** + +While this guide focuses on a private, internal lab (acting as a private OSAP 1), there are potential future options for engaging with the wider ecosystem, subject to organizational policy: + +* **Contribute Back:** Share identified vulnerabilities and suggested patches back to the upstream open source projects. +* **Data Sharing:** Anonymize and share vulnerability trend data (using the BeS Exchange Schema 1) with trusted partners, industry groups (ISACs), or Be-Secure community initiatives to contribute to collective security intelligence. 
+* **Consume External Data:** Integrate external vulnerability feeds (e.g., NVD, vendor advisories, other OSAP reports) to correlate with internal findings and enrich the OSSVoI data. + +## **8\. Configuring Default Lab Components** + +To ensure the BeSLab instance provides immediate value upon setup, it's essential to configure a baseline set of Environments, Playbooks, and Plugins. These defaults provide core assessment capabilities that can be expanded later. + +### **8.1 Purpose of Defaults** + +Defining default components establishes a foundational set of security checks applicable to common languages, frameworks, and asset types within the organization. This allows the lab to start performing basic assessments quickly after installation and onboarding the first assets. + +### **8.2 Default BeSEnvironments** + +These environments provide the necessary runtime context for common security tools. They are typically defined as Dockerfiles or setup scripts within the BeSEnvironment repository. + +| BeSEnvironment Name | Key Components Included | Purpose | +| :---- | :---- | :---- | +| python-base-env | Python 3.x, pip, common build tools, Git | Running Python-specific SAST (Bandit, Semgrep) & SCA tools. | +| node-base-env | NodeJS (LTS), npm/yarn, Git | Running JavaScript/TypeScript SAST/Linters, SCA (npm audit/yarn audit). | +| generic-scanner-env | Base Linux (e.g., Alpine/Debian), curl, jq, git, Trivy | Running generic scanners like Trivy (FS), Gitleaks, or simple scripts. | +| ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps, Git | Dedicated environment for AI model security/safety scanning tools. | +| java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java SAST/SCA tools. | + +**Table 5: Example Default BeSEnvironments** + +### **8.3 Default BeSPlaybooks** + +These playbooks combine environments and plugins to perform standard assessment workflows. They reside in the BeSPlaybook repository. 
+ +| BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | +| :---- | :---- | :---- | :---- | :---- | +| sast-python-standard | python-base-env | Semgrep-Plugin, Bandit-Plugin | On Commit / Pull Request | Basic static analysis security checks for Python projects. | +| sca-generic-standard | generic-scanner-env | Trivy-Plugin (FS mode) | Daily / Weekly | Scans project dependencies for known vulnerabilities (CVEs). | +| secrets-scan-standard | generic-scanner-env | Gitleaks-Plugin | On Commit / Pull Request | Detects potential secrets accidentally committed to Git history. | +| ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Performs initial safety/security checks on newly added AI models. | +| dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline) | Weekly / On Demand | Performs a basic dynamic scan against a deployed web application URL. | + +**Table 6: Example Default BeSPlaybooks** + +### **8.4 Default BeSPlugins** + +The recommended initial set of plugins provides coverage across essential security domains. Refer back to **Table 4: Example Default BeSPlugins** (Section 6.4) for the list, including tools like Semgrep, Trivy, Bandit, Gitleaks, OWASP ZAP, and an AI Model Scanner. Integrating these plugins provides the foundational scanning capabilities orchestrated by the default playbooks. + +## **9\. Reporting and Governance** + +Effective operation of the AI Security Lab requires standardized reporting and clear governance structures. + +### **9.1 Sample OSAR Structure** + +Consistent reporting is vital for tracking findings, comparing assessments over time, and communicating risk effectively. 
The Open Source Assessment Report (OSAR) should be structured logically, ideally aligning with the principles of the BeS Schema.4 + +| OSAR Section | Content Description | Purpose | +| :---- | :---- | :---- | +| **Metadata** | Assessment ID, Timestamp, Asset ID (OSSPoI/OSSMoI Name), Asset Version/Commit, BeSPlaybook Used, BeSEnvironment Used, Triggering Event (if applicable). | Uniquely identifies the assessment and its context. | +| **Executive Summary** | Brief overview of the assessment scope, key findings, overall risk level (e.g., Critical, High, Medium, Low), and critical recommendations. | Provides a high-level snapshot for management and quick triage. | +| **Asset Details** | Full Name, Source URL, Description, Exact Version/Commit Hash Assessed, License Information (if applicable). | Clearly identifies the specific artifact that was assessed. | +| **Assessment Scope & Methodology** | Description of the checks performed, list of tools (BeSPlugins) executed, specific configurations used (e.g., scan depth, rule sets), any limitations or exclusions. | Defines the boundaries and methods of the assessment for accurate interpretation of results. | +| **Findings Summary** | Aggregated counts of findings categorized by severity (e.g., Critical, High, Medium, Low, Informational). May include charts or tables. | Provides a quantitative overview of the identified issues. | +| **Detailed Findings** | A list of individual findings. Each finding includes: Finding ID, Description, Severity, Status (New, Triaged, Mitigated, False Positive), Location (File, Line, Model Layer, Dependency Name), Evidence/Code Snippet, Remediation Guidance, Associated Identifiers (CVE, CWE \- constituting OSSVoI). | Provides actionable details for each identified vulnerability or issue for analysts and developers. | +| **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. 
May reference TAVOSS criteria if applicable. | Formally documents the outcome and confidence level derived from the assessment process. | + +**Table 7: OSAR Sample Structure** + +### **9.2 RACI Matrix** + +A RACI (Responsible, Accountable, Consulted, Informed) matrix clarifies roles and responsibilities for key lab activities, ensuring smooth operation and accountability. + +| Activity | CISO | Lab Administrator | Security Analyst | Developer Lead / App Owner | Legal / Compliance | +| :---- | :---- | :---- | :---- | :---- | :---- | +| Lab Setup/Config | A | R | C | I | I | +| User Onboarding | A | R | C | I | I | +| OSSPoI Onboarding | A | C | R | C | I | +| OSSMoI Onboarding | A | C | R | C | C | +| BeSPlugin Integration | A | R | C | I | I | +| Assessment Execution/Scheduling | I | C | R | I | I | +| OSAR Review/Triage | C | I | R | C | C | +| Vulnerability Remediation Tracking | A | I | R | C | I | +| Vulnerability Remediation Implementation | I | I | C | R | I | +| Lab Maintenance/Upgrades | A | R | C | I | I | +| Policy Definition (Scope, SLA) | A | C | C | C | R | + +**Table 8: RACI Matrix** *(R=Responsible, A=Accountable, C=Consulted, I=Informed)* + +### **9.3 Governance Considerations** + +Beyond the RACI matrix, establish clear policies and procedures: + +* **Asset Onboarding Criteria:** Define rules for which OSSPoI and OSSMoI must be onboarded (e.g., based on usage in critical systems, external facing applications, handling sensitive data). +* **Assessment Frequency:** Define minimum assessment frequencies based on asset criticality and type (e.g., SAST/Secrets on commit, SCA daily, DAST weekly, Model Scan on update). +* **Vulnerability Triage Process:** Document the workflow for reviewing new findings, assigning severity based on organizational context, determining validity (true positive/false positive), and assigning ownership. +* **Remediation SLAs:** Define expected timelines for acknowledging and fixing vulnerabilities based on severity levels. 
+* **Tool Validation & Updates:** Regularly review and update integrated BeSPlugins and their underlying tools. Validate tool effectiveness periodically. +* **Reporting Cadence:** Define how and when assessment results and risk posture summaries are reported to the CISO and other stakeholders. + +## **10\. Deployment and Interaction Diagrams (PlantUML)** + +The following diagrams illustrate the BeSLab architecture and key operational flows. + +### **10.1 Diagram 1: High-Level Enterprise Deployment** + +Code snippet + +@startuml +\!theme plain +skinparam rectangle\<\\> { + borderColor Black + borderThickness 1 +} +skinparam node { + borderColor Black + borderThickness 1 +} +skinparam actor { + borderColor Black + borderThickness 1 +} + +rectangle "Enterprise Network" \<\\> { + actor "Security Analyst" as Analyst + actor "Developer" as Dev + actor "CISO / Mgmt" as CISO + + node "BeSLab Host (VM/Server)" as BeSLabHost { + cloud "Core BeSLab Services" as CoreServices + database "GitLab CE Data" as GitLabData + database "Config/Logs" as ConfigData + } + + node "Internal Code Repositories" as InternalRepos + node "Internal AI Model Stores" as InternalModels + node "User Workstations" as Workstations + + Analyst \-- BeSLabHost : Access UI/CLI + Dev \-- BeSLabHost : Access UI/Submit Assets + CISO \-- BeSLabHost : Access Dashboard (BeSLighthouse) + Workstations \--\> Analyst + Workstations \--\> Dev + Workstations \--\> CISO + + BeSLabHost \-- InternalRepos : Clone/Assess Code + BeSLabHost \-- InternalModels : Access/Assess Models +} + +cloud "Internet / External Sources" as Internet { + node "OSS Repositories (GitHub, etc.)" as OSSRepos + node "AI Model Hubs (Hugging Face, etc.)" as ModelHubs + node "Vulnerability Feeds (NVD, etc.)" as VulnFeeds + node "Plugin/Tool Updates" as Updates +} + +BeSLabHost \-- Internet : Fetch OSS Code, Models, Updates, Feeds + +@enduml + +### **10.2 Diagram 2: Detailed BeSLab Component Layout (Lite Mode Host)** + +Code snippet + +@startuml 
+\!theme plain +skinparam node { + borderColor Black + borderThickness 1 +} +skinparam storage { + borderColor Black + borderThickness 1 +} +skinparam interface { + borderColor Black + borderThickness 1 +} + +node "BeSLab Host (VM/Server)" as Host { + interface "Network Interface (IP/DNS)" as HostNIC + + node "Container Runtime (Docker)" as Docker { + node "GitLab CE Container" as GitLab { + folder "Git Repositories" as GitRepos \<\\> + interface "Web UI/API (80/443)" as GitLabNIC + interface "SSH (22)" as GitLabSSH + } + node "BeSLighthouse Container" as Lighthouse { + interface "Web UI (3000/80)" as LighthouseNIC + } + node "BeSEnvironment Containers (Transient)" as EnvContainers { + label "Runs BeSPlugins (Tools)" + } + } + + folder "BLIman / BeSman CLI Tools" as CLITools + folder "Configuration Files (genesis.yaml)" as ConfigFiles \<\\> + folder "Persistent Volumes" as Volumes \<\\> { + storage "GitLab Data Volume" as GitLabVol + storage "BeSLighthouse Config Volume" as LighthouseVol + storage "Other Data/Logs" as OtherVol + } + + HostNIC \-- GitLabNIC + HostNIC \-- LighthouseNIC + HostNIC \-- GitLabSSH + + Lighthouse..\> GitLab : Reads Repo Data (Git/API) + CLITools \--\> Docker : Manage Containers + CLITools \--\> ConfigFiles : Read Config + GitLab..\> GitLabVol : Store Data + Lighthouse..\> LighthouseVol : Store Config + Docker..\> EnvContainers : Start/Stop Assessment Envs + EnvContainers..\> GitLab : Clone Code/Assets +} + +@enduml + +### **10.3 Diagram 3: Project/Model Onboarding Flow (Git-based)** + +Code snippet + +@startuml +\!theme plain +actor "User (Dev/Analyst)" as User +participant "Local Workstation" as Local +participant "GitLab Server\\n(Asset Repo)" as GitLabRepo +participant "BeSLab System\\n(Monitor/Hook)" as BeSLabSys +participant "BeSLighthouse" as Lighthouse + +User \-\> Local : Clone Asset Repo +User \-\> Local : Edit Asset List (Add OSSPoI/OSSMoI) +User \-\> Local : Git Commit +User \-\> Local : Git Push +Local \-\> GitLabRepo : Push 
Changes +activate GitLabRepo + +GitLabRepo \-\> BeSLabSys : Notify (Webhook/Poll) +activate BeSLabSys +BeSLabSys \-\> GitLabRepo : Fetch Updated List +BeSLabSys \-\> BeSLabSys : Validate New Asset Info +alt Validation OK + BeSLabSys \-\> BeSLabSys : Mark Asset as 'Onboarded' / 'Pending Scan' + BeSLabSys \-\> Lighthouse : Update Asset List Cache/Display +else Validation Failed + BeSLabSys \-\> User : Notify Failure (e.g., email, comment) +end +deactivate BeSLabSys +deactivate GitLabRepo + +@enduml + +### **10.4 Diagram 4: Assessment Execution Flow** + +Code snippet + +@startuml +\!theme plain +participant "Trigger\\n(Schedule/Hook/Manual)" as Trigger +participant "BeSLab Orchestrator\\n(e.g., CI Pipeline/Script)" as Orchestrator +participant "BeSPlaybook" as Playbook +participant "BeSman" as Besman +participant "BeSEnvironment\\n(Container)" as Env +participant "BeSPlugin(s)" as Plugins +participant "GitLab Server\\n(Asset/Assessment Repos)" as GitLabRepo +participant "BeSLighthouse" as Lighthouse + +Trigger \-\> Orchestrator : Initiate Assessment (Asset X, Playbook Y) +activate Orchestrator +Orchestrator \-\> Playbook : Execute Playbook Y for Asset X +activate Playbook +Playbook \-\> Besman : Request Environment Z +activate Besman +Besman \-\> Env : Create/Start Environment Z +activate Env +Besman \--\> Playbook : Environment Ready +deactivate Besman +Playbook \-\> GitLabRepo : Clone/Fetch Asset X Code/Model +Playbook \-\> Env : Execute Plugin A +activate Plugins +Env \-\> Plugins : Run Tool A +Plugins \--\> Env : Results A +deactivate Plugins +Playbook \-\> Env : Execute Plugin B +activate Plugins +Env \-\> Plugins : Run Tool B +Plugins \--\> Env : Results B +deactivate Plugins +Env \--\> Playbook : All Plugin Results +deactivate Env +Playbook \-\> Playbook : Aggregate Results & Generate OSAR +Playbook \-\> GitLabRepo : Commit OSAR to BeSAssessment Repo +activate GitLabRepo +GitLabRepo \--\> Playbook : Commit Successful +deactivate GitLabRepo +Playbook \--\> 
Orchestrator : Assessment Complete +deactivate Playbook +Orchestrator \-\> Lighthouse : Notify/Update Assessment Status +deactivate Orchestrator + +@enduml + +### **10.5 Diagram 5: Vulnerability Tracking Flow (OSSVoI)** + +Code snippet + +@startuml +\!theme plain +start +:Assessment Runs (SAST/SCA/DAST Plugin); +:Plugin Detects Vulnerability; +:OSAR Generated with Finding Details (incl. CVE if available); +:Store OSAR in BeSAssessment Repo; +:Extract Structured Vulnerability Data (OSSVoI)\\n(CVE, Severity, Component, etc.); +if (OSSVoI Data Stored Separately?) then (yes) + :Store OSSVoI in Vulnerability Datastore\\n(Linked to Asset & OSAR); +else (no) + :OSSVoI Data Resides within OSAR; +endif +:BeSLighthouse Reads OSSVoI Data\\n(from Datastore or OSARs); +:Display Vulnerability in Dashboard\\n(Aggregated Views, Lists); +:Security Analyst Reviews New OSSVoI; +:Triage Vulnerability\\n(Validate, Prioritize, Assign Owner); +:Track Remediation Status\\n(e.g., Open, In Progress, Fixed, False Positive); +:Update Status in Datastore/OSAR Metadata; +:BeSLighthouse Reflects Updated Status; +stop +@enduml + +## **11\. Conclusion** + +### **11.1 Benefits Recap** + +Implementing an AI Security Lab using the Be-Secure BeSLab blueprint provides the CISO's organization with a powerful, centralized capability to manage the growing security risks associated with open source software and artificial intelligence models. Key benefits include: + +* **Standardized and Proactive Assurance:** Moving from ad-hoc reviews to consistent, automated assessments.1 +* **Enhanced Visibility and Control:** Centralized tracking of critical assets (OSSPoI, OSSMoI) and their associated vulnerabilities (OSSVoI) via BeSLighthouse.1 +* **Reduced Risk Posture:** Early identification and facilitated remediation of vulnerabilities in the software supply chain and AI models. 
+* **Internal Trust Validation:** The ability to generate internal TAVOSS designations for assessed components, building confidence in their use.1 +* **Extensibility and Adaptability:** A modular architecture based on Playbooks, Environments, and Plugins allows the lab to evolve and integrate new tools and assessment techniques over time. + +### **11.2 Next Steps** + +Following the successful installation and initial configuration outlined in this guide, prioritize these immediate actions: + +1. **Onboard Initial Assets:** Identify and onboard a pilot set of high-priority OSSPoI and OSSMoI based on organizational risk assessment. +2. **Configure & Test Default Workflows:** Ensure the default BeSPlugins, BeSEnvironments, and BeSPlaybooks (Tables 4, 5, 6\) are correctly configured and execute successfully against test assets. +3. **User Training:** Train Security Analysts on operating the lab (triggering scans, reviewing OSARs, using BeSLighthouse) and Developers on submitting assets and interpreting results. +4. **Establish Governance:** Formalize the processes outlined in Section 9.3 (triage, SLAs, reporting) and communicate the RACI matrix (Table 8). +5. **Secure the Lab:** Implement robust security hardening for the BeSLab host, GitLab instance, and associated accounts. Regularly apply security patches. + +### **11.3 Continuous Improvement** + +The AI Security Lab is not a static entity. Its value lies in its continuous operation and evolution: + +* **Expand Plugin Coverage:** Regularly evaluate and integrate new BeSPlugins for emerging tools and assessment types (e.g., advanced AI safety checks, infrastructure-as-code scanning, license compliance). +* **Refine Playbooks:** Optimize existing playbooks and create new ones tailored to specific application stacks, risk profiles, or compliance requirements. +* **Update Environments:** Keep the underlying tools and dependencies within BeSEnvironments up-to-date. 
+* **Integrate with DevSecOps:** Explore deeper integration with existing CI/CD pipelines to automate security feedback loops for developers. +* **Monitor Effectiveness:** Regularly review the lab's performance, the types of vulnerabilities being found, and the speed of remediation to identify areas for improvement in tooling or processes. + +By following this guide and embracing a culture of continuous improvement, the CISO's organization can leverage the BeSLab blueprint to build a robust, effective, and adaptable AI Security Lab, significantly strengthening its posture against modern cyber threats. + +#### **Works cited** + +1. Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLab](https://github.com/Be-Secure/BeSLab) +2. Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLighthouse](https://github.com/Be-Secure/BeSLighthouse) +3. Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, [https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/](https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/) +4. Be-Secure/bes-schema: This repository defines the data ... \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/bes-schema](https://github.com/Be-Secure/bes-schema) From 5869740fce08f43c4ef1274cb89d19a0759ccb26 Mon Sep 17 00:00:00 2001 
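Review bot: the five PlantUML snippets in section 10 (10.1 to 10.5) are not usable as committed, because the converter backslash-escaped the diagram syntax (`\!theme plain`, `User \-\> Local : Clone Asset Repo`, `rectangle "Enterprise Network" \<\\> {`) and each is introduced by a bare "Code snippet" line instead of a fenced block, so a reader can neither render them nor copy them; wrap each one in a ```plantuml fence with the escaping removed, or replace the inline copies with links to the `.puml` sources added under `docs/pumls/` later in this series, and in either case restore the stereotype names that `\<\\>` has lost (PlantUML expects `<<name>>`). Two smaller cleanups in the same hunk: the superscript citation markers have collapsed into bare trailing digits ("orchestrates the assessment 1:", "BeS Schema structure 4"), which read as typos and should become footnotes such as `[^1]` tied to the "Works cited" list, and section 6.4 step 2 still carries a drafting artifact, "(as mentioned in the query)", that must be dropped before this ships as a user guide. On the permission mapping in 6.1, granting Security Analysts the Maintainer role on the top-level `besecure-lab` group is inherited by every project beneath it, including the BeSPlaybook and plugin repositories that define what the assessment pipelines execute; consider scoping Maintainer to the asset and BeSAssessment repositories and keeping the playbook/plugin repositories behind protected branches with Lab Administrator approval, which matches the least-privilege intent the role table otherwise describes.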
From: Vinod Panicker Date: Thu, 1 May 2025 10:56:19 +0530 Subject: [PATCH 03/30] Create placeholder add a folder for puml files --- docs/pumls/placeholder | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/pumls/placeholder diff --git a/docs/pumls/placeholder b/docs/pumls/placeholder new file mode 100644 index 0000000..caf02f0 --- /dev/null +++ b/docs/pumls/placeholder @@ -0,0 +1 @@ +Blank From 61867b50e574a7a38993ac5d25a956de167762f1 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 10:57:31 +0530 Subject: [PATCH 04/30] Add files via upload Added .puml files for the AI Security Lab User Guide --- .../BeSLabAssessmentExecutionWorkflow.puml | 45 ++++++++++++++++ docs/pumls/BeSLabComponentsLayout.puml | 54 +++++++++++++++++++ .../BeSLabProjectModelOnboardingWorkflow.puml | 29 ++++++++++ .../BeSLabVulnerabilityTrackingWorkflow.puml | 22 ++++++++ docs/pumls/HighLevelEnterpriseDeployment.puml | 51 ++++++++++++++++++ 5 files changed, 201 insertions(+) create mode 100644 docs/pumls/BeSLabAssessmentExecutionWorkflow.puml create mode 100644 docs/pumls/BeSLabComponentsLayout.puml create mode 100644 docs/pumls/BeSLabProjectModelOnboardingWorkflow.puml create mode 100644 docs/pumls/BeSLabVulnerabilityTrackingWorkflow.puml create mode 100644 docs/pumls/HighLevelEnterpriseDeployment.puml diff --git a/docs/pumls/BeSLabAssessmentExecutionWorkflow.puml b/docs/pumls/BeSLabAssessmentExecutionWorkflow.puml new file mode 100644 index 0000000..da84b0c --- /dev/null +++ b/docs/pumls/BeSLabAssessmentExecutionWorkflow.puml 
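Review bot: `docs/pumls/placeholder` with the single line `Blank` exists only to create the directory, and the very next patch in this series populates `docs/pumls/` with real `.puml` files, so the placeholder becomes dead content that will sit beside the diagrams; drop this commit (or squash it into the following one), and if an empty-directory marker is ever genuinely needed use a `.gitkeep` rather than a file whose name suggests documentation content.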
@@ -0,0 +1,45 @@ +@startuml +!theme plain +participant "Trigger\n(Schedule/Hook/Manual)" as Trigger +participant "BeSLab Orchestrator\n(e.g., CI Pipeline/Script)" as Orchestrator +participant "BeSPlaybook" as Playbook +participant "BeSman" as Besman +participant "BeSEnvironment\n(Container)" as Env +participant "BeSPlugin(s)" as Plugins +participant "GitLab Server\n(Asset/Assessment Repos)" as GitLabRepo +participant "BeSLighthouse" as Lighthouse + +Trigger -> Orchestrator : Initiate Assessment (Asset X, Playbook Y) +activate Orchestrator +Orchestrator -> Playbook : Execute Playbook Y for Asset X +activate Playbook +Playbook -> Besman : Request Environment Z +activate Besman +Besman -> Env : Create/Start Environment Z +activate Env +Besman --> Playbook : Environment Ready +deactivate Besman +Playbook -> GitLabRepo : Clone/Fetch Asset X Code/Model +Playbook -> Env : Execute Plugin A +activate Plugins +Env -> Plugins : Run Tool A +Plugins --> Env : Results A +deactivate Plugins +Playbook -> Env : Execute Plugin B +activate Plugins +Env -> Plugins : Run Tool B +Plugins --> Env : Results B +deactivate Plugins +Env --> Playbook : All Plugin Results +deactivate Env +Playbook -> Playbook : Aggregate Results & Generate OSAR +Playbook -> GitLabRepo : Commit OSAR to BeSAssessment Repo +activate GitLabRepo +GitLabRepo --> Playbook : Commit Successful +deactivate GitLabRepo +Playbook --> Orchestrator : Assessment Complete +deactivate Playbook +Orchestrator -> Lighthouse : Notify/Update Assessment Status +deactivate Orchestrator + +@enduml diff --git a/docs/pumls/BeSLabComponentsLayout.puml b/docs/pumls/BeSLabComponentsLayout.puml new file mode 100644 index 0000000..43778d6 --- /dev/null +++ b/docs/pumls/BeSLabComponentsLayout.puml 
@@ -0,0 +1,54 @@ +@startuml +!theme plain +skinparam node { +borderColor Black +borderThickness 1 +} +skinparam storage { +borderColor Black +borderThickness 1 +} +skinparam interface { +borderColor Black +borderThickness 1 +} + +node "BeSLab Host (VM/Server)" as Host { +interface "Network Interface (IP/DNS)" as HostNIC + +node "Container Runtime (Docker)" as Docker { +node "GitLab CE Container" as GitLab { +folder "Git Repositories" as GitRepos <> +interface "Web UI/API (80/443)" as GitLabNIC +interface "SSH (22)" as GitLabSSH +} +node "BeSLighthouse Container" as Lighthouse { +interface "Web UI (3000/80)" as LighthouseNIC +} +node "BeSEnvironment Containers (Transient)" as EnvContainers { +label "Runs BeSPlugins (Tools)" +} +} + +folder "BLIman / BeSman CLI Tools" as CLITools +folder "Configuration Files (genesis.yaml)" as ConfigFiles <> +folder "Persistent Volumes" as Volumes <> { +storage "GitLab Data Volume" as GitLabVol +storage "BeSLighthouse Config Volume" as LighthouseVol +storage "Other Data/Logs" as OtherVol +} + +HostNIC -- GitLabNIC +HostNIC -- LighthouseNIC +HostNIC -- GitLabSSH + +Lighthouse..> GitLab : Reads Repo Data (Git/API) +CLITools --> Docker : Manage Containers +CLITools --> ConfigFiles : Read Config +GitLab..> GitLabVol : Store Data +Lighthouse..> LighthouseVol : Store Config +Docker..> EnvContainers : Start/Stop Assessment Envs +EnvContainers..> GitLab : Clone Code/Assets +} + +@enduml diff --git a/docs/pumls/BeSLabProjectModelOnboardingWorkflow.puml b/docs/pumls/BeSLabProjectModelOnboardingWorkflow.puml new file mode 100644 index 0000000..ed9ec37 --- /dev/null +++ b/docs/pumls/BeSLabProjectModelOnboardingWorkflow.puml 
@@ -0,0 +1,29 @@ +@startuml +!theme plain +actor "User (Dev/Analyst)" as User +participant "Local Workstation" as Local +participant "GitLab Server\n(Asset Repo)" as GitLabRepo +participant "BeSLab System\n(Monitor/Hook)" as BeSLabSys +participant "BeSLighthouse" as Lighthouse + +User -> Local : Clone Asset Repo +User -> Local : Edit Asset List (Add OSSPoI/OSSMoI) +User -> Local : Git Commit +User -> Local : Git Push +Local -> GitLabRepo : Push Changes +activate GitLabRepo + +GitLabRepo -> BeSLabSys : Notify (Webhook/Poll) +activate BeSLabSys +BeSLabSys -> GitLabRepo : Fetch Updated List +BeSLabSys -> BeSLabSys : Validate New Asset Info +alt Validation OK +BeSLabSys -> BeSLabSys : Mark Asset as 'Onboarded' / 'Pending Scan' +BeSLabSys -> Lighthouse : Update Asset List Cache/Display +else Validation Failed +BeSLabSys -> User : Notify Failure (e.g., email, comment) +end +deactivate BeSLabSys +deactivate GitLabRepo + +@enduml diff --git a/docs/pumls/BeSLabVulnerabilityTrackingWorkflow.puml b/docs/pumls/BeSLabVulnerabilityTrackingWorkflow.puml new file mode 100644 index 0000000..f6c1ec8 --- /dev/null +++ b/docs/pumls/BeSLabVulnerabilityTrackingWorkflow.puml 
@@ -0,0 +1,22 @@ +@startuml +!theme plain +start +:Assessment Runs (SAST/SCA/DAST Plugin); +:Plugin Detects Vulnerability; +:OSAR Generated with Finding Details (incl. CVE if available); +:Store OSAR in BeSAssessment Repo; +:Extract Structured Vulnerability Data (OSSVoI)\n(CVE, Severity, Component, etc.); +if (OSSVoI Data Stored Separately?) then (yes) +:Store OSSVoI in Vulnerability Datastore\n(Linked to Asset & OSAR); +else (no) +:OSSVoI Data Resides within OSAR; +endif +:BeSLighthouse Reads OSSVoI Data\n(from Datastore or OSARs); +:Display Vulnerability in Dashboard\n(Aggregated Views, Lists); +:Security Analyst Reviews New OSSVoI; +:Triage Vulnerability\n(Validate, Prioritize, Assign Owner); +:Track Remediation Status\n(e.g., Open, In Progress, Fixed, False Positive); +:Update Status in Datastore/OSAR Metadata; +:BeSLighthouse Reflects Updated Status; +stop +@enduml diff --git a/docs/pumls/HighLevelEnterpriseDeployment.puml b/docs/pumls/HighLevelEnterpriseDeployment.puml new file mode 100644 index 0000000..341ebb5 --- /dev/null +++ b/docs/pumls/HighLevelEnterpriseDeployment.puml 
@@ -0,0 +1,51 @@ +@startuml +!theme plain +skinparam rectangle<> { +borderColor Black +borderThickness 1 +} +skinparam node { +borderColor Black +borderThickness 1 +} +skinparam actor { +borderColor Black +borderThickness 1 +} + +rectangle "Enterprise Network" <> { +actor "Security Analyst" as Analyst +actor "Developer" as Dev +actor "CISO / Mgmt" as CISO + +node "BeSLab Host (VM/Server)" as BeSLabHost { +cloud "Core BeSLab Services" as CoreServices +database "GitLab CE Data" as GitLabData +database "Config/Logs" as ConfigData +} + +node "Internal Code Repositories" as InternalRepos +node "Internal AI Model Stores" as InternalModels +node "User Workstations" as Workstations + +Analyst -- BeSLabHost : Access UI/CLI +Dev -- BeSLabHost : Access UI/Submit Assets +CISO -- BeSLabHost : Access Dashboard (BeSLighthouse) +Workstations --> Analyst +Workstations --> Dev +Workstations --> CISO + +BeSLabHost -- InternalRepos : Clone/Assess Code +BeSLabHost -- InternalModels : Access/Assess Models +} + +cloud "Internet / External Sources" as Internet { +node "OSS Repositories (GitHub, etc.)" as OSSRepos +node "AI Model Hubs (Hugging Face, etc.)" as ModelHubs +node "Vulnerability Feeds (NVD, etc.)" as VulnFeeds +node "Plugin/Tool Updates" as Updates +} + +BeSLabHost -- Internet : Fetch OSS Code, Models, Updates, Feeds + +@enduml From b6153a3d876cc11eb163db2f809df0ce1aaad088 Mon Sep 17 00:00:00 2001 
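Review bot: in `BeSLabAssessmentExecutionWorkflow.puml` the playbook clones the asset (`Playbook -> GitLabRepo : Clone/Fetch Asset X Code/Model`) and runs the plugins, but no step records which revision or model checksum was actually assessed. Add a step that pins the asset revision before `Execute Plugin A` and carries it into `Aggregate Results & Generate OSAR`, so the OSAR is reproducible and a later run can tell whether a finding is new or the same artifact re-scanned. Minor: the clone step has no `activate GitLabRepo`/`deactivate GitLabRepo` pair while the OSAR commit step does; make the two consistent.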
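Review bot: in `BeSLabComponentsLayout.puml` several elements end in a bare `<>` (`folder "Git Repositories" as GitRepos <>`, `ConfigFiles <>`, `Volumes <>`); PlantUML stereotypes are written `<<name>>`, so these look like a stereotype lost in export and are not valid as written. Either restore the intended stereotype or drop the token. Separately, the diagram wires GitLab's `SSH (22)` straight onto `HostNIC`, which collides with the host's own sshd unless GitLab SSH is published on another port; label the port actually published.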
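Review bot: in `BeSLabProjectModelOnboardingWorkflow.puml` the `else Validation Failed` branch only notifies the user; the invalid entry has already been pushed to the asset repo and nothing reverts or flags it, so the list stays in a bad state until someone acts. Add a step in that branch (revert the commit, or mark the entry as rejected so BeSLighthouse does not pick it up), or move validation in front of the push by having the change arrive as a merge request that the hook validates before merge.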
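Review bot: in `BeSLabVulnerabilityTrackingWorkflow.puml` findings are keyed on a CVE only `if available`, yet most SAST findings have no CVE; without a stable per-finding identifier the `Triage Vulnerability` and `Track Remediation Status` steps cannot match a finding to the same one from the previous run, so every assessment re-surfaces triaged items (including those marked `False Positive`) as new. Add an "Assign stable finding ID" step (for example a hash of rule, component and location) before `Store OSAR in BeSAssessment Repo`. In the `no` branch, note that updating status means rewriting committed OSARs, which argues for the separate datastore.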
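Review bot: in `HighLevelEnterpriseDeployment.puml`, `skinparam rectangle<> {` and `rectangle "Enterprise Network" <> {` carry an empty `<>` where a `<<stereotype>>` name belongs; as written the skinparam block targets nothing. Restore the stereotype in both places or remove it. Design-wise, `BeSLabHost -- Internet : Fetch OSS Code, Models, Updates, Feeds` draws a direct host-to-Internet edge for the same host that stores GitLab data and reaches `InternalRepos` and `InternalModels`; show the egress going through a proxy or allowlisted fetcher so the diagram is not read as unrestricted outbound access.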
From: Vinod Panicker Date: Thu, 1 May 2025 10:58:50 +0530 Subject: [PATCH 05/30] Add files via upload Add Images for AI Security Solution and User guide --- .../Diagram1HighlevelEnterpriseDeployment.png | Bin 0 -> 91788 bytes docs/images/Diagram2BeSLabComponentsLayout.png | Bin 0 -> 92473 bytes ...ram3BeSLabProjectModelOnboardingWorkflow.png | Bin 0 -> 54615 bytes .../Diagram4AssessmentExecutionWorkflow.png | Bin 0 -> 81034 bytes ...gram5BeSLabVulnerabilityTrackingWorkflow.png | Bin 0 -> 58150 bytes 5 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 docs/images/Diagram1HighlevelEnterpriseDeployment.png create mode 100644 docs/images/Diagram2BeSLabComponentsLayout.png create mode 100644 docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png create mode 100644 docs/images/Diagram4AssessmentExecutionWorkflow.png create mode 100644 docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png 
diff --git a/docs/images/Diagram1HighlevelEnterpriseDeployment.png b/docs/images/Diagram1HighlevelEnterpriseDeployment.png new file mode 100644 index 0000000000000000000000000000000000000000..c81205427a9f273f01e0ab15a791f1c5bf386b3c GIT binary patch literal 91788
z*QGBsbLUNq3=F(IJ$2cobKf;c=qqd^IYuK-Xw?-Ui55KS;@uWNO72q7zehs095aM$W!@6IS%Vff{o2hmtp9VC-mmE8PTz zgffoD#sNK*FF$yY1gih!rN^3B2(?5ai}r2iT<*7CUl4VV*d)f2gE?*Z$|sdl@1rQe zFyz(a{uh9-Q_A+!Cyyn?!NbCH$Sp>t-8rBm z#okv{l}60&X`TjCt}#BZznH<~&9AhRWp;cE_fOOwG5!3~?QuH|XWFIYSShZvOEr5a zvhJ9+*JP$mxYWYQv1!%k>k6F}G#+a%neljLU9L*h-p&;kEi8Pi_{v^GHqEq-nz8#D zZ}*mB^tBKlA46;pITjY=Xt{WuD6nGwZA>f})LDX6m%8s`>6l?Q-K@P*O^s{308Zv% zFvu~+act=f1lrV9*O7cadG_xtl*&dQ=+a{`hhPu$(Ue?!S8fPJ>_>?p2OKKe-~H8` z92^~|m}@UwxUfe88F(0&wXG$$Tn?y$?1Sx@we-OKS#m-1c5@-~F_y$J1r9)OIh$b} z!{o&c%5{;SrKQCwI*%PMUv`f(R~ZqgK!_WuR0VOO!lCcUH~mstt7?r?Qew(h4fQ=5 z43puO5ExECo!8NL5FKVePj7v;Y3`7pKQA{usg(R^AThoBUw^gg+}ggn-;NvZmsa+= zuvO*$)8wxnTk8|I)qf~?FiORsy6w!%nxnJ6?rsX$u>Ppnaf@C(woUz6)BVk*fS|JK zOeLlD_Sb}-H^>DfBEp$|`FhX59!_&?$LF7`g(pC`Nc9`>m4Gq31$=FJJ8Ddp%31OV z#qRF3T=U>)u4~+eP#JGZ^j8(um|oSfdSBS??=3H|9~cnR_sOXnhkK~LVQCZAs@&3{ za7Ckz?#(%jtCq`3vnp^;xySbxzZTifFdwQp?n#E-2q$TAbc_#;YV4AdmKNFbSmscH z0)glyA^ihdFiB0&In&EJJ<>HXe{KuC$e~-&HLnYU2W@RKzRX3T386cKf!SZKtks3% z^BMAlNIhgepEGtk=rRx#5U)|PR4ghW_{OUPv*e6lTZ4^-dGd(Z68kycto+Hyu9qb~ zosm)x4767hVtkC_iSr+;UlIn>Z%xX133?I4#9Z`J`EOfJ8ng*Ho1D73Y(0TCeiqUz zAa*Q@=%Jc!nwf-S`$)nU z3|;%b{$fhPnCdKb^R}W-4aS}WBpJLdj0FT-6}Q+x^vHJ!np<#)QH#vPC8Lk;`ctBx z=o-Db1zXDrFqpSMnd2@y%|8|2yQfGU7EvrZr>NIZ^vne{fLAF9HWp+Yk+TquwGw1Q zG>pO=dT-u33#aRjwi?yh&CL17DBSqOkg5E#U=L0HQ7%R zO@itn;J73SBuBmRhGMA|id9*>;w*z&dA<{NaK{^8KRCv|N^+MdB_ z4GXeaSlaVY@p#Zq!;@+_+nxb}M3WBrBE?qVnx90S7y4>g?(_7-AwGqgafvb$=`?cCb7EBd8KY7q*y6pxkIzKGeDk{rz zc~)AgI&q@ExQ3wGq{Igi8oa%IESgWCMPibD^~H|3FEid1H1Lbexk%H4o^G zoFkvTML0(Qz6jo_@I*dhKZy%&P(FpdTXJ@qd+ucLaFJ-^zCYeFNAO>Sp-Ux(od@m1 zD{#pTz`$5rD#0d5myvv773XL{PUalbI-|tVW(5}kg+F;hbo_&ZT}_iD(Ij-QPc9bWX^@Kd((C%{ze?F6;mc=p))cW9CeNj|5f-M26TF{kET&KW>chg}Df;-v@c( zaN&zotPA&b`3y^n@p;j9co$zmLCC_NK6tPJ5)YwTwq0h%xG62$7Sr<|uL7aAe6^ypK?DFYb2Du} zJdw^?ac3JxF_@Mz&_Se!siYO)9RN@~Ogjwhj4&q^?jN*LP_x(L+NgfEv9XbF%l2Ah zBQX)Ho{4@Ao!w$`mi>7^6wIh^^SRVvN<`hog}`AVW^ibUKAqJ6*oGmb|(2KnP9PDVPwliH~iC_R}C3A4*Rr{+-IF= 
z+#-$}VHE8$mF4C9Cbuh?veirX-Cj;;whJRV;Q|N;vbOdIT`Tg+brpFlVK(A*vn5XM z`DMjs|7k!?p;%F(5I+9rp?4-YPBo(&0bG>KcJOyN&3_{dNQO;q`JaV@VS@U#RKipr6xU&GFW# zzr4gd=x>912Da(PeZU%lxmJJtn1w-G_gT;6c7Y(krJ?Yqnnr=k4@`cNiwcIEu#&U1pBZ z`sH5!JX9OTKcPZFwW(7d(MlmxCb$MZeu6{e{DTG2X0f_g>s#|Ux@jwKcA<}&%FB<> zcShHKgd7|DitVTl8>So8a{Eh8{CWG`LG060QZihA(!%_*r;H3@Lw6|vyt(6-#C@h{ zay!nbcdLE9diLahNUJJyQHcytusKb29DQPe&cheX%>4BQ0e^l$I}`Xi^u*&Oi$%TT zDc>T;%VfIJtFOv%!eh6$A9#*27Nl4JG%Er7XbX-~Z6<$)ZC5P~>`t zq?NK^lTug#mZSb-Tb_JpRr-P1Ev>9&|GD@+v`-Eg5X|aHe@PoY@aUNBM&KSiEv)fY zymysw3i!Xgw_r`7%K&y$(rI-;Z`f`BUpw?42hhXA(=(ow8kbls@;?PKOB$sx{3CO2 z_w%H)936iUkjm9bj#^q=QnDRK&V9D*m9tpdx1}+AN%ubwtqEpUVM%&5MQ=WFV$to% z1hv$!={`>G+{$7H-X-#{3iuw+pO0anG}kOy*J9s+7H{F@^q;pr54~9?X%rkMaSh)Z zf>dl7h47nq@17#)#wE?u(OJPAsOLIPqAQIi339MG{$pNHN~!L#Ip_JWH{bK;+1$LX zu{Jg+sEqWiSY#o~g+do}Id+KVL=r`=+fe(CBJH_|)t7Rah&)I(QaD#ohV45_TeO6P zuGJcUTC@Os;?10#DoAAOL@6f#3EKYk7hI`{lP4E=QmVG^=(=t+s5%iD&Q@7T>0R;Z zmxQ+^Lx=dtw^+%PDSyU#ueZFo+SW~T6N;uPBI82rJQJdLPQ;|nAt}whO3@Wr>;S?b zV4&Za$%MTx?ep+h;pe4k*<#*rmHy{k7EvwdGiac=({A89oTVxmJNES6-Me_AR16;v zZ7=J(4r0_6PN;2Q!?$m4d-mXyEmjBy%XQ?OKVSa5O>y#-r%#)?7VDm8!4cgGC`&}m zWha37MxLd)9Ul*?=JT^vk%GoHJJ>0S$aVGz@y?yUKj;xK<8flQ!Ekx&>v8ZUgw6Z+ zm%t3bdlDq)@~XVz8Qoi#wbgW9PRXFcHbYTh2Bi!cHEKQXfoRgeSfSsb!(+eQe=_n7 z7O*ySv9U1#b_Idjy2X8895W14pJeru`~cY7QnzUQy5f!8^>wj<%vRR@i}2omd(5?YQkNch<59=X9~#x!uU418exS05DAvGdFIFw#J6>F+m&sZI!63e zMcSC97}s)aaPfrR)fgPqaqj@*xv4W+(~ozfcmK!M*g2O=Bv-(wa#vgb+Fp7;R}wnC zKuZUn#Be)(DsOvXkL`gM;p0og;|Z%stYql@OtGNoX`q>4_-laz?ms!Dpr+Bq`+U91e%ETBVA#ik^xAlOLZFmImxIxcTxh1&T0ii#MA?`Md3$WWr= z4z6Bfu>*fg0cgmOA#$Cey?(8GXCyNfnX*O#?VQhrsn4viiFKeacYRu8#fdrtYZ{3N zV1>N|TerG=%-=sIqnPNNNtBy7szpUsBMZ|9)wvbv8f>zk8RvVim+vI3J=VH#@2FB4 zUwLx#VgwLiN5VF0CZd9*RNcejk-cRrS`Ny5(C!>qu{JZ&D2U01G~a7X)ck9_u&GVxRSXulgeOzue%8L%+O->4mB7GYeV~iiiD} zIKIE4%-KPPe!lSo5?k9SuO0CyU9o%#?P?C)l#{)8{E+|OLB5t-aVUFAl~V<{!jGD3 zU9rZia@xkd48Wq}D)O}HlR8Qg4CAv$PVAmpTMaZj|77Mdv4B(#n9}^0w=t%|Ox;ku z7`5vHghG(f-K^j@0Wf^9^>lt-RdcQ&AJ)v};pB~%rk9_*Bp 
znh4aq9rD}N)}^JhDwZKltPOXe(iE`XbKgGgBHPq8Pdb?{NpwCJWgQ!!pSWp>tqoEQ z71IhYFZ}Q+`d^eHPwbetcOgL*7L00CjIW@>XA;x5W{mesX$OJUC@4yLQ$;(A@S3LK zc(u@{=Qk#hQBPiDF|*&+PTRL{M~2^Q@yTq{@h87E*2U`?66+6ezEIZNuF>t;8!=Eh z6FCX6reoQbS3eI?RW(@>nl2eT`jpwAi+bhN!WJ#j*&RSPVRTel1leNFa{qL9r}%MS z2>&e!<;RzYO%vRV_|H|xvJW4vpH6&E_!)4*{!@qdw^16fag+J#pWSud%H?t02bjh_ zi;@)rVWv7XZh_=Mc!8w4RFrJQ)a*SJV=+^D>($LsL-%h{4;#Vr= z*XNDNvM<~=D#H49e9qR$sHwvPABJ75nJbSIx;l2g)}yZKKXS>~1g(K1AsJ%Bhj@*V z-h60b7pwVF^ZIx{+mvx~{nVIvVc|A$ceV-AJFezzibGIdZZqzY3MSubVcDyFK zDlg1tgssi_#usr3mNu_T(`P>N#cTGTAwKeTf0vwp5tVz|&<$}=%bIsL(YR5lY11`U z@6hT!cP4nNKM3u<@3ZN6HDl^Bdi|xPXA3k8M|wFgg}lhA+dx5j_>U(CI_WaEc;x(* zS4sJifIVc!koMi#Dp%LaT+a0pik~^Rd)c^^E{e!ZcIdeK%!pK*W~^m}+vi@>0Zeaw zvgsX_uslcg;7#l%ko5{n%ZEgfn8oNHTNfD(u^I51BJCP=SYIY~%MZGh*8jd0YlZ|5 zpWk0qn}HV23~GBleoyL6|BY`vtRy#HM2MTZGxe$k!7}&aV`pqihO))KYcvZt;@Gd(`FM^@laA_KDL*i`4-Y^KWLa|L>jH za%)Pn_rD-h;1y=du9+CxH!m`(%)#Ac8)=VEWb@(8Q>ITp$Kop7fjUxY3ap^h^zl-@ z+h+p0s@E=G%eL12)NPP{Lu};Tt9t{IaS8@&$|sEP-&ssdLX#M0J+yuddB1-Bu!nI8 zUT6OCF>dMiqCca$U})S7>HhVY0|jGVO7!a|$SlbW%3tiAeK6;p+Kl}A1^Lc;Wp=IE z#b1jbn%BSO8dS^#HKaiRLWM>fyI)KH`R?4ahF*!#i{&IdP&8a~{C;9m{mSW$2U4BJ z-#rnOy+zhg*UZpVq_+$M)VML|}S-qBXlYj?}EnjuyXL#QS9eVBN zBm2!-qoYiB=QkCFzZ?g_x`|C8>zxEtsJNxYNS??&Pz#$p~>Q5&o*=K&! 
z@?{EN!zJq5Y#D4nPj>ZTs~^w(HCL)-RJj~?pNNK#A#F7?91?H|^}Y3j_G`aR?{s|| z^22zjC8=vdKXva^S2S$e=7_w8JVAt@PHmIS12+S_NtS2C!eJjDB?VjGX7TWLv74@z z-M;<*5%wPNT=sqY_*aS&DJ>%*Tgjdk(y(P$l)Xo!jAUgr$(B{f){v1xR4Sp!%*rT~ zy%RG2$65Dvb=}wf`~QBg*YkSa&vW1R<2t|R`T4xZ@ji~@t@QnifG*=9EzU!=n$>Kh zRpmD1=h9QJ%bWy=sc=DSKEvsjoJn+q%)b6{B_(hpfJ!}l;E-k0vd$X^ue!PZV$?a; zY=!k!yI1cbvVrZrlLk^&2KYbzlepirP0wln-8@^TCy^b)%)xcMi+`~Q7SKZmA7X?K zJ*A;>$-{UJLXT*js7X~c1Vr_>RzU!}6Y!2QJVi4Kb1jg8fM>DqzaQP@g1hd~i`aYr z{{4V=x@Z|=5e7VNOc+jK5C@_6GQyLn4qDJl8t&k8@}(x{Rg~-S@76MsIlBKzrTN| z(?EWHZtf;$F0T*ED1*vp?iLneq`T+s6NAkS8TK|dSqb@OH@5{FB-_1frft#T7duxi zcIHM!G*)$!Na6oef8`T?ALZp=kTJ>=MIVBmv)sM1tZ+z%akaQj!(n&hyF+4Y0VbwR z@|C`WHFJdu&}q8r$HDwIeM;X6<5bW&MGLV)JoVr>{)o+|-FsB)0p_mFiF#IAidmXU zCo%Aa3oS&5;f8y##zV}3I?3>_>TA*JO}F*0J2lHe^C45;&Tbgm$jsUdYx@}IBkAxu zH%HLJXv4ZKk5D_cIWg8MCUH-uQSofh?3!MDIRvR|K&NbSjCET^k&*6LQ6{`0^?KzM?b=Eg?<5qRvRqs_e#G(v1o#zRNvqw&x=q*a(&k-hC!9;=5 z8~R7Y>OQl*ABPKy9{xd?Q=q?6M_ic(<3Y`RJ@@NSJ_g&4tp%zmGIaIkd^luJ7Cb&U z&zv!7{<$D@b~;AL4Ew|tF#99C3~OpeG4PPTDpLYWZ`eRX)eOD*Ct&WIs$m^X%_6f% zEHcK(uJlcJw~>_9+a0K(9o0Qb|b(Ttw^>(kRtYHcR$B zshORQW~HFMaJT3gnP3xZ67T*|&D$QYRO^93W4DWD@p&6Yty?dj_M z0$OIt3q*^OwLPx7{tfr25SQ*fxk1<;Vzh(C+lrho(k5}bUQqPTdQ%jQ5CsHuF~RRM zfXAQU;sCH1dhYZsfF4on`)Ojc`)9v1r3_sZxh!ArtS|$KGyC}_aruSE8s8bK-rqHP z2YaEpf6oZw2640jMG+hJC`bjUs@GCe!yaUIX696>huGdM-;uAl0+{``KO7dFDxl4S zTWB2$i#9Ew!My(lt8A$&U|Rv|<7ci$k~A#NoxmLiCz9ZgET7{e<;7q|WT3AP2dk?z zG4j7aU+w?FA;Sg$TA;C=ERnA}W^FwHDizeB=wvR!yiA-r^a!|gn#mf1A*qUDVZXpF zE`@*NFzjK!D}JIGOig_xL^_M6xB!OofXBd(14?sn>E;~i!lV`iTw`+50+3JxEF?o*fnDo!G%3JafdFp4m5}fWoDS@*NsTl9^*|A<|9+se zbUQCAuH=!C$Z=ONFV6t_iryDc7dD@m+#(5Dz)pr=JN-RCe>I^|a$h!}6!2*kg|*C? 
z?jS5W1@MSlZM;3I9q67_OcTxx#Q8yD-yu))R2Dd{mSuE6hM>-Mp1hRvI&f2(Cz zV8BK+?&7L(qP)`5aSv9JR73y$#w+Y`uA8=}ssMS-@~(3-aAX8cG0y!v>Jx}s3d2U`s2QtY}G(1A0v2HXp)Cv2?Kp|bQw1KS)&S@Lx3>_0w2c)fdAA}xRXcHVN zMh6E6hlhU-Hgbzc-vQ;J;i8QJcv7t~l96FR+bzw^AQIauo}Pm{_85j;_#Nm9?>bJP z^28<=O|~UMP(Uce_nd41zY0YRMD|wQ36HV5im;QyDcvbke@W<1fI& z0Tt?3H^5i_KGX&v8#52#B{PGA1zZ-xr4MBXcM(E97f8(yx3oP0Om2dO2r1xh958)V zOnAY;p#%ilnf`a%#kut1ss#!T%pYCakK>3#aG7-A1I2kj*)rKf7!2CWDG-byB(`@^ zyA>XMF`C)FZJRjsc>PntI4Z;?)@)73k+ZBu`3%Ur& zy-+BFspftY7I`Ing{GvOJL3{Z8xw8M#CM|5XprX*OvY70l`@4lG0hs`?C=>)z+z8EkAV?t_=mOCP&~Euz!5EXx3^0xm zFYp|u56`BAT#m-rGbtxWp!62aF!AaD7$P)w;u5vRjAa($4x;SQYRPzw7UBV*RUina zsBOV_D{d)y^ZGTh%oIpsnn;!8u- zpiD_Hmgk?3Q1tw}#c2va4y=HnCiEgVIgzSNfy;`{4r3kJP7~^Md9hK1(`Vq@fJeu7 zb|aQ|v;zNy>2K%DSz<(hk^npf6pI8?#Dp9aV2Flq+wK%HB{nFwIoS^3Kfq1sMnnMA z+Sc8@LJZ95=#n=rBb8wR@5U`#h@xr14I&1pywSQFwH-;@ymhOX`-CyF2^Pu{@}&c|p?*h}h?ciOIY2a#M6t_Hs8c2gF8mYc!$uFO2bMT0C3uRn5t5 zQ2J{jxTEo^oT0vgkLuy>PMEHe@k5vk`ke;&*RLE6Co!+UI2uh(Qz+#iIJYpVfj4bz zp($Xc_J^G*wL~>UXn?$~p$!}G5~acm#wIBXJG&ByPsO=5c-@DL>MrA4A6;!qIViRX4(w6~wqJSKflu!~fOw zAxa&3Nv9-aJd6a}V#=&b(P$HMdu&0*3&9os1~DKobiQOCzzw~FgY&2~k(3d&kVYFv ze$t$S(I~b8BE4%-Seo4hpAh3oyyC0)=z~Rgn5d{`5a-)`w?O+a26U`@&!G2H3?4F; zP;Xd@vxY&5R%e<0LBb0g5^(tnel$2Fv$a2Qlts=i)QP}#fk_Y6Kd6XZ0-CINtsbVX z92^0`*W|dGewa4^(8JYHRRpfw@AHV-DzH*VSL4=$ahw=B~ht8aQWEV7-Y+ zkThCF(BytoxgvM)9MQN-FYCR3)M_Cq>y&%b6vEm=?`N0RZTi=srKu0Z#5ZX45i{-K zOfMRg(IrlE4gB1s?#`<(T^H*3E7LSNjk}Ge$M3j>Qo34@f^kJkLX}3yyFpIH@x2!K~tRL46@ zuu}wy$|s*}ux^tU4n1DW*)k3A$zZrQplD1Uz5p^0^Nt-lIh+|>&EQ}mi}R^e`P~$S z_Y*+%{7Wl$8xv(-;#TC5`8#wyYpbqSUVLU?+kV&yH7LsKxHI`;cMsiA-@S0c<@S@i zjToDuR&Vt!L%{)qXo3PMp2V)a3L!2V$s9{fhkJ*bxxN8|Hk%O(ZSSstG zbuWDK_Uhe_sW`y8mWBpq&Vsi`?B#ahW};--DCKjQTa1|rhfAVwQsBHROt8A%zgJzP zp$d$TK+zOWLw~vU2I^m2(Kwo`g(&VIX4J66;;zIw^2^bm;0GHYZ-89%y)q)SsCDP% zqeIM_Y^weqgNSJkt#DI^h5-~gDHH7Z#GkA#zM??({6HOM5qW79eEaufgXOYl`e;Mi z`rx!?$CVWnPYA&}AWowm260c&)0IPAZaY_>RCZU1{@3w(M2nbDNMre;hiFi5WE>Cm5_;_3etKmr7tvsFs22DrM*N{ 
z@Me6#40xWXe0TqN9y(U6n@vZtF!aQQX`kzTSd`3N*m$U})&{T_4wZJJ<-@_lb*@>F zJ8%@huu?4)tw9|>GCB$p?pq2D7qB{@EI#ie2dara+*Gr6R(PSikyd)MW3)Wrba721 zE$0W&1&7Ykn1LV%1a#0`%43FyY4a8FgoWvXZ>Y#@DtGXh3(_2*c46GNi!S`{frf1{ zETD;v?LsRi8(3jmRS0i~dV1uf4tr|WX=~M=qN^ahrKO@WC9k-`n5DsE&9nRKw=~?v zv6dVbnpE7#nj)PmAziJIk3nK?^NrVX(w`G0q6rNU<_=<|1Xp*q^#`}3$izVRHNWMXKV{(e5^9v9yBSPGniidI0 zbM*)--pAQQk4D45XR zV~lXIf_9cfpHQ$uq@;mBez6T;I^j?cw&tdEt!&PR&gwI-kiFc#g`I?JHuP&T7dV&d zlENzPGIFnqL|xR9bdX$%i-ub*P6zN@t?quTuR|dY-_w#Eb}Li;Hzw?if~PkrqdXAM zFUb6KOkd+MCUE-fA_|yy+ev#1TU1=Ha{~*5U{w#epkRajQu*F6wt;-(8^W(~ya)H` zd~f5O@rpB%rO|_zNlIzy0g)&X80$heMxHoae(-iHYSE8b+E=91c=m~%`Q%Ov9|EUh zAt=J=X#T*^f0z>r>~FsjiwXd!xAF6Ir3B_K~Poe%tw(*kX?{+vuvIhmZ1Q~ zoCQ7{Aa3DUvo+_RksP>sH;O7mlZu8W?O62b^3?w&A~iJuV9^%fW?y02CKnG<9^lkB zA3y4a@8tIFlC(*5PKRj`0&lCFC6wEI#~>SUCMN%%ny*TGu3ZXQc$4MI(f6|d@#?tx(jI5w8SR}H(`!v zw-b+|;n2zrWtY&p+6~(fQL^>tmV=1k-gz0`mgrvZgTGgk5jnheV@f zjXF(^{YS6q{Xju;JX^;G_ovuU^9)D9tf00RNWe}~+-H3(Z^C=>ch8j|^Cx?5NRGr(`r;mt_kM%EQH2R1Y=}JWO@#o8i4~1PR&sM6O%}Z6wdk?jtH2 zKvo96Q@p_Z1MbN3uT-k8+{gxMhxE~$sG$^`g@rk=GLCVs0-l8(^^b9^hi*-1T&?D< zjwRm$z8VKZ~;^Y9jtUWA;YhN5Aw+T+~Zd4hWG z+XT+cmw|!GSm`D%aq(F~Gdz1NPE;vlWmU2&v5dhZh3#Bmwl$@eVGZ;IAt4`t%{Bkv z_EG{)lY=u(kh8&pLu!d#6SO1eO7iRRtMuxB2ACfwAoCddR<(3Oh!kdBnF~W_ES{H@ zeIE48U(%PgvjCyD2YBtHv{=H(C%pT+4{V)a(UD*7KMlB8> zUJE{jNDsHOsrk2y_K1*U=$X5^x`0Dlm@)7O3lp}|h?KDDtatA|6zjRPfF9M35XhRt zoA4_FrTMMUZj}G(>tcDSsi{+$!%a&3^vvz-?lr1@#7>o7?2H~Bjvw=Bwmygc5l9T9 z^SR4S1&1ZTcZK0!HD7`w3#a~_DIa_;B1FW$xE!o2eSrF4G4m$!KZ&eH*!q)&g$3vE zxyPjQ^0$|9HtHk^^-|ue0_cKEqAY+dTgtUHleR|v>l|U`sQY0 zZd)A=7D;<+YwFLd)F-{>CX!JkLpf~IU3P%UpZW<(2#9RW=4>XAySGri!K-Zbea~YA zzXI?$-gk7w2U}c)C83InO7l<0T7VIB$0=l=4IsQXd7-YNX3~I($9{|IE!7;TF09O? 
zQSPVh*MLR+(!=`%5e4NZ(o3_z{azJS)l;~J@C3)&KlS5lEu+tS(EFX=w~OLW=@b_Q z*W_!`CuRhgNR|7WCV{^e!Vwt(tCik&|LfEx^p6BdA#^{tyujGAt7+5yHwCRNH{r9S1y`UcS6^v~om#D(Q1(L_{N)rrM2P*{z>6)>>^3 zXLt}+mQG04{A#9w~*Pr@v$lN^j$rCqVhN-qD%F5N4@V$%VO&LD0+0V}} zlURdbK~6N!D6&#O*keeHb&2w(W!F8W@OtAPu~~i$(s2CcLq{7r$TbM-Lz-F;Qh#6> zkvIjbSeQ-XQH$808*2`?9IZf6x?3PEX68bx)X>+IMf-wQ>kM&n=K;o9L9r3Lu@e zh5ro5?zv=U#7HTR{jS8H>f z5hWg~2|hHTNlx518bE!Km5VeGP`n$b9CNh00aX>k(QxpoU|NfVc_|L`eLg@G7&&X) zQFRj!-8KNx9;$>R>J!(_0$_$!3`Vf|WGQU_`$HN~KqCzBe{SLS)xn%;2z;0?Uz~vt z;A3r?wDG~*M0A&_ipXmq1cYUar5rsI({O*k7?`erOc}2ZO&*rFIe_{V)g$&-v6Ne>Vk}uiI)nEH4{m272snu z1AtpEz|NLEfCK3aae6ATeJnb$-{ zZV^xTJSSlj9wnq2{rT%z($T%z%i0H1Fkj%=LS=C=lM)V7v1G?C+(e0k3H~>&GSmnk z?;Ssuo=fqa7B3OAZYOc$)tF+aNcHsNBSM&#-g>nXZlAx9q&yPte0o!LP!=_7SvekZ)rj ztM<+f>(_6lBEV^=doVnCikvaeqG7tu_@SOC{X zq$h(8H8n5=xN?}2$0}nY-E#Bl!+(5O2aJAabS04g#Yx7ZncT$)_<{051Z|8~fxPb8 zLmQ|!<1vqIFcfeCcn%9lgmw|xRcMRj&_XazfbXou58*-G(Wiaf`^e6Wf>Xf?2?00wn*n^)EU@f|h;xr1BVQ;+X_xM0E<0Kpqx zl=-2%_?iK==LN)n&`u4L12PI`?*4$_4=(96<-N7 zlEg}0?Zu%0>(Qnr zM1ee@4iK7xsvyJ^HFjHwEH58ZXo@v!Ksqp=IApIaWQ9d(l!RhEKN*Y)#xU>%8J
x@{9yGL7 zxMGTg1|)q814C5>NqC2dm4xZ*tC&A(7JkaNI)+9J-*XOt#agLzsI5Q-DR4qx)Sf1V zg+>z(aob_DhimH&Zass@(fJNl3kU3X!YJw}QpNneo|Xz5-)uztI$6iem0>wzl2Uc_y06LZ79qd@^@mNeZga$Tl4k&Q5c1lPP^1mfatWZmCkajJDzG|)xp=TRvD_BbxvgHOw6E$}G;gQ@^V5WJG6f&8hwuHz zJ>B;G6+E~hRmSR7<4@=rj+zxB9uTgd4*9el8DR$`;2rEQkaJJTu6hu~N|k%4&;X3T?uK$!$N`J42Jy?0CFJ~QQTY<^DV z?aAsyvK|YvJQelxpQ<) zLqoVS^x3~eTio}LgRrcp;U7qqH37f;n#obOrwOGf;I2(s<{VATZ4Nz@E@Uwt`#M)4ICYisl@938u}w7CmKgDZZv@#gGH*^YU&jyyN- z5-K{w&+|tZTi!WlKV-TS=UR0P4y+Rk2vOx70;h{PBAvdD0FdE*pS6y7ub?Nbr~L?` z#MTElsnAF$bh`n-=RNU=bt&task-$vTIfJovD&tNjW()&J?(s(&DOC5DFg@Qxdga= z@$3!_8j4=Lyu2%m)3kd<)3yq)j!XAB1v1lb4L;|J?!7z_L%k$fVAg@M&5pywG^60;?H$N{ z8@(m?R6hcaWB+d8@IL2*B(7?7b`}}6^td&d!;h%#;O3^D}3@~dlzTH^=kO7a4o_m=A=m# zZpl~0_?FGfTcDOG-dg=Y1}h-*G#;Po?Q%ytg_cdxr@<9wfL>TATh75H$8|j`hszQ2#sr%j(D{>G=Mz=+L7{>Sn(oTN1$1lugpe4VOI@1Kb}>})DqTz;D*g<~Mr8yy?b1nX0s%T_dPXh>&%Ju-8jRTb@MT0EeZsnr&zD~`Iw2N19(d1iCDi#^+D*E!VX=(x%SH6mrIis zjGw&RT(m#yh*xrcKo64*Fdii@A7oW(C-7nUQgc}e zPR&LpRA3<;s4mCU8}pL1>}IZ>`+i0S+36I5Se*cIM0vFLtHgYihuG_ov?jm@`*S!J z%SCk?J?7P#U0y|Pf4%NQc-M2E=Mxz*QYC2fcaI-a2$(NJ1%wG5a{iG_D|jhn*~lux zwRXpn(&KgOvBgwE(^b;#EJ;&s4r3TQaW8laYwEp)f-l+{Vnz zzu)aHCK%<~tfCKZHR_y}Si~ifU&0@bL&U|eH2pdfVAr3?gw;6c4{bg}DdUO$I+}gd z&>2B5BYJ&3!XcF=2206=2O~yB+s1CZjm=k4yQp`0Vq1G`!`Rc%=~BfHJ23i6;(dpwz7$-8+}&@vUL9w=RUW zGHmvq7J42ajhQW6Jvn~b2HDXRJa9z)Q8HfE+vgPgA&DM^dLXzv@;N>rsDIA-0#4Wx z)CyS~f`Zr==OLxmZ1xJ$@Ic;tL^mwSmdn(BpU{cA;dVkoK>xbYOMu70S2}pL;ReRi zYh~wZ!e$S`E6`}Z3rZ&JL}P100}S3`pQ2;!UQE(}56Lc0_)qL@H$x|$^{I3cm=6H| zm<~(1yYv{#x*$`tx>d+BQT}U#MfbAf}sw zEcU6)YoEAyG|g3b4r5zUDIOFnqVsc`bohWGeZ`fBY$Zkm!+KDt!MclaF2fFsc3XY+ z=>fyquB$;o&*G1ottS&^zRip?$_H^J{7RW32=;RT^QPcG4U-?=Lbe^`19+l9mT*!` zCN9@LDJj^S9P+9pYrBNUM`P0M^@EwlsEtIb>_OJc+fYcx`VP#M2rNzZ3=!W3mxM>` zcf2IkCAeKrSJwL~bwJw+r#vt=uycsX|Gr9g!E;QvQQiXB ztg5dUB0pnCgTERMZ(?lLKvgNlBpCC*fAlEAbkcYckzL71+6d3_u;@nJid~yA!3Vd& zsb*zyJ|ENy%n}C0m}Q?H+J&BK-MaPbcWb3y?Q3+!tqDJWSn?mwDGo|2I(^`DmgFQZ 
zYp6-70(ZeAo<>fOL#Z7WhQtpIXhB_plQrwpi>EYh>We8Pe0NgW%m3)NECo?!N(^Epw2=+w?5Jg&MW0A1Jq=i9==Q1R)dt^3~5aK7ix!PW1R=;q-&> zud9N;`eF_{uU<7YOrc)3mlMD*zwCB+?$0lmFGl)5jw%(H1v=tJc0%KC!OUXmj40K~fOU+~Y1*O=AICu;yLxkTf;PMBj99TnKp`DxwuFpwphXX2E_T*Yjc z*o)4;RqcPe&4b5@c{9v{0RG`Iua$uM&fEdA4@{VMGm%G_Dz>wrCnTIy8XUm}1cB0_ za^(YIiNjS4X%Lp)6BU-PByr5nAAbF321(@sL1HZO7HW7XB(9}wIEC;9t6Ava@cTC$ zYVbx50x7yW+8g3<^D}2|W=s-~`w-9thNpRHUm$LwZ`icyA9cY1HwVY-zno2kL%LQ> z)&`*g1RT+0yN^Bj?Ij1rc5KsYz{u)VboPq?X5X+nb}5ptX4U=tIXp;VVIcrhd%4xX zi4IBcGOaxQeDM19>*zf9q4GlA1_3GNutse+82C%^U!{z)+0y~V%vpbjnj6*A^cLVXXr zE3pp}H>we=p%_#!i18qi=>zKm_Kva?4n*;Wh=K&)45%G?*!7B_!Gwd40Z!I!)kBW7 z+R39UW`hGdr-QmUpWPlxZqHOt#^TTiH$Ey3r#;qY%H*8!``ZF_#?@A;WP|U>CBj$m zm8KiCeSXUpF?hyRE}(HHZ77+9a{({)~TX_lERxs=6Cn-ScU=+$U0D9%<4Ok zj{)=GP<4T1hFuew?BzPvax~G|(muZ4ew07eRm(1`rpeh>)?v->m8K5NKP`RlUnQQF zJh_A-R()Wm?jX-_@?HwO@lZC(!kvzq0ANt_nyaXhsmoPzQ7dhrD`%igk}#9J(f!=# zSofTV>eN-++)qqgZcDK@WTJp}1TjfG#3U=y3S0Ql@a>?dr{A#y>&rXQug}tO1-2hE zIQZKo)g&_DY~X z?<}MWf(z1quLUlkL~h;&naN&CrIROGVyzr z!u>!0^?L~`I0CfcR}0D9_O8^#xh2sADOL}Ba{N-%1%oh@9X~4`wbZ+!+jN@8c=UJHw?PA3wBvFkC$Qc<;rW2NhJMn15BrhE20u zDFu^F9+kBnOc576edv9ly2s*PQJ38V8=OM5X*w$QlA*%94YR_yA>H$GTjv~BY`x|a-MQwK) zBbw%>#S?tF9b3=sTj7Zju~G-d*E?hN{H|(kc*1TeGh5PCmIX}}mf*FGVy_e0Qs0hS zYd`TDBT-6qJaQPJo2cSW{B*ui%{Kc-9hs)00u`R^y8a@jHc=$gOmGOnjR$WdvWllggsNqYHa_Q`*K47(3Bpzp*-bb zw$F1t#hwr~f3vTmd-C=x z-`lJbJDpz9*xGvUiE16aUUb`Mi{jR~gxfC859xaDrU*7l7<)BIXH1dVH%iERHJz;A zzm4urnbcs4Nn0yt>kWajR#0BVnpLPy9Aq^dh%c5IO3GwjtGIt*EG4Aa0U!dc%v@4j z9E%F4Yl-QZZ!BxH*4(kO3Y*+tvij)&&-)pg6D*Hwvph*1Gr<}xE_$LNfdLtg>I>E< z#9h}F;?kg~!uaJL*#{ouHJ99z9fuY&{qMT6vQ7?^gvbmPq9-J<*Z+DmtDZC29qDm1 z+x-7}{v&65gCzhwYpZ<^@;koq>iUKBhau8Dwv?;rLdt#)q@1yszgB zoeyI=<`ph!2C{h1C1cnIi4@pgI!}0J%6^XRlM-?E?%OlJ`OE*~ogJC{e1(NjcmMzV zGat4?-3ExsVX-gruaE85!v{G?59E0{$8);g2|Oo!G}k!j(u2?7ii#4AJsikV5@O{% zR-HP(#d3k-eu(}z9T{JTg`=4v(!1l{%9l4vaC?dFVJhMAlrh4oM=5cS;#qRf*41D9 z%Cd%2He7GNPvbx-)$hrCD#A;3EnYi9iWL$1jx2O5bI zO&W|-TL 
zi$_C|<}=?`o`cOxPmQ^NnOl{DbHx7O_x(K1d!+8}IDT`lMQC{Cdfuo=HD#Xu$cE}M zE$8p_(Odh1$b>Q+Uo2$0sP~h%raJ~KWai(!u!m#6*SQ9TS9!TNV!z$FI0gqSJ#Dj^ zmsG0^)Bp7a!hxU@ODr(dw0-gCSMAmP47eGK9ze>*ZpP0Yj?dBA&OysUgOvhScL>*{ z{w!RUAr?&2Zp1`b8>_UvYdt+BBpjK*=_7T0hssT!w^1o73{9p|$yfJTQD5EQMgCFY z!8tyb7vf&*O$xWS)|jz<9*mEWVT=ww{XPNg<)M2y-s7b|n&ecaP8@vkZbt1ii;G6n zhSeN9y?)dybUI<_`n`w6wkQs4UkLyG0oG{*^7IC=Jsf0uBx8G9d!AG{$doKIbl-aC z`gO;;6K3ik*^k_v#Qlc3Hx||C(Y(HyzjgI~mF}kRnv_RI<>bE9yRmpR(cn-OWHg z659sivN^eJb?*?BB&_0TN(8#knTBc4TMzttHpP&w8J#b`O)I^F0zkp(Zu;J%W?;)W zI(>mund2-f)tA@i^ID@sbtORt+iv8^=5+yK6~&*l*mAO(Od!#lslsB`~z8%#-m#D#rz5u2jRYp(UpqMa?SSwzf9>eT1EM+#gK*Hx@h? zdz$>J7P6c^op)*L)T!+-Wkh5+uAMUcxWzCcD=^OX(yyD4=an?)wRs)Cc~e|MgB_I? z9n*XDs|PM=3dvFBoY}(trF1(JnAWGD7GEWk{_(E>e{hu!8^aQ3Dv4wws&x3EPPL@j zRl8pib-RrWCJIkcbvHL{gaD#HKMCAcGn`cbR_Q`RsitUq+p`- z@<+3!L&cs0Tl_C%0tBtRuy%1C1(4syb>mHBsna55&$s55*=xR7vn8-}^X`l<*LOdhgI`~>ocFJ&6FN%%W;|Ze znk}WVFVe7A;DnOt-hv534atkS=hHyI={Rwp+TyP~%1V~K(IP?Uwb-u!cSAI>=f~hJ zBky^Tq7y}Jv|x7u>ectemBqJ;m^^!e71MWf;Ld)GMZ+bnYIj_ac%Yqe^Ai^c%?lxm z%PXo~c-P1eMCiCgxwFoE_(Oc1A{lC74yJd^<**qKI-g$^YYnnB?m&%cconqRe|&zl1C8MXC3BRHZvEc~YC)U@jzm{2f&hx!gJrR$BVZzcc#! 
zAyL3hnfAbp2J2~&HMc_T_dMB6kQB92wJZChy*GK5Y%SDm8&)>ChsBV*MRIr(+6_xw z+-;6psdW(}5&}vG+YA3w`M$YMY!~ntexOzJ>C-8(ZKuWgc+|kn@=(4Tl;}*`E8!?& zIcPFSc`iS?ck<<@`>iJHlTN^!7GIb=u_lsDk!s?b+VWxTDQfMu>ioHU>QKy@O-LzH<8Ri9Odvrf$IF6V?14C8thpe zuGJuggkJEq7lbfuy}&cUiJo&+sfd-rB?~?Nv_NIbK#!B{cti0EP?1lBK`R{$Y3}Q4xGRpPGxUo}XdmC599)xFujG#hO z6K9NYauHr1W)M5)8ux6@D%qhT9=%J6F!;a3;wrlPfhrlWdQgIh9pTmMJh87LIOEmo zTBU)0!FSa>zRps99~@du(JObU;B@L%_$53a*|l9?37#Q$Q<)M6gzRv%l12TCPQIJGcu`Pd zci~C0E#RU={`Bm9e0E)VS2Lw`wZJ#MJZUDp2hJmY+cY3qIslt|IX&myJL%;_txmAp zcOF{LWkAUEraZ@rzQIg{Cnc?o@;*v(&e+2Xqt0I1Eeg!$<8o)0xW2eYBaEsMEoFJX?!E>$@oVp1LeVezjM)*}o%gy*iS-QuHA zvq%3G_nktb-MlXNQwIqOPg1F_m8S5LJKd#%6W8TAt=4;t&FwM@JTXHRE+n3{JJUtm zC`8U|4XQ$h7y*YT(m`gvZ?jnF@oW`=Qc*$9a9J>aI9}bB9e@6SLlhT;{d`|#n9AOw z*D;R=hUrw*bx^BtuAoGICrO+J%CgPLRfmW6UR)zHI@P3ojN!wL`bbwGuv%~HR+87r za90xtg=Nfn^^_3tN$&q{m&11ME-Us=29@cU%zUcsc*@a+N8~G8GcM$hg}IfufMAUl zdJb%ZR!ltBY(K@SK>g`VtQcR%>8krwK(TV5cx@_xxr_5akHJh25r)EL`#9|W>%^#^ zdFEKuzfCIm(!Pm-8wGw1jIVA^RJYxai&=6UGmDiPOR?eSWQH zakYB{jrYy)QyY5kT!6sz==GEHOBcQsDoSqKu2Fu+ghs71%CD+b7kJWkLwB}N)1%k< z)+`TZBsTf#ZF2ZO9FLf-gdwkU{K`iIM}|RXWuk0ztYpcv-0o_a{DCb-%f0tp&GjA| zrPd8;&;2Y#FK*2?-19g>uO7erg`dsKlYap-l~1T{?l0txnYr>}<;vm1abeWe6%hwT z*`Iby9We8~^{a9|ojSkzhxLUPT5mVNzCW1VKAAk*;N6RTG^IPzFlYn`hfwpYmcvW^ zVy8j{E<}Pez?DSKih`M{2b=kDN|f zo%8!_^nbW$?hXhkwH4}{64~)0`J=@rQ}Q}dWrubI0du>#^MHPBP@nN9>4igF!4VfoOBN5m{jXUk4e#RX4*QeNewIu1Y~K%dsVq-OpvmKVe^pHQ>?4jP1G4eCcMX zDYfKnh8}KFrBG^Xs8;X>GmYKA`+M_oTe;ueN}Hs{v**_&yZZ2?j5aw!11hF^)MhTc zb19yf@_mr#qdl3weqT=AHv|v3o%ROFDhdcT)TDEo?2BBcimM;db@w3j5@{bBt|cr* znV^SyZ0h}EI>gWOUXqV}M0cMMnPs=lEv2CIqzjEvCglU9m)!v^KAm0|M#7Fp*f2i0 z$7FqP%hzXJ<{^@;U?r?2D+bu(W)lv~XWuK!KG-E%(*7|4KYpx$n5kdmNsYJ>}A@E1V|2 z)7)g%a+J2Xa{(iPG|qQFf1+DjI{3uEGPv6Hc!LgG%=v9uk0)6os?9s^D=vp>Xa83< zL&1;*R%oHgD+;lmGR582K@%%;Z)GFT$L1h|7eSk>*|6kuMntb+>8pQHS--ohV9WM> z_GDWmI?p$zgvi)FBM42W{9YWYUN!b?TK$HdYxSd){ijq<7CrqrR^m^@lh1O>JVZpn zjzq0O>aqhuW_$Qzmwc}={LVDJa+Awkbo!Nk5=Dv^gAW?f<(twEYoMdQRQKRXSKL41 
z$O-GuG?tCwkC>Hx*3?+f@^O?(iil{}PQ&#vVceg27Yf}m-S<7N%bH0!e#^OP-qUYa z7YNO({{*Gcf+H%~3VnIrjg=3jUYWDQV_VLJ+ zPZi=zhks6AzJV0-$(_H{fFimsM4n!LeE0i2G#WXPt{A2tEq)d%JAFDe^vT5Thfn1% zC(k#h=g3gHE{Ofd8kLjO1ZudtXK-<2;=u>e3*qFSf!q5!@3Q zK>@c;IbV|87~&CPns(0-4@>N7+EGKvCZ%^UOZ4E}>Xn0|otq@Qo)!^&a^qf=}!6&y7U$5#AhJ9Y)oyKg0-jHrHlU%QH2_LP6kd| zS?7G*ax`LE&+fzewdt~EzHk4LcJkf4e7dZ*VLE}H`*{`h(TV`jA;A!rnjrfQJ^_~e z)wwf!7@0(m0;DG_Um%qA>B`dwPH4fEVU&vEpV3^aIr$K!RHm%si+NPJ1mR79*mw&9 zaPQ_4gyM)#1g>nB1IKjmv8sNS%8swl_nnp%d~GvCr^>JZge4+8oGwN+#$uPttqcB| z1i)2w+p356u4P&$@DYrpgDCG;>Kt`t2>Wqk{N=a9MLR4{&L2`QTlp{_!2hoz<&^@9 z7YF~z3rs}bEKn`-Om_T8cEIn%UrQ?6-^fxH*dwa z)iv!wCl?Z@mwoLDab!sCm3Y#auK%UT1$*@^YQ#}{| z>%e(OY)C8e8~bkRqo{E6mf?PoKp?-uWI2=U3R)?qt?Mz$LLe&FkGSGNAG9W??(OQi z=>><@@q(WzL*Mz}LQ6L!E{HV( z#RI#{mWjK7O}o#5F9=(NG59XR&-nGD*nsraRzGummWFYlz;t-_DVzXy^BM%S==(bL zry?(O87)t3kNr_ORuNl7MVTU38vvo z+6d>UQYsiL6+;5yeC|Y^xzhacGo>7F*2X?&$e)qz|9Pd3h*~xJH@iE~L*>>`B}syz zIYKv=tmM-be?LKv_woqm?bFVoUgT~~aZ^|B7+8=UIrAJ+LH;9Anq#&5#;JD_J=Bn8NZi;~pQe7tbIBJJW9oV#Xuy-ws4 z5;{O>iVU9jLpz5M6f8%TJ+agQrEqvWV`a!+Ba-{;J7R8oZLYc%%w<*5V%=vz?bFqA zJm=Yza&L;m$3xrN-W`xaKfpR(Bfsoq=NeZ&aBf50egW1KWw_45e@zr5cg;j>3cU2c z6S1422K@yE1pqskj>WkhyU#ap`Ss5C7R6n#dRnrTr#|p=B)@)sv=_zSu8CpKO}~Lv z&3zjeYrn@~Dro|G0eDcv`r==_ApVPh#yt;h+q$1JqwdDih21+t4$Pi_bZNrzTnQ$c z%vmv)adr*@0iQ8i+q}Q9%5gb{#AN5{J)Kj61*)Td>-S1-o7wpPHTK=Z{ApG|=L@y54{nLXVZ#szX3h0*VJJlMyZUsjl*WGV&osB_ye<&&I3rgYK zoT%QS4zMUI`W&>ThLrndS2t|a)zx(<`>qfuHN1DG_V&4}XXpDyHVB{cIDcN6dYsbm z(j{*0*gNC|ovyD>pf|(vsU%C6$krW^DX*?M{v$R(`@|&1y^+#b>ETG9xr?VuJK4Yl`!BJ@zL<_S(rD1Qa=9b*gI&zvPD@2WH3m6@f0k)&(aN=s zO{PcMZ&1cAoKTr>-EJb}VxXW@};5JC7X($rS#o0p z_H~D)LS0bwHW9|htiRKeXBqDJz=rFJK}_-6=GZO4li0P#Z`f@MDW`8sDR|-xlb$NUoL~~5Dy$fm$ z1!h0dx|a;RvAG)z!oL=}Mu^k5*COp^VSE>Iwz+ARAxvJmTeAQ1!Z&l4IhC2*Ym@Pk z>BdBML}#&QK1M}mwQlIl)*nI0(h|9Zn`wc45DUJ1 zHO|@U?T1knt88OqgHf3`9qyN)-_CpOfa8WF2><=LGxx6d%!3y?~_ydIiEIh8S!>`h*hrY@evRQ_(Z(XPJPC+dPd4Ur|1@P_RYe5aiAhg9T8UVKgU973AYf-7Z!S!J! 
zo+MuNE$I=>Dg!%3!X^)8Cx01OCbzfY@2j-d>Ozi+d)BPPMeJ1{Bq*_=p~9%jjjKzrT7N zeb*#k%batpvn;lu7*YpJ&`y46qiUH=4zq zfV~AV*pCzn%mRcGVEWt}_phtIO0IZva`hn513Vfgy09U@I&e(u`mVnbI)^IJz0wM? zSnl}_+dVeiQXjevI=OJ358Y>UFg?jmeJ^KfsFrKQjm)Q%#S8wq z2TcnTCHfm@S9`(hK9Hvn?C%iDL#N%0y!Mm1=X@e0{+t0tzPcAL5WT;J9sOF>wv*@2 z@vA^26@C4B9soy_THMDi071+S7z9V(<0CpV$?L@eBTJp$qi4C&c@>i#C+%Ss{B9KV z^8M>!^|)^}>`M6S&*7|fd++}->FLthrEZZS!>FGyYokW<5YuC-1_~7z;oKn|>Q@)eJ z@nDT(dwp%~2{dLEs+US+gs8V{gSg`{AfIH27^7XD@S~kQ`?ebY_nU}{1uR=wNC^E+ z-zPi~EGnUNq_*~`>GgvD`8Kn5sG+@}dI3qw0-^8seyAW&j`$m#LIUGvOZ=+f%l^#& z`CVr16(A9x25d-7nM?6;3&+Ug4)X{vjLEd&*c)!Ketwj{4lX{WhnpOwxs+7_LnbKs znZPBeCt5TNcB@1E3Pu{&ppa0L;d-v{qg?5gdC!KX=2Yqu?=+vXb^Yr{XW_QH&-DEz z!c3uTy@109$%UqJ;DzK3enXf2_y5O3wX=>12?`=s(Wsm`i(UY+h2ULKyoo9$4JI86 zYd;f*&BtT@V{^v*enVD}hXQIFE(+x!N4?a@VPK=pn$Njw`3IHvWjRZFQyjyIMV>=h zRMnLm7alH(N^9EV1f!ogSSivnm`TU;q$l&{05-M%=A_r zs!4mK|Gvln@q<|(O~Xy87Fa0Lz9Aa_lM72_lOcjN72UphTheOk`F#oA4~ytF@>^5<|2`b2U0 zNS!3@)UN@&hEb{L-E)a0w+j0*wvQB*9JDJ+twHqvR$1^Z?}00sb`&PWf}#o>+h z$BQVJYsWMvz|SC0{{@P(8Gq&P4RK9+dOE7yRT=*M(rgZm4+suO;|FqjzJEpY2)M); zD$61zp@4IT_ur#c#gJ$e#KSXnWG#42{Fn?md1clNg0u>FZ+OoIL zVet=!{hhOewtxv- z*83qlGZDm+`y4BN{qjQmL$F&kl?zJz36SHO8tC^TC4P3w4FMvAeo2gr$(2c`zwj7d zXlY@wea8-37>W0~>7!^0KaAaLRE@+z|M6-z{QjR6Gv!}OKck{B8AroM+Z>bJvUEof zvuQERhjDz{L*MnSbt+*fe3~48AC!q}QW;WY|Hl18nD#X`33Vp%2Y7}K`ZMrH$8cc? z0pS$lJcln6*RinxJ^g@7VzBsr63P7YTDCZ@+d6p(C|5;(uZG)HDTJQ*JYU;TF{jN? 
z2Z!e9N#9jQv6LEz@*i4|A)+!ggB;_mYSvN1({EaGO&%c=N)tGM<9AnpzPvt48Xs^I z-e8bQ-SiY2g|hP&8e9NKGVDsJkCsTRiYC9UiT2z4PxC5=eNZ8-H(}@l$P)|X!-7Ez zEcvxegX!)gJaIDZ*RA;4d6Uc1+?*6oLu^djwrA*$KG2%&0Vjw0Jr-vwoRA0oK;)F{ zK8j%{9#FN&{2tXHhxT|cwi^wL(DhWe%q@?_ITSC?q`&-Zi8PrW=|mr#PP;QPPzIHu z9009qRq5;DL0gZ-zIL0b>foDyY3r#nwxQj-0FxZ~{r{RbL7vTO z^kHlkBw#2sqP)EK`A)u7l=LtR~F>YKdCibYDc zuH-!iMAL#ct|u@-nz(=QJ19l~Uqr@%K)l(CiSZPl_In?~^@&%_AYREHYx)i8VK+!1 zmRvs(NxX!k3fdKYAQyv!c656P0yQ)|+~RA5p)RWMao7|;ekaZcqaevboUH2`DRk&Q z3sejt0R3xp+>sR^I7}v{{6a3ud4MRR9cP;FRIUZ0CCcLf>@FLA82?<5i#oB}vrS~zs!C05X1#^x#g3s^~ij;|p4=*}Pc*(X0%dsU6v zJo*EY?wp7gvuMu9h45{&!CmCB+GY57|3F0QzzB4ScUd%W{lLZzA~vB^n{)J4WJJvo za%bAp-Ay?X*M-6FA}#Z1TP3#?L(H;(?b19Vh93-}iI`{!R-9m*Op`Iq+CcL0M}pd`e`Mx6em1^6+^2U-N$_Qo4x?+Ft`Wmz`+#ps25 zANGp&#a56?lg`Nh{A(GAPLLI9#2xI-M8zwzua;&<9s0H(gWJWCK1%!7U6{6u2)X(1 zf9*kaHzZNdX5*JVNV~`&o_~H8_#Y8M2GJfo4eA?|B&VlupZ#!Ch~CtT}s71c(G2oab?3h4ALB!9q zDV;d+KGJ~%*8+wj{qJkhg(^NYp>V=b0ovtjg*V5bBYc*Q$gw%JP4wBZlubMrp8~6^ zPC`W)Y0N#wbEHyjm}XxAL1xADkJ}*Z>!4mW#f!So6)pi42WaA>!O%)SOKwk~ag&68 zEm>*ZnfNL=zbQ8`m?+E+jfzTVfwRWM9rvOW5N@(bjZQS`Ov~XsEOOrhM2{F1^war@Nfvs&~M2aWx+N}5l*z= z?0guy=M$GJH2Y-DpsJ(MMH6yLvJO%RK2lNM-e%-+Vo$8ex&YcGtGtJ#o}*v}1%o8# z3B;;8h=V#t8b_!WG^@)LxJN$$QbT|Ia|j~zt0B1{&dg<948k92-!lPCFoCd1}6*VOTX)4OXSPh z2dKwhBY@S$EyC|k7ogNhoSnK$owsjYV8a$cK|%6KfN>G7qzjy$wKY-LPxMtufP+Wf zqL!%|nxo#p@~xY*s*O}`xw4;fxwE%!Nnmd9bM)Xpbg1-4t3IT~Es?f=e)cSb9bx2N z-8Yh+m!^+glAaU#jFVm+CHwi*w~n2z#pgVi3|w&>M*`>>woaQN=j}uMaLP$jgpN+1 zWuV&?S+OK*3y1Fp+igu{ruPl@9@urK?B&9h!BJ7VNTg8{QuRYH`|5Cok`7QBnL8Q8%G4UyrSm%n1mp()b4jfTAOiOhOk))#W$;(GC51`BGGS$6XC zO5w|TBw#nleFOH|A{Ve`&MImLepTu7Z8mwTk#0#VAI5^zNJeu%G}UHWvvl1?yy;sw zKpW`)Z|fJUFg;#&I^f{3$&cBz@~?BLpZLmU76*|U0f-9YP=my{*oXdnq}$Hz(t!*N z8BX(!e0Oc-qQl)~bpGz!n%~K72j2b#n{I)W#o5UTA)$dAzN=Cmy_&{Q@|2ODSM}GH zRgw44e5RFm^>9uq-41%F0ok3TQ}02M7GC-fVuoFtMtOz@5L}TJww(f-efw_~)9YSh z6Dme0cS@PVzJjJh!w4;gB1hU@9TCT8pz{@`WW_T|`A8~k<@XwCr4{2m&=`#{V!zl% zs*Q0eZ8CW154L(520(VSLEa`q%<-xJycCBndXbUamFcF>iQlN5ot?I~%Uz+Ku;Fl` 
zy@z8A^UDn2UP!Po$D!wcEWsX3`YnN;mv}I_3-ntuC=JpD>ae34(&zujlZlZC0(?vk zm1Prc4OW<9rno-pZ=`>1l9a{vSpC=bI7|)})WguFrYQK+_U19-!bgCU6I0w5{g3T* z7@qLNmd^l8X_nhcf2e?#G&NJCAT}8h|LfOhK^tHUV)dxTmIt(BecT$F0_I&>qZ6Js zl}ejSO`)LtjS#s-vtkAU15#Z^WidnU0Xue7k=AN4?>! z1x{_z$KXs^bZ!g7rnc#3Nxj z0MpPHqRDiA+!RO~#-=4*T3c#NNK2R^yNN`#%!i_}p4N+VkxIdl&Pz2jH?Q{He8NN2 zJ_Gb7LY7xtc!a^gRt%xW?B1ov&(gOPT2)jyOV?(8owr^aLkRH4rv>toV)V zYttawct3)V?9)G;>ec>r5i#q9_o$vMl57);J zB}X4R^^9~qvmhQ&*vPyMQi9cFYj;PUz9bRV9<|T_wrD=59}Mp5 z^1P0xie+08B&!fx){LS3+#(gv9^VCUxurd!s?>WfPpw-A&qXn(BexRO+6+<1NraA> z=_)j2!j`q>Y-8c{+cc3GM<_1So)wCCKCbE0|j z8W*i{Iy$T_jnOO^U&t3nq(_oAm#2o<6D4I(;1*z~MDA4i91?>ATfuDEb+#Cxc)ZLT-tI?iAj=ouCx ze1kG6RtkHB>IpA~dsjhEd-YJyY~FxBBO#4TRtnRWHY|%sVK|XMJmFp zi(G3qfZhpx{9k1w=SkT}$z%1E2&@0>1Luwzgm9!A@l5?tYu3Gqk^Ah@Xo3kKYkjsA zFjQYvN4|#BRcK#M>RH9N4N_wU!@|S0aJk`|9Nv_QbO#TKNSdx#__|P}eEXo>%A&s} zm07aG&Zfo_t6pXYCKGc$)HHbB(?SvfXSBpCDPiJ{annjV9pLmj8sTD0%!#Q9_$K6p z6KEMFHXV9%1duYLX!uQ&_jMBEyyaMD#5PE_MJzkuBnqYVud&)^(?;QftSk{Q5d@GxD-NGrpE30448A%#J@ zuz`oaj0CDW3Ou}T1Wgt)!w)H57O^-0u{i1A1!MA}ns)<50nAht_W-wJ(|qwCm!N7{ z-%n+Ux=26?fce)@GzH&+kVJjmd$vRRHxdb|19%}+=o@aZ111Uuy`PDLMx_Y-!M~;E zSrBdo67&N$eb7U{G-zlLk@W5oVfwxM#Lj|OoR;H=l)>SJ+m3cR*AvhIoSoROfL>%f zTSE>?hSELns7_5aJnS!op#w9{_e4J1@2xw7wo~98F(bVUaK?PS>)lS4Yns|2@>w_j zlHI=69@R!ph6LVwGX%{(Vh}qmt#BDLk6M+Ng|+U1-DbBIp15>2M8P(%+nRp;p4Zlv z_uf!C$1b*ECEckBA-WCsfTQ==Ty9Fb41cIPi=eYA&dI|Q2@zw0#npv1g1((R3pR3j zkJO5>#)GcizHM7MXesZ(Axy)u?71{yb{pm}Qu@kSv}jSkj?JDJDatY^$?sI&5T6?B zK7is!QKL(SsTxMRx+Cu)Qf3gFL5v!#@BV(wsBz2Jypwa(_f!-qSj5AQ0CaJ|(N%bd zBh(w)u(J|M|80Fx>n?Czl!-&~;K*&E*1_HH8Zrm9fYu{?cGbYJI3&Ktc9)qk@Rk_fQ9vZwrl|5#SrlzmxK3s2fRb{~|L z?~V`EM)~H)_=uiR7TFtk|NDq^;2t=)MTt4Y=9zy>XaN_*yXk$~?-#B8!nUr!f+3)| zo2POb%O`^<$X7L&NQBS_{QYu|vBB@Qwq|Qz0mVe6f%J~8Z^SPFyv;`14dsr;5$SEG zFZ&*;;v}QAj#c_p#`%g!z85+V8b-Z!aOxx3i5NENZod;+l3Q3j{ZJXPL!VK`BMnOB zqA47NW}omsXWnU;)M+A5s$q6O?hFPiAa1fS-@-D>fzg{S3o-KF3vUHtS8y52t*nj> zpLLx|7&u|lD^W%`D z9Jr_BNGUNq!UdMy$x*7ZTRcc{zdnyaw=DvP&>RXsXCFV;R~ 
zddj`o;`-8+?xi_;y;^(mL=7J(p~8tuLxs*)M)E23+6Hevo={i_n*7t8L!88_p^ynwQE9=Ae)eY^|Or2)+tN%ndBy zY@+*C@jmDvWN>3clch!|kD)U6~Wx3+EH4kZQ~1H&En zCvm@DxQJcms{LC|o^VkdxDQoYeUNQZ)7P}^#K<-pzSB#U?g98t5IdDZy|zHMvtfxx zyGr%Hj|j%H$f18t=yjIPeN!1sIMjra2ebPSmnKto3VSTLh3yC#1$sOx{ek7OHalB=6MUUuhYA(1leJn{u$ z(zkSOOnH0u>}N*!Sr`xm54kWi0T z+pa3MZwI_gD1t0Epk=p)(eTopn{%ZjA$i${$f78{^12en))ErfLZ5m6{`9tXI11|3 ztuOX^`{e%Hg4HB1LuEdV=;^dz69q!u(DwK<%m)1^cknEFNCUa{Q;SUfn4I*0!Tu4F zs}#SUU=V>OIRAs<1cA0u%${crR>|0+x`S$<17DVa!J{*#(ZyY;UMz#Fpudj~Ob?^D zSl?>t9xm6E9L7)}s1=C&x=})-dR2Y@5uS$xk}i5bRA-RWf2!lDd488wS03<5UYOd3 zk`~f0#*>kd?4qQis=Ki}JJwbF^7n@cCexA27eW@Rw>Z?|Zz?`54r$a1Es!EPadu9` zzy3)rG9Eti*`>q5hY(lcpCbs7Unqhih?T$*qTG;lYRaC1lxIhFE$9cFhckN)V&GX9 zV9VGKI9FVY5rcSmw1Im*0mxHe^fPkh=?ZWcH009Lee|>Ji_!9rTqn=wcEWxp2h^Ls zDxo@d!)+V0^)K==87ZmC$tm%!w|v@EZjR|kL}GV9N7qU0HZ4d&H_D}nI1a7!8=k_; z6T1YABbST20Ah?*Iqu4TzSm)0-3`}xf1tPH1IarMpI4}8h)xZ1QLs7kQ4)uukf16&0e0lQG#JKF!dx%l zAUXOgBbt%O4-75n4VqU^r*dSWku8Jf&h$Ij1Fi{OtPz6%gni<81=GS%Q+6j_et+kB zCvv%_MX$t>U*Fpo5bqp(|G=Y)XS=JBPTeKMkm36Xumvvz|MMzzijZ-Mhk9+Ykf|Kw zTy7P-3E>&aWys~~EDRe?w)TFj?k6y-W~qH!i=C7n`q;lFylVApZUuD4__@^ENrJpjMblJ%k!|0YF0)Wyx$ek8@UY0SKLsi{X=jU!I z%G(q8Mfe4-V+D5;+{ToE^5Q72t7_c`@NnZ^ui3xeDox4EEvF6u#X`toVK!k!%yHYJ z6Si|)jqp&p9q~-7%b;-8Eve8<{-Wi^jfQ~?S@`?sR9#xfQV&Zlcatq95cT5)KT1xU&eU9t+c{8=mP}fA_6biQn+B=B@H&QgY1IRI#C6z(_>tAxLmFB^eg4-~pk_ z?W6K|X&|)mCP5U5M?m&5Y74;ql;ec&siRwUEO@jtuDTx$FS~Loep?9Z9t}loDgq^C z`e0s^aGTpU-gw+L(4VMLIK92St1EGpg32&|)K^yzEDr&-dJDw(((d}PW)qPmxEXb( z=q|Z<16#zcB(u|@?#1g;KwF}bsyYv48dly&K&ZmhYNcMfQ+a`zRXb}?^b>h4H+FU% zJZlHtWWQ$H^NNY}(&^;JD-*~^B$3Wo^}&Ea_`liP)iaKbmKvl3Ip`yAy(nz@6whq4TDTsS&cC z2MCDqPukC4&?3WTPVq5gdf^Al&e9TzY7kW;5X{@WO{&IgG~>hm$!K`fS_2Lyc2&r% z(p+FV70rJ2B{cF-3u5xb@?(9Do6_>c1^bmPQhZmYpwB(^Fzf4sA^XW52h4K_*&JNk zZj>pvd)ScfNa86*iKZ-Bb2a6GiIAMi>SoB==S=frY_~$EXIPqyGh_PT;^O?|DKm8P z+0w0{2KkPx3#o(^4NhxSf4xQ9&jk4xiy6N)4V2(AOF@ds;_E~AoUn<8SU_(%dmQx` z6#-#WtNRTgp>6S~9|asLYAtUJN9QF%d_YTW{^~ks>f{}0pKvSm_1F*g8VsXtH 
zE&K_v9FegT=fv*2ov$SwpKvTeV0_q|br4vWW&XN3%y4jW@0%_$8-^WWZZi*+P;2j_ zSNB~E9r|7j2BA?7Hsnhv!uVy&IruiY+n8lFb*uIo-*!u4f1T4)R=-jvDR((}t&pT1 zR`Q(skgh{0DMatLAW!sv+|u)sC-pq?1qk@PzytsSpgz8b0mW@Rs`*I2Oj7m;Q2-z4 zKg-%5K-unu??^bxB25N7c!L=q{sF>ThKE-*w(1*086mG8gSk4PvHU_Xq2J!tfu=v@(&U4j=d6H4dOilSib%c}Ec9{Sw4^=Uns{ld+aKu9A15)~+eE~Z z_OpwKDX)5xkMq>08@56GM_U?eN`C2~`v>5Y2@ zxsD~K4BTbCFhJn(>qLfA=Mpn6ietc?j^J!~U*6bcb3<$V39LJ9O`H^P$TsMH!h`_a zBON~K(j4c{TmRW*^Ec521S{ejjRkHwVe+$Yx?JyN{-q=>%0G}w#9mz``KmNaVbqftSLRj ztS{s=`p7{xK3~pHytVv$u?XyCE#sZ))5ncpkMmjefS;`&bI5A4oYgvuhu*(mIZ|23 zvQwEDVO=THAIml|Ws`T`NC!lf!02!gYMvk~R$5+Ao|u4zg+4dG@k5IUfiAnbm&2m| zLPw?F?lPW@60jcb%F`bKdTLCVg@?5_D}+3YvAVGGYwM$7VpK4?|7Ay|E1jnZfbj8u zt|HYLBI&^&1djm?_K~&9Rct#O@~w1GCL=<+02{=~s@0T_TLjP8*9n}P{kGlBw`-4_epf8c-N;76$_+ZLZZHf)gN3( zu0!K>4$2xxXqnCj?JCvS$;Wpe@-4KfG`%7Z=1p(JFpzvnnqONN_rJl$14cIQc&^5w zWqV%mygj&%wzgiapPPAo+)jG$GQ18w>)?mFHoHk9IDyfpNk+JxGktKpCB!%>^i0!? zL)LDHLF z(^N)*agwfeXJWLuQmA7IQJx;D@ujJzkiT?U<60g^rR2^gesj4Pf4c7sr`pC)bm-co zj#Eod?U!Uwdr-=Hnpmnlx5G~ZoLNrs%>l-h`qL{}Mx)VbGV*H3->Ev~JAU3ZFnltO zwiE*boX*%JAVSf%ln0?aDyS;sk2a;hG^OKcd6gFN`rx2D}uDz83WpCeCyQY3DippR4nx3(0*NgF5 z7IXs(XPa{p=jmS@7)*BHfc5CY{^7W5zt}+5qQ3yNFQKMfEwwkHf4xggQ;=wGS@xz60BN z>K1T)Zr-@OrF3@yxa7ocs!83Vt~(G32nU~%tq{cwchqk7)gv6gU=v0MVS!cQV1flu zZ6_ooR8M3cwol=usv$pL^*9?>5A6_Rr8f|~+B0kS1l7a|C2Wwa8GZZ)-omrjcN8#M zFpQNtne}n`b>`mLa2iX3_JItk+;b?sy~GehQG(BQtv6?Tp}B;lx+`U&PaR8rP=Ovt z;Xe50F%wYa*s`)UwWQx*7_Br^Lyf@QVQYeBSLI51jBEKW*FZoWUb&KC%^aguP&(-v zUDAwd5l{bm{?zN6dfMCAA`KJgPUssX5?z8`Atz3s_5^t(w~MFm&}KJnDj@q-YIC+{ z;e??0$_lyy1g#YHN#Q8~-!p&#hnFJU`vpK~M<{j23=M{Z^N7uiu-syQeIFqLDgTMK=@avZ*j>mw0nlLM;Ih} z4!Ct;$%NcO#=3I1W%wjq;Vc>~T)ck(vuN?s(9&-8<99Hm3ASM=B*^Yn>5u}O$|p)< z8{QpcwIbKatjg=0)4hf}`wBf4iRIbYh!F$Q5?%M|)^CyNZ7o;W5&{Oi&?wYh)2XX- z)g4izJ>HCkZ+lJ`Gz*eN8#f08`yw&CaK^{#yXB3eMGWp>JnC9*vr$GN9dl+K_fA(O zNcXHDw7{=EW;y#MISf;$rl%ggn)y0FXZ{c@oo=%s5L)Uz1{lRmAQ&0$6LZ$5jM*DTv)Ho9d!0t~b?mmIsxRc#jF;zKkDGvMVj3m6Yp zbyZp32w?0by9V|?6SrtKiO(I}t(|hbarnfoune886513=-rf?fkD7Oq;nD 
znKH5GY9HJ&kTXHd)h5}KgbV-G6;|=e-rThe5k>I?*Xd~`7=(wxWVgTWxb>rb`ORl3 zGu$3rS^QEp^Q6BQN6aFApnsAGTI8b?%vrL}AH@e)y%8B0r$vXtl!oW~o@`%}RVUNp z&TGuows+>~&zHC@$S7>}5Cc}rXRjcuA!xn?IQZ7a?!c=*+n@OSBe^*yZdK1|u#l(D zLzuNR14yFT^)EYMoDI275bZc)BZ@Uweq+H*>Nn=dEpc{? zcl4W@S`mEWdQ-C)Ly^0n_zc{f?&4@I@NV)KifvK0gxhG+d37U0Ew|RwY6diC_RJA} zsNf9>jFsMPd}4Hab{T^kBJ}Z)%1$5f{3jC%oHn0#?rWu+T5(KfsmykOz4_P~Mbfoa zWTz4?yhM&Ux;EhV9&@Aqkuz{sulmA?E*Cg{j2q8-P4t}@-T=}QSlo1@VM440@DG1| z?nmiRUL+>8!4X^K{P66t(o6fXdn<~o>p<|;)zBtkbm8P;bw5&X(Ab!=gTt+g#RdwJ ztmHqdA5)B7NRKP13+wBQH&1ZX_Bb>)9dXyQSt&7nPWDo-T2Ja0&eMV7rG`U@nHTCu zG9?UX!tA<#>$pk)G_;!@SJ0cUlto>E?-EhXT8aQMx=AVi-hBV}Mc&%uNhsQwieeJl zYk!6ZtW)p+Bwi~QmQVGX2Z9uc4=flAWLZ7>b{`{A@%vTP$X&y-NQp>LPlZSZ4u(Ad z=Kz$3#ID?jx?{YBvve8CmWL30$b-}Ntf{lWsu!YPx2#GSAb?6VgFnOfH~?;Qu&`ag zhQJPn*ixQSfHwoG%b0ytBJx_ekR{+Pjuc~A=_CSbYp1v_RN>fr)P|E3;wDT+O=If` zdAG0PQ-!|*@Jn3Ag)CY(pQSRATb(H`uk`HKI?H{jGqbbDts6duy_`xr7^s&NYOB*^ zAe3i5rTqcLp+tA2*q00zeYFg+FH_?)gFsLWI!v5U0db_*6J`8*XSbiJJd)eeV>)|Y zEyDishiC`7dn6StVSGE=kl<184FeK!h_Nq}DJA zOu>JXMJxoWx38O7z~7!L;a*YBZ{7X`o9lnzArf2(gwq7gwQZZlR+82X4;bDXtYS4# zo!uBK^kP{VPz6puhdohEL|;ejQ@`GT27b9eR30*pn{#RHFe-pfQ z_7t6W)7wja{mTEdArOK5itr2g+4lU8sbZdiiUcybyGv(D7zbYo@F?jee(H~4$A<7N z@QeHZ_n|I8orps1{k{6GUtq$LM2Y0%PtEI>2=JT*0 z?m>UBWy~KjSOM8tjQUL?+ zcfh46QgKBw>o1P3tASXhWKu!KGQM&7Z4lZby8UqoOjw$N%{AU!B*l%Gp}>AdLZeRK z#roF+Am~%<$NO2evDmnhl($V0NCI?JU!XhRB`&TlP26e{$mdkz1l!ReS&$lhMP2oD zhwIbj3Tkz>Hh6DHeBb@&MYzEDsthy-aUj6MsLK84B@oJlU8gb8MpTZ!eTGcXG)6@i zjw}qlxFDO2$#G)%NOaBFaIn(&h9LHK|L<1mV6OxQVKGplLND$8>ta#G!(#^d#Sw7> zBwGhzAJo1IeO!q=_p8_)HyjkGNxH)Sxho|6${_L5To}<6fLFE4r`8XJjh+Re3o#lnx^HE#h!ne2@YLOfbgyOsI^(>otki zI-DK`w-QcLIv2xB^5)Q=@k$=h2&{E5X=?=ZQn7UliSX`)tCi-4#JbugDU55b;hTQk zMEt%o*Ga)6o|~Y#LGHgmJoV+-o zO8!Q8YoHo^chBTyf=n4&k);pFIY`i$B$9s}A^a7Bn)tUSvuIsO^642H3UI6Op;oY0 z55{cO3aFmoc@U0yqHDg{V_X9@1n|t?UmpM&K+9)7#4TT=UQF22!|w9ijm?BZ2EHmX zDoSCv&G2J@9VG{>FPFp=Mim`V_+aJl|GZ#tp@<_^0sZGiHlp2$Nf36yLrcMz!=Fx8 
zw+q9>0a{2ue?lbQ)UzC}br4|)pSa{wpI@h{&Z4zo2npxR2YI9=41%437z>w`nDqx| z58OT*8yA*1d&)~{r1)rZf42Y2SV5oG}jt66OFjyhZAuiSp>U)w0CeML<$;Cu(Fq9pan z4I-vh;alY_J_utm#t+bx?|JI3mBe*Ta*!MXLwkEG$uQv~3L5qe4@dN07Z%@%pZRh~xUpaXgOB{1I~J+ut7K z7}Ah9j2Pi?hQS6Ljd%B2@vP0!qT(e3b;;Jx=L>yS|DxnG)KDZ~aAqM;Mepx}p!)`a z8z1%@VQJt=_E++IixLLE=wHn5f5|Tn(-WQeKQgx1GCzbz_p3L0WyDg zZ1*}s;>`UE8F{Kq(05Q_i+(-19BGO%ivbieT5-kAUgCrK;0T1_U?X{G!gBz>(3Qpa z|MrmxTd%+KaU3x)51re=f%GBl99qaGLmTU0z>zRf?ABKIvRS7IKWPytbr2t7o_^KbBEe*?@Cb(T|)8vjpyR`FX{1*^k|nq^$-&-_?^ z5%A}Hy~l!FGKmon+D%aQFv(A)e53Z~HI;|>sxK_4{NRQ^^3r28<1o;#p2=-TPQiXE zZzeB!VE^&x@80tib`lr@aRL8$DqnFtAaJnwF!|Rb`D}<{44(kXjk|ax5Lc$NU7ETK z@3#NTeSDJjZ_)ZIU^rkLG*c@*cKlQk0GeTlt#^?P{penS5aT|;_iJLDtWN|A(Y>mdz?A8-+3lcwTRO>8WD46Yte=fLurX@V(U zd|8xCM8vooSwFf+U)6>F3I>(C$yav!-a|DR+{i008( z1{3Ns)_oTQLR}t1Heu8LBnC5wn6Cu<0L3Qc`|T*AES5g)XEgmJB)9MW*?lL0ASvwl z&iiL!k%DZNln4Mily%P-jsZS;UNcYGq;HiN3U|!m!2ID24hlRrQ29`erZO(+tEi1q zVV{Mn8-5d2zaoAEEV7sZ^l}wV9)v)FSeKUk?HGg{7<_zl&txrBMIhuvS*W=utZ=a+%(kN$F>ga0A1Lb9h&MgfMmxw`cb;29RWyk32AK$;zdz)RiOU3aOB1TQtoy2iR;7d_I zc(c=0@ZwTdPyFjq0wlznh5rR1b@^W+5)=g@fq`k=K?a_qo=jd3VD#VbBv{NLL5%M zB2hMJFh(foNDlmYBC8;=cj{pI6?LTjl^-vV*z!=Hrn zqweKss*JzBYSWtKgQtkPbN!k%J6}=fQ*Yjja6-v)K9AUC|E>K7o))nenNKTe`DuBU zym|A6a3vuh;Ui=Z$L`TUy!qF4#u$X8X%)qPt0GwG5>Qot3P6)Lbm1F7i4?nxV{AGM zdya&&_@0t2M>Zikw5bdX=dj1|`iR!@B_0CHQbPFJ+;h^$(c?~VJCJ;qiG{_ouTwDr z?K-ZE=+}VnuJu|tfk&bC$po)}TFZv8Tb!FhvGD3IyamXBDTu!RhCsNAC8|umW99IJ zW)k;s0m>rL6Pe6?Q zSDWPz!^+@wNA{au#cCNlJK@j++tT3LhZ$2`?et&b7iuGUgK>yoZz;NO_|-dT7b&By zyPc4Z^7}+Kk}9AY*dS)-q9zF4%|PP+$0H-SK|EActWj+CTx-B(;gAvberInAL9&+= zF?^I%(EM$SR{N{}H4*!)u{smCJKmO=^*#m_aN1!Y@B(DDo6XQh1GZ~nOT!X`$ZKR9 z#Qk~@kcZ9)|9X}`C2L*lfz^Pjqkq=W)lkK037j8@?0)*&p}(iK5=_W}Foy8?z0Yc5 zz6cXen14y7G#*2a>D^Q+tzfHje)s?G^;yCPPyP%uA>RbX)~nGbK@4LjE3Sh$8Xt{% zxmDk>WnO0DwPfjCEBC3$0N!nMvNW1MEVDNpcy;Uyja<5dCZCwjaeYAr{YMI}>52F6 zUQhb!uukkp!KZL}^^Sv5DDfrE2|&QXnL~GDq;R+Nxk&!&0CJ~!)((xzf0EZ zRpvG3`IY2OmYz?CbsV-fCsp`AOEyGLaMuam 
zG{r~!VSP>^XO>n{y?$WF98#m1@2h7Rtb*ss*E*q{d!DTfto?_CdVsFkDf zaqFwE?mU#=6d4tzkXA2@h>A8nP@}^2f$A5L4DBsm?8TehUOvtL)Sc!= zxd-*h*RsWVTlK@v(LdKl?T>a5YTUTS&CR3lz=(Kt{xgw%?%N)XKscj%T~sN0M%?*a zm;R0}-Y$JFJDCsMlogU#TO>~_OC#<5_s7tMQxder^7t5#o56`1e?_Q~Qp)eINAvVC zxB_%QyLRrBC+}8=m~;YC&;X6$>b-K8!-m5QC_3&IHcFgMRqI=W?S?p@j)*ks-K|}3 zFI(k%rg~aYR?Htw;GpngKi92U-?`K4?@t1Y?Vx~wk(O8WVCQ>#dlh)QOLVz^Y|!SX zmZj-fC;h2Q|NF?XQZjRB89=}!MURN0*&Vtq&c*ZY|d@0Y@ zFV`&3cL7{KCbKX~t$sb-(}>uwp#GH!CEWrl!XS-0I|vbQFou&vxdlh#t!6o7X(Wh# zMu99M9YELzw370?Ce%Z_1kMIp#eB)rPTD7PYvOJ$@KBIkGoNm}!>VXPCxq)zt&zyB zmn}&q>%4pFs<+jvO3i6H0%c<2*B%7Gk>oWZs;8$1?2xe3VKfR#@gp_vV0%nce8fJ} z{-tU{4daK*4Wlvk4L-mX16nY zJ>tz0yVCLxedA|kiFg+Pr*c7SgHlj%>V zcw=G_gvL#tm~Oh^#|3J1WS50uHxVRJF=KZ6G%-?ze~FGU^2a-6A*~Eu^=LXii!i4) zx+cE2=9%(Nm-Y_5`UJt?kF?3l_E0^JLoq#;4T}wL6(#4b+Eh~MG5+in!>iaF?J_Sq z^BH@MqA3qq3VMwvFdvGGOP694)Zj;&(Ei)I$dLxZK8QIT9!^$;)maUs@uXSjy#NWp zXE*p=n;cXV*ySyFxLpBPX~?LqfC3Nk+2U|5XNTiOT+tpp3}Gt5bX%E@jt(TP20FkX ziETP|_?swzJ$}4Bi0Z~O8%bDMO-)Tn>GJwE3}w8%epJ@AxHq;?J5bt+^U3%3XKcj> zWsLB&`1y)A2ed*amQ#;2K#0XvrMhi&cl`J}*mXhv2=aNRH%vyJ++-b;FSB?qff_>9 zmU5Ttzx@_wbQ3U@V~>cG6m7@wZxn8%gyo(XB(Lh%l|3KdMaiG^A(YTy)T+_^1MX@m ziq4SfT&(YRk7TDf0U>Kn>?I6E5sSl(;gg}++~niur%^@w*cZ6$ekWpv9u)}|Qxby; zrEVADr88rEapd}9 zF>}49Ko}PAnrs9t-@CQ^ML7w{$=6Eqvd1EWuRbQFT2C&WE3=dO*A>f=0E0kDN%pk}0-Yni81klFOpXkJ`o8N$zSO2OA&|=rgXKU3hH)7x;3T0XFJMO|-SHWRiHDSmG z88&SA0?W-wJd(V6>2#R1Ks(OU6JQ{Z*$Cv#Xc>ENQxJ_wO%9{#Mv`fP855%I}eWljpd-u5L5PUwPlA z(Q0O6&&A5hN=*$7c2kp5Sm*3J6u!vBQM@YMH~z1@xdHtOnOiY^dPC$LH zH;kiMXd!zq`LFju4IpG;tWHQFttlcVMk`ZajN&Z{Z&arkD}+TkoR!|Lyy?E;zn>IC z2l1)#E{CJ(n6~rso=ATeiqYME%BKSo2=-QIO_eU=!tTK_;VdN5+0D85&cSI(At z$?qXT#o8^oa+ik(!wlB{s@-&BGcq#Z(uDjGu%?Id_XimNH42?;3slL_zR!ZspTz2H zadAMVPZ+IpxP4vL9o?)gbdUWQJs*{pUy$7RQ_3V`x0Rh|+)4eD`Gk$cy!T_|~^VJQnJFqTJso1`S+KR=9Ro;VH2 zOjznPgFY$Y;V3L~MxQ_4cyE0=^D&zHlrg@1a@C15U1WCT5@cuz62T1e;5V?)a26nG7ejpqoN*RjY@1I(>Snv3mea13L#;DNjxnr z4K*%J%GuATr6Go6NQvFLeS0s0eKybev`Lk(Q8x)+U6dYf-yVO)SO%z?y-*w55$+KR 
z`;5sAR;*v~$kVZ0p^L|kS>njUx?4vF=oN2&VK?wior(Obba#rpd2{ZgRW{OeKP0<| zl6O~2%&!0M7c>3@FHVS!&n1|i?Z(6#K&S#FjtohLsSm#u?>=H!z-Iy*8emX6_$W3m zAH!6_zzI5L`LujI#F=mHMG9%HdoB#>!ifbXJlr7Mpp{ohQ!X*rNO)OOa}_2eSStyI z7mOzH;)(K~g?7&h=F7?DhFzj|n1v8+Fk9KW$^S&@NDs7=jPdsJLGq#KXh$1qg9cMN!QICXNh$K*1_1#NaC%UtB~O@(~2Jc}4)hA=YQQQOQI94ZMXT zuCS3v;i${~VlJTeA$DhnrJrY6`X&^w$>M@6(+^~-6|M+cU!iriJ?^(|_}kpMkMurj z_F#PAwijpQqI7J-v;PK)I#HXC=kPd@h=kEXG-GOlXI#*NCr26)-!F^jaKqDIsle(T zat&(gK#gtO%dcoV##+IX%0=rlUTsV)Px>H7aDC8)C4JagULhtWWhiK$Icd<$jo!Tx zkbFQuz@0mHz%m9~9+2r$wBssdV5R!T*r4sDpJ2C(VY5%VaJJBy1e4#34sHtL?YPOp z!bhW7{x4r44=8Dh#oHth&Gd{uzW=lrO@i=}Pjix$yF8913K3c3dzJ$p&DD>vTrn75 zqb9T}Y`sA`xg@!Pl@DM7!sj7cKc=tGY(UbiAAK8PXoy4h1*ll~*}snJLWY&0=dysns| zf04p#Za@dsbk}MrSlWVUA|jnokXeud2x5?`PVRhvE*vo@G}Wh5g-nV9fN4P zHOmoB5$0@)sI?W+w7{I#6Xj2u{~=Y?Zw={jJo#&LEu|@dX6TmBHvx<&xTh@c8dM9PvFKgEKmRJvYO1# zfJAocbmu-yX_W_T4hV0M#;}*4m%-(%(-omVTf`i8NX@YFxqye0Vfo01k~pSNB@9@J zV=nL`F;6v4ljY8lTi1e_J!0g7c+4jf;2UNtFJA?EO@Z8GeV3)3M4{m^XHtArjiryO z_5c1+cN05{0_ivrVmbLJtQ=9B0VvDJ5K!+{cylzI|4oBRp~%m!Pf+K?_6XXPanQKFqR2 z{P~zi1ZrE>NvqwIcw4thF{=C*ZnihHUC`v#Y{7=iv8UH7Lb;y z=%%O=WJw*~1j(>x_z#P2TSxww)bN$hrk}yDTh`6|geaxtUb{@D5eBl6Rqk8prkFLFy9zP7I5tJQ7R zOTGsta!bPgz^t77Fwi1oc(gN6bbf__zky(OHK?CLw+bIh%((X(-zs-ra}%J7qO zAjn59$7lx@Ydk?$gIo(PK`EMLxgF2u#yUwpK1&3eq>5EFvQ*-zt>~m10z?`5)|?Zg zKO3@yMfs$Tq+Nc?v3yZgPmBu6R`2q14f-sf08=juXXhzILU{#Mtbl}OW%X<+K2pbH z$Aib}HlR+0Q-OS%NZ*aK&5ur-n+G!q_7FWd1g>Uvqu4vd+;E!o2+6t?ueS2NtTGw6 zVLvbbkFI|l!-gkMVg*m`21eu!wB)iJ@(tv6-1pCumJW56c^o)U0pU~HTUUqmtP&?C zXQ&^J0nCt3TgyG>K-n0w{u$(Ck6`%^R1mO1U8ucr%Q`Z$(D@b{InM1(=Q&>J{{Os( z_s9-}ZzaFB00#%zj2gfS5OJI=k6Ge*vDfA(=2@ZDFcQ@mK^cPX?+N^-v*?Q_9cIVs$I)uiy7R;o)ugG$IJ&UOpRz^msO-`wAUHS0D%2>R$Ri%x8zqNxS z`MAqF)4VHoZ&q4#|$Pp*7an{e|4je#Z?w!CX?326a4j?W-7RtaPlbgjoXmX$az;J%7H>ef=W@vqL7>p$4Si-(D_xvTr{> zGB8C2baIs>xfm~#6@1=Z&GtR##5od-K?LAhtyu%|K^6KaDkcGnA*y-f+LrW~`S)kp z*)0a^RjFelOAhSi*nNTH#s2@iVF@#6Qo(&Nq{yFr79uRN{m6FROi7>d2%)otEkWV| 
zU(`9Da)ei0yo*cWeO?Wq0-E(3m4{?O6Pmzlwp(su9QO*4w@E@j<(9qYD8$Q8@LqHo z+P1oY2F!k~xtBYrVbDy>KB`?gcaM5v9Q#ZQ{a4aoAehi6mhvYiNB< z!QA5=YVkDDbAtKsZ`W>i^y%*}@JY_k7kI1seJeLLs|3j&G+04vHUbiaCLE{Te6e^I z!TuNfTW5v6PMdZRRAV+H{C^m>%&`5+U;Ra%N2J_HvB`OtI zu)@$H=@>QQy4M3!q;3Zjyk4Rqj^nX+9(^t;uwgU2+dN}8OF9dOQCOH-+=6zpU-aR7 znekO#&lU!M9OZ4{za!^x@?hlJAAg5yA2}nJe^Q`J4ba%O`=sL4s}Xl;0k>7mPz2w= z5dl(zGF}ADLEn88ah%-TdG)xW`h|8|-E7cSLK1koKK|9K6ZicX9ij3?iPnh~P!~Kh zJ;QkgUf&)d*73L-=36pm*qWM}o-nU)>di4&c>{0myYUNJIwHTo$|2fu$m`hZf?BXk z1m%p*81&V?Q?(3P7}H|Sz7?Tg$t8(BfsGfv+P>)t-D!iI8D%lHZ4=Xf`p1gz9#T3n zy$O4*%bt+^;zUX|e7Og0{u3Up6#`F_344Z4b_b9!DmGve+91`yv^eG3FU(!Mz-8hzz?U{y zX!58C%qoVZfU@O481CTeH)cR4ek13_JiLcETW!ov9K}MusXf+`up@YF9eqkJo)iG}Mgs4v8tRDBiBb=dPrDFfya*?_Oe7U~cce#T*1( z0JO3~L?78qL2AhK&y$+%wG+ET-?ar;E9Mx%UwzxGzoxDi{NOieKMU`IYY?Jj&2y!k%d%4t zI%-J==-wmGm^I1V-fvLE-f%f22-~ETuVIq^A@=NU+vb(t$Gag-EQ7-2Bs&GCt9ePz zJum&rT3$|0^1G?Hb5}iC@9XXvjhw?59C7Twm`A&um`qR5mJzlp_epiVO29ydQi~_G z`jPfOG1RaYS^G_B|Gk20J5!IXdS`+Y)34c`{K*@&g;B2$;aUa_8+@ya$QbJ>z6r#4 zNVkAmhGa27V`nhL$Ut=q!)xD7imhCj&jt+ChE@ z6V|%EVBOPlbjyiD1vX-?ZeMU0pNDRWyMFx%N&?;V@{fKSdFuQ&tjxLAzqrAC_dz9h zRGs)#0yAHXm4MM@hK1 zZ?A;M=cONYVSc*`NPUd+!~N_20jbU-l{_ zArXpav$FlpSK9CUeSbd3 z@jH(1Ki{w8{l|S@bdA^bd_BhbIM4I(^h&6dsp7el3=+io*6FFJ*lKOf^$actVQ7Ld zI?W&dcy(Zr8y7qKqqu|VWnT8;i+F8q^%OKBEDAE-DD~2MCn#?6(vOz`4Rp6P`+xyf z2mvUzpBbJdUlr#Q6B-!~_tnc}-y|QB@Gj!s3BgL2zZ;7DV;M+9z-;0|dfz{4xZ8)) zMk7LUBOIRqzZ0gXJv*kbYmcDt*b30Z(`@X=*onyjaH z%S%cINGw3IW{x42rcLQPd1(z*i0n>gcfGWE&mInOofX=#PbIJ(pm=tcyZ)7JyH6Q) zyNIctV|M;EV#TKP=xMk_k;lwtd2dPfMOD>V?!#daCCrzcNl6gyc%%vW>4F+?7IgHuNI#Q0Er)cEscBXb#|C1stJrX^ zZ!u%oBva)(j?$JHm5gU6swB=X#Q)#FciwM(#A!FX-}?wj@pnRrr_}7Mz6_6UYhX6T zI?k}FG4$^I+dB*$ZEVCUFhLO&jh#xm@3_V3?La6dQvB-`n>H2^wri>8)B*~gUcJJT z=as_sj?Q}!0j4(gh-g`^SI=@^mGSrSj_wxLC?C}1J0~nOk|xx6*gE&IjYLI3^1kf5 zZ_ee=$)d)oJRs%Gb;`MC4}~I3cB7hiSJ!lH^n$$zC>FECCceWMVZ(|+L{4n(Xyc@; z7GPIgy*lK*>j2PBGFiGIerpu3NV)EdVj~VU6-lo>2kCASJ{9&88jZx!_H^^4Ojp~o 
z<;!f2?;XCL*Y*Z)$X8RF<8@!IF=D)IUn?KtGb$v(yDh`SwCaZQpQz+(&*xvkW`KD& z78RVrD4X>>f-j{rDrbTU{i11f#YG%rtBuY!v#56)_KZ?K(N-MyQ5trGAs~2gJ(u2V zyo1H#ITRBmS~G!Otm`&Zyob*q&h|htd=}9mM}b}U%2Mw zT5k+W4EVTin2CGKEv-)_3m$o$#ye{&?UoUdu7vpfCSH}Ua$PPYJXzp&k-N5OYQo`t z(=C7k3WumTtOgtm7DfZ7frnI$-+Sz42wtvUVlcm(h3jUA)D=(PGEBc$Xho7}NKc^Y z8=xNQctZC^r2=Zj$0%*~-?(`>i%EeZeD=UGly!B_U1HK4;aiG zP>q=ZNP8J--zwzg%bqZRw*QGQ?T_K|>kD2c6D`G5M8p=0)7o*0htGC%rXOY2v~NO2 znO)tCO30B_(G8|sIo|C5U)Cih34sw1;RFi{V3a>4#V{3J1aBV&c=Bz zp7m$TrQ;%hfm>^Wg=5oaCU$<6}tyH{^C6>v4a zZhK=PRKrsva=n&^=YE03^O1!&4ZRd!TgA0&!+JBL6}opXxyFBdT!IJ4^fld?*Qw1G<2s^Ax1~fG{S6o!dbhGQ zeUH1Mfgk^5%EVEw@Proy!XvpnGHw{`qc%dvy02asdx@xPEd%fn{?}Y zD@PxKn#Z9RItzr;QpJ<_e$fCMJHlQqaRr zB8qe@cg}FX)|?gQleX`aBeuG+Tq#NOPcidNaH{V63<_Am0xc1nt}(oxhu#;bccIr`c3HZ0G{JmoT(Q0n^Hj95cEfNz~?5I0Zp381;# zw;flx_AQ2%Xood4pC~UY!=zXzBY!8?9w}V!Gt(m&Ih&_EKel?;(z}U^3B~|9r}dzd zgWem?wn-O@tErD3nrG0JC3$ffI;PX*sI{>XN|IdSLm2KIsUDShs5 z5tCw4%DNHsDUBd#cV1K&rZS!~C@Lxf^iR4S+gk121rTiSvHUVcDeRF% zfiokSf`QhT1^1D`r~GHZW&^ViX5e)IGhtTf&{ZQ4dAcE{2aTA|3-y`4cj!M>tXNUv zhmsN$+f7RuNKZ|k_7L{{FfPC-5d9MqA9OKKcJUAI|GlkC2|{mDa_-UnV*ZHtm-Vnd zF{{#~prEtJW#Woe><5;6VaqKT4;+9E<2-+~FTT%`n+o?b5(SI2tg2+lGUWib-s^jS zt@IUzSVNto#jJT9HP5Gw-5rT_51}}gR-jkecD$ZRb9W;9Qw3wnR~(bo%A18c#D!H2 zLokhv^l!)_>3e-=)1`B^JzpQaV8sXY=AU&ud!z)zCC)lbGHr9e@L?D!{UwL0{+bVu z=SX8Ye0)4y+bMq_@F`3ePBMtaE_iFWA>Td2>&8i4jr)74peT_l6j-!}AB9n?t5yR` z)vSZ&k?!+7IWe-`#7Z^sEr|GbUs|^$j=)FY3Xfuu{^=D0Ve?m=6=HoKsX1yNR{OPV ztRVKr+Z8L1_eq32kH0z6?C|UGZBf+}BXYQ6%D(L2(j_}{>9AvlDa(^4&$yzXwd3wy znr+jmoL^(vM5yk4gaCrS2wWZ26^||?bgYheJS5lqt-~_2#R?pbqxIRY^(j4ZPE-_& zukAl#_oThO9R==8_zf+bH@2vPu*{&G|9;-MYd-J~f@9-~t{Gd6diW4LepvA}43z`oq+2fQvGgNgL;eLv8B$cOBOoc~RRkr2$7Ms| zH3zJWJ-60r-n=h+$Y#ppmfYYJ<-I}{L0O^_{W?WIFyHNh9rv1&M;F&#GQ%9XUfsYK zI`3<+&$d0X3W9I6##WfASy`1nCaI}pRmP^Dgds;33^mqWD=uQXT8)j;c59d|j6jZV zTW9uS2*!cM^p!`CeFl?CPY)v9$;b}G2TbGy_ZEXL8EU4SS zPl{P5D42l!XU5++vwNA0OcsnoY`rdpso!C=vC3!ryfK&9E6b|kY;oI#%}7up;=$V3 
z>TOZH6?ctJZ1O@D1bZ@Y@w&sQC5$zjjuy9-&Jm#;nUzr|3TXpS#c+pCpEZ#VSS28 ziI*?uRX?ChbYfkPf)op>MO)AK01xsEYh%1gqQvmyo>TY+;Y0pn-Sk!#vEJ{Tom!mK{W?L&lw1x=cV;mTRVDg^>xbfiNfy=X%2edE~DDJmW(R z^!Q<6fw5>K#w+8q*NY!>)Pv!%fUGh8IVGLnk_gD#pK&SPJK7v&CESsBvP(nhN@F0PP%b-dPt4)8CD04lEE)07B zSgWY6lq}CM*cFCSts8TvutKb5m0gVSId-B>?d^1E;uSGmEibtDiON@6 zQ{{5($ne=gsc0n}U~ek=4Gq(y6{-BV+wK^e4l|NZkJ-F?lMNf(62od=MX>vB{_`~7 z+z@4D@H>^0p>ot?e$5Lge=#awx_EJ=m4+FJeVD48E!%~fzEPi^_MCPk3t(9xdeTAK zeOM}4HKk7g@o_N+mVzg7KKso=kh*3 zd)`jq*C5tjL0YR=w+*QJb;=G9EXb^dE+ff_HBSK;@cRPluY8{%**K%HsEQ~ya#xD^ zStlV;fzx@qJKTw<-UWRhLf3UYn#)nmTO_XUZ;+@2yG8@v7D^lJex0%P_*enw&p&h< z&qxfSFd|cE?o>9QGCjOmdp?cL-g%v)oNN!v2E3`dp%anAogG?8@tR>^xWhX8(eZ`|V??Q;$-mhx-V_u_nZ>Xf zOy1af(E*!$B6+`TiMMb)Oi8_ADHrPothgyToWB$eH2NPR)%weq{5B^)XIu<}k#&db z#SN4QlUXo0L4lE0IHz_Nn(iF{7`}j@j}5c{3~YDWaQy_iV?m5aOccqQ6xhUUL|(AS zCww4DZMa3}+VKnV$2|lNHSBMH_s7L%SCskfV%IZ#M?or!iOj zbyxjHB7d!(16v35lP0G=Kt8?IPG-utnt#>co;4-U#+KjNFX&G`}vFcSZisX$RC6T%SV0W(|bpj`LtbBL7or9%j7W1;(#n2pO;v zua=YWPihU{qn|k9A7TJ%b5U!NKUgTszIy*gRXsq~-VrUkYT2^=!1}IxOVfc)!t+*A zYy(A>qPZwRg87jA7b~uD20SSYzaT*{(a@;E-LN@p2Z(!^PS1j)1a~ioxv~5riMQT| zGx0InpGTAF9#l9SHxCE|aZuW<2+-qZUtv4*{CUfyDiJuYz4}Z2?19mc2F5p&frP>bvT_Vo!7K>*dwD^(J~e`ZsUz_C6DoTRnFS|GuvM zp=9wn`i!4C$D#tN9M0%@X|#S9!?=*}@bFhUD-na!_S}hrZU=*l>2jqR0gZixp9qKy&O4(P>c@8zpM86eYm)Lraqfici zRa4xjTHr1VJ0xGmMMa8!zDtTP*vQ;lyO8dCjQZ+~1}p5~H&&R*UjueCQy`82^OBp(6o4KB34kE~2J#tjhR#9kfWW3W zX*szE02H8ur&zNh4qI>mh@#{m!fo0L*ti88hGuQU!KabvwTQL1*k%fk0x$MWGsSd# z5D*V;Yr+gaG}1W3^4=fgO#a3^X9rwNz&A`GxG{%nV%8lo!jT0s@wW0Y=DHn*niJj2 zt~u4OtllEqjnVIJC}WA8X>Dzow>|TrW9Gqj7^X3pd`y5OKp2x}cP8AtNkc;e31XaP zt+8-Y`!c!Yh^F)&4s8?lT-s>d3WaDt>?={dU@!EVQNugE20P=!1-2*hpP=mus);Dd zK+1tMW1;r;0ck-9V#^EV{r>A$=_w@A!@c>_!m$#A2a~MgzP+lLPlIDKTl<;G{ytTd z?D1tiwPuZ}mg)yi`uC9&op$Z&EA-hH-n{>fgy$>kLo1lS6L+YCU4Ke}AUizn9Jc`q zU9B8KO9?dz%C#*r@$>&z+)JKDbj;X~lax<##^r~Jcr?B`4Gj(0Py#~4*IuOuQ5#_k z1^fu{x;mp3qv*UUjzb5MC$I^6(O;gI9Z*st^tNPAVXMh zh*#;=U4o81#Hx4mK5Fz#CJkyQrpQ$cTb-bte0B7s5YHByURREd$S4|ApV_41Y)^ 
zy~*s%e%?5*p7UqZHH6&clHa=1UoJ81$I{se_}L7l+c4Qz-d}gNPO+i%In6vuDk@Hx zMkn=K*Iw>AwX;qa2f;Y2{6#?N!H_fGxoXPoCO?^5VCjQ8jfz7$z8oS1HMNq>(U&hD z9ALX5MUtdc_sT6g)FN-kpR;pq)qL=!CH=0Sv0K#F^JhvA=mG3UwGLz))~b-SDD+{4d5=hG6mW*3P=D7DSAoQ zo!+d<<#516ZFKjkwTr8pK0T};Ryi+SoEP9!?ILgi5H~#2uFU4400d=X0(0CC*?~q1i_y`SWyJ?;A?aNG)se7c_^=-=9Ms(K%y@J>HJ2x0Nh+^N`U{yp|X79B`Sjk%2 zi%8F-m`a=kyoMH+FmRX@iykSd76`^cvG-rtew=;94zquKZ+^2Puso^_!-KRB^}RU=MuQ_zr^8F~E9Z-;lhKDXP`v+F6+NPeDs zi{x6C*|Fy^MXzY;*nxbs{2RY;*Po-`>fmYMRYi~cmS{HyOrtL`ehCK$XwQP(11?<( zHxAm18hL zk%KpKj2i@ZoRI|orJY8u09MO24*)O`QWw-ISU-U)0a=LvhL zPo?3zHnaPgqs;^9C0Q;4g}N(arzQgSQOSXs2)wMvEgRAESpEoyeo|J9j$Yyn9iLlK zp*PeGZH-nRQaOz%J`-G42mgh#^A-wA&+)nbuKReHX>2_nedT-^>Tzw}{P~v0-fUsk zp)s4(Ni|qS4!m&TO#V@Xv9Z?0hC!P5c{*mlUWtlgd~$GfVXgvqmXN%zo`pxkTaO1e zfj4;lo(cY2;=H2`K30h_;k{d0YYIyj=uqGzvh?6M65lh_dFYgIsjWEIjeCSU)BQtj z(!yv*pF;=xz44O4}vw0bg|42eJ|pxni1Ty~7K=(&rjYp={Ww6e>ufzOCpw_)~C zUO}R$L`4Uip5UZfVw!k?=YxPPPp(ydO|w8b=$!$VS78%R<;Nky-e9n5<(Bj8s3Ail z&c6as3rWpYkKGQuAr}%%q%f1eAe?>!Un0~x{6vgQ#3mN7Y|3`q91&*E!sS2$XgBR> zR+a7E=+whiYYDBhaVs@*=_7`JX%zfai-881c?^Rq!!U@^sQmHzC)q4;bU54Gug>TG zsGya}-e3t>ub%F-#B}5_>T(sQwN4RTTXzOe2mg;ZTw9W&Ge8TlP247XvvC=YgM6_6 zNOfI`S?T-tN`agdb><`9j4Cqm89J7UvU+^c{1avC2V&}l?L_3mbWX_n$xP}lefGOl zdHyK5S4uxEdZ5C7%mw@*+&jpR#|ekRF{Q|qnB^K6Orlh-yt@Z74n^Wql_g5Md*^(nH70LtVK?T z9@hXycNo^g@kDTHxkP&|?tJ`57-UOY(ffwkb{mLXY`(EV8MQP9xoPkq_x$Q}mJ2kz zu+5TpSD^HxD)e%|AlVTna1vscxkcBR-%^g+3#eO*c5NYFoC3fZwo!SzrKpw7Vn%@b zyu7>;Z=-F#rs_Ai)6>84!@K7Y(IH(ovA@S3m{nZ3LRc8P)LIm{1Dd!^M8rb4?dvaa zUiIo(aPP*=E3)5v2Uk9hxUu#MbtQ{}pc>~Yx$rOtr(IW<)#;Ke5-*^?>==-t^(!o4 z(586dtyHYkk{uSt&Z+3O)arX{cvCJ|D$%TUk88vgr?sdHir9fcaCC*DjZ!+%6=dvN z%N{73E4X6CV0m7pvVHK4W~wHM7}`(J!Lm{-%U=3J%S1Z~vhZ0SA0jovcPiuvOK4P- z5vr^)V$cAM*qM#RJoR?qixQEjP**`cthU<43*K~uf)??DsVBnhH9L4n&rg611R+WX z2)71LPGiUhwgiqN=6^6DCfK^wm|$Y0A{2HWhcXH`&Qy1LAvpi@w^e33rAgYKh#8?o zKX&Q-dGAXrCmH*;Yigcx|A?x-adh6gD=n8WWRa$lBm2!`VhZhVtu?k<&pEm{3AJ_Y z`SR|Y2T2!fAH0HnYzTzBAW$eDwikHmv?Ffh^k}2i)Rw{>H-xk>KKzILq>K<}LnmwA 
zTvAX%H)e#c_2>YGkII$fu)phQytohWe0hYyJP}etHS>6wW(#=I z)(xz89aoFbm{(52+fVcJwT)6m<0JWI!Es))?RShzXNJeet?YVB__K|$%L4E}kcNSwc4If`RPm#<^ zkjXEV?nBMixHX`NQ?DjfryGhDKm`Mff)`rPTbMuB!iQvS`OfK%_3@>9RdrZwj1DJ% zQ#J0(Fq@& z?c-~S&bARL?S=~aoN_iPx>=d;h_UloRxz4zUzL*g z$dNto3kxCO*Ewx)2S^Ry2D7h?9q2M?CNUV1-02Y0Y}}w7A;QD4LyQDk6}bK?%=*W$W7Ms!gh(l+T;IVnGP@xAQL z%+T#L>J07bKni*|IX%OwE8KpR4SZSFFDOTuYdX;6nA0$In>ZDTng%fD2J&Fr#Rz6I z0?PGqbsX&>64wRvu-SUi(xuFn*7d22T`yj03Q#-ZAHca=LZ;(XD^X~#UAK_xJKoV> zTD35a$9!1zBa=m}{SKjy=s%D2OSMysPFWzm`&d2&{dDYxc##*D5mZ)HRUJxPG_`HU zC0KtH1r=b1IWoP9nwlE3!ZRG?ec)A7xXEI|jIA%L8Dt414}|?0#y-{{h2q8LS*L@pj^36c4hRc z0i-OBWA<~vOdY~K*)Q!Tp`X18dUC}Ar?Z34#8%SI7$h%Pu14-o(4c<3P3(c}=3af~ z3!OD2TpUBB*v&~^_jf^Ak;W#Zu}NaH?~W6`{%ZdrG%;Df2N7Oj5W6qKf}w%lD*xR1U1`R0;}S%Nf3~V>xSrBze$!Emo~~2w-Zt7q zBiFsiNaHzA?(YXp;ju~s`zY!PaP_XHvXs4d;^TzE*&Oh2kE}6^k{70xoq5Nk3 z7=`8^dxw0!dZA4N1IjdZ27Z6UfVi@r53DW!w`ENJkf+{*F9j0gMz}#PBzD#vRRf7~ zCC(V`4~0gvz%D=0MODUN;&)xHVI;fle~hcrrlhACw0qCHPFQ)w^JSd!GL(e%HgxvHNs!vvNgo>EemW-xe(kvqT?ucKF z5-L4f9%Q?mYk2*PBXA(`!v-7RzUiCI?CL|?9cmLROdRPFxwUCxLh8Ti<-=Yu}j_>vzY-=q4wl9@mc#!ZH~6KE_z& zvP<%GElY+w0dy#;G;r}4ee$jZ3|b}c&^pQCym{*O^3U(}=q zUaOe#h9rn_mv2O8j^(ED`=ShR>U-;q5eKkc6d^q?tO2Y%J8;F9%{GBS>E;sJv1 z0<^-Qb&yUlQHVaA&@}ie^1%Xd;lk3>Fl=XIWhEUXCs)QPc|cdi?@NHEFb74EKi#P` zd*$+F+U~WAX9gPE!5#JUr8pt>apQ&z0s*|aFYnZD3i+?AEXAsxp!cH9qsIR*kdESB`c$R&ckb zp}t}*BQV)9JG8w$tz0?GUp9OzDxSw5-z_Sa@te_ErX2iuFpt2-NV93i!~EkOr3+*q zR5$_#0UDj5xx>8q%zqR@JJP#4eBfPz=Wom;ta(74RL+9jO=J`YM)1u@#}8@l}`}yGS})Sy_E&alg&L9f{#vuR_@R+QZTJot z4WI_*EU1F0L*L|Ir$YmvmLqoxQvsb2+#c{w!MrJ!0V^aaRK|CS07&bGfFPqkc;Ou~yBWuhplmn_NV~X7(qoS&W zTC|;vAEGT=5&T+jfQ9Wi&x2QjZw!y&6o&;rcktS+{vF#a2K6OAV-QaHX_wh8cV%vt zKbv4*|HQ~oLZQQx^~V`2)^}$v{>@w?mfwx_7meq)5m$E*!D(wmV8}*w=X7%t&?#sV4dInu1staC)1(j7(j1bzq_Tr5n>BUqLQ{ zlVH?H`-r3X$yojqF#~U4svEK)UT$t;%P2lw z=HyLK;{_XI7cz|l_Jz^%Jfl%VldS`~DBj0anL6kmp3}(Kmw9G|C!@D!Jjc{h<`$rX zL6dN!dn&{ssG#7AlneV9PesyA%g!%3$+^9&{L3vpvxgF+M;Il_NVl^fPDLN~06Yz~ 
zaL4FFjq#pAH+~9+zG|e(ePIw$SIQltS*2+gniqHgvIRZyIjr-4UT@D^h zBHyz=QAV)XvAaVQAXW@=Kbp#d`z{BWdJ;>o5XW;Gfg@v$1^31e$2=yl#>Kq{U{-w3M!&DNeG?8Cu{mo7 z_4{=snW>evzRmZ7V`6yO+1C=fNpJ5h5PMYT1))ehd%lQe*8B!KZS9RC>~1-b++A<2 zTn*w-S?thLSzv=X$592ZUZ_dsIB(v(_Hrs4;5z*ML~WN56H^E_ea)f93k)*JsO?}e zL#_UklG}gBz^-+nPQYpVF*mQLyPhXCSdFvWo)vGC>}N4qPUFlFFOQyUJ`0OqENL+A^n|}~ zh1W$WNaxW44Qy5M3--<1+=BbOrSx~Ycht8i1Iz3jp}-TdOjFc?xZm2>v0nW%!pL^} z?q+?$ZDjR}v(GQxSUuFBGxTp+&3i!kmyG2%3(<5AOyZi6PEgBEO}?K!7{a17MTWB$ zvRB*dz%-Nm&;9-BPHQw$=g-K<$;k-{ZoV};n>RiB2B!G-mAU-|PxxF!3rYGIuAa`W zLC=ZXfjv2j_P%I7s#W;%wB-v0KefQ;Xv zFm&qAX%f9=(ak{Mw8{ARDg{XJmZptY&tw59WBOR>-1!Ckv}?S=koUw9rWi(+42_ot z2R-(*kuMVJG?;Y}+bg98K_O9rq3vNaiK8xsqg=S|LevP6?_>(2Hg2mPbY`S%k6+igzk zHpFj>5EMP++_gjn`0OG2)J2QR;$ECY&Vj$^sNA}B>-hOS_i-vXeAGhFdFL_fKBLN< z@DXbt;5dgWVHV{gnn8jD;2|ejNWzv>e-tM}%S&frX@_dGWN&#x*1@R)5g9pP5FyCR zGox7;Awl02x6yS^#=f=-7ccgJaJmc6!OEEF*u7^g&%Q%Lgdx{qi%5d!z_o*N_I2nY z1Y&T>L6BN0C%4#5q)`1c;Sq=;V%A0m!abl*gl7X;IGCVpy8(B0H-`R=vprScItg9G zrZ_`%NWsE@Kg;4ZGD6ne*}%^FTd|$JKg(a+UwT4d$hT=jN3@1qZqoK(8&T<0>AAR4 zqlUQfVGUCe3(b(Md^gQ3y5frdW}o+S$Smzdh=nVgy^W0xf=Q!;lnJ=j7=6QUaDieq zyvALggIOpvvTIYN(^W?h*JdZWrK~f0dV1hS*i{GUm97pwQhYD}f?lh9okqg4(DV*S zE+|ro&f{9HN^rxW6REx1AEx?%daVHiDIqv?i$#K;d@(;3`^+1`P~lijnF(V(sLoc) zEj7f98I4#+08Ja@kcdN>`mUSq6sMpNOKr|HDOReg_X)TpOXRE)efss%C^%Jt>c9)4 z)c(-BJh_z(kc`kQCyBe7iFopu3%&2Y`b<4%FJkB}Nzl$WZQ2CQwyTvu z8|oV%tWQxA8yFY>QkaTC>fcrN_%ZBMauIJZcg8WpW#5$>ZiROrA0KZP3V<1tFBA)d z3TwuM`VoMWF)E%C#-g!Sw9!R{s~h%l5+FuxdU#5u(3_OS@l#VBIhZ{i1y3L@j*niT z5fyUPv4_)GUwkc5M@D3bs3CQ5A|GeIL$|Mdt7U!#``ZvG#baWgNuYC(!@`-FIvWd1 z%Pb@iw5B@WK<-6G_pFO!&CewYx)Q;QQG#ZBkg)Jn$*SuisqIfUa4cn{5BSMWeZTi^ z)1%v)xuyrkOZw){p}?+$W_GSUT#jF0!OLTPLpZZ)*01ogY~YQ|cK{YUcW$VF;O|V0 z^EFXW)Jgj!A^3hj-~#%37t1v_7{9eyVD)fsj)i9d`@*taA z%pNF?VeLVO54W5L1X5R?(o%Leb?#Vn`m|_zQVXBu;m2iV+dl6IwYADG(cXV#{jjPe z?jUoTToiB!t}WR*!JsRM%=2ixAC)4srIA%LD}Z7Oig!4Ck+fC%YN&zN`W-(6IRd6a zKHPWfy$0c5t8rg3>7(<_PzGQU-Zfj79!b%t4E}DeJ!dDz@=Jj9I}u~wa};AlMn}RJ 
zud{o8_dt33G4@Q&J$veLzwiemGo6!P0t(Z%9XmK~rX8FkAlp|0_hCkSnVxWb5OjRx z^KKFHlzc%7BSWL|Eu0pPsRwhYn`d^13ezBjm)2hpl|@d5ByMtQ%Dp;#ma<>% zXAPsh_2`wco@EzL+YHgD%AwfRy-I+UmW&~m-}@QLLJ~2 zU9YV}SRs(9D$N7jt8#+?S$=cS8re4Qewf87tCxQ|RxN!r*40TZd8Ju=^|w$uXS{u^ zm6$Ih_rQMtG;}Fo6CvoeDO=FO8=SzK=KaGb?yoP_;%Q^f@#P+au~(Hfwy^s2Z&FoG z+w|))vp(Sb;pHUpVLOlfi9`%)Vder_&y2;qL~jr?$8gL6kJs6Y`>cWXRWdVf(NFNXW{h{iNx^p{Pc0&qw4jY znD^FbUDxAvJ5~OTF8mi24=XSZz(f#+(gdhxB?o^)6%`e{pUu9%zbyRT*=jjHi;Llm zEAd#X|MG=DaPsMw9_91|T`_NdxA{$chH-F5#1K$5Ecpye|D15`_m8feL$IjI9zDWV z=1zfcNZz8U-eVq^k>p{?uI#7eAi8~g-=p(0md^}XzVb{a{PfELXYh%gPn=C|gqse* zzNlJN-bR-nlCQe}rdu^L6|HziFpf|&ZMT(k9K2SlFy~MP-lactL|!e`HdFfqA>tK@ zck1STZqDv|y^=To2JbqRx;eYH1&?`F@(gR7$FsswokH=u6(JZ-wbx5`uT;$%UJN7q zZ_k45^dka4Z1iDIN56+@_nhmOn&QWt&-Ss$tp(xbKA*bAeR^Pj- zNcWlzFM$6FXbTj-LqS*hlv$U;nA8S>GIZzztIB;NhAyfu7r=d?@BQ1=v^ z`q2%R|M|ldMYat-aef>h9E5vmWwGDMIcJV@ZDaY0OsPs>%yI*YGcy%5(;lH#||A}+5b-xbcY~9JsqRZBld>O2EN&4Psdm-&nykB>dz(axzSZxy zaeLo$G6hdbEJ<$fq#~XS4GopQr(}tLIx}+Y z-`;J(M4qW+1b$w}@lmx1xXDa<46~CwUky)_Zy(wdb8FgD;-Xm5oiCQOr?$qOe#h(b z;R6_s$6OdmMTaI%H@sS#vg6h1A`Z1hE%jrosWv1`1QIVW7_+#pXGIRuBsGIV!G2t z8dA$zccq>~QM+#+QZi$@!Dx3lmUK!7@8R0*iLQSh1#I~-NKks{`j4xGUvPX1{14w7 ziR8Iu;>LeC5+ssY@XY^viJu4j|6Qm*@4Np)CrUK14+s~alrPyN5>Kja;OoMhKjQ=5 zgZNE5`aia@`)&nLEeCX1Tv#jdyO2`|^z?rKF_Nm6T}fIz7543npHF z|K-5D+pp_pPj=-$93fV~;%6!#FKwn@wZHBT=iCD=C*5+=X4-399lL4f9vS29Pft{kxsvNDSL6=h@YbVF^7HA!hbw+%Ee_u|35v_t@Pl>s}Jzbey(wy z9{=&;p6@&BndY9-&g1Qmm+K4s`8w0bf4r+4rK9bHE^IP%1g h=VaUe&nKOtqj|cFHB>@2op`=&TXt+tQ!(@Y{{Sf0gqr{W literal 0 HcmV?d00001 
diff --git a/docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png b/docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png
new file mode 100644
index 0000000000000000000000000000000000000000..16211dd1e50a04056b898b2a4a20b0fb1c7e82b8
GIT binary patch
literal 54615
[base85-encoded PNG payload omitted; binary image data, not reviewable as text]
z6)Vv1DC0K$@7;k^frorcUtieOQ4kQBn3%MREy8MRkD*Z~J*ti*Jz9!v^b3Sl8RE~+ zIKML;p?d_%u1dDr8d^o(JG39iyB;p5qYNF=JjT)p$#7-sbMG~w0v-(j7ze9)_) z;MDFCYfYZ>sI7DU+aiI}xptG2lPu2O4wCN9u4}B+*Hk334rj?%80Z|JYuNQaL#pZ! zy_oPdS$*Q($j>E8LJ&`s6SffH4!zkl8+|oPSj%?-klzk&dBJ`D&RhKBe*?a@DRCQd%2Ci|NGya4% zIiP^dGaP>C`b%m-$LN+zsGf2X~ z9_`RnzDn2-Hw|gO6m$QO2kS9=t)MhIIhILA#IUufJS1mqN0%)83+zG#lNi@j-M5$9 z1j4Wg8r#}(;LpZ;+s{}!A?25Wwcx0@?zF@B?BdXNh!%x#)CA2{Ae`{DQd;j(7~jAp zHDqx*yn5Eh^%8kBj<}LNHUjZbxV>fEoBHl)#A7YHtLJ4tUqT?hVBWdme(ZXd0&&K^ zE>e%3J^+EZN&Y>1@o+}i2ywF+)6}=?&Bc?54_cvx@3-TyUY__s`+wF2B`#9<`T0Tl zcZDR6MR1W@zy1ke+5!|LA7Jgqs&fv}BDKyYIA!)oQ$k~6Vj?2aY^x0?>-~tCuFAz8 zdNeS$$Y zTE5f>7Z(@2bp^()WOeT-fw|3=PpAjNqM^Rtp-)6yya@OH3@fb6pt76ZASL8_qo+LuO~> ztA*&PGm|7ZfzV@VRv+5$Xm}n3P}a@W6_B!AZ9QaFtBD#kgAQDE@QW8Of`UdXomn}$ zMKd4HUb3EBTH^QIbJ!|JcQXLQkVxb^PHPbnkyo!@_bF>^zJX$<@Jz(7<-KvMnjzFT z;795k8o)5}`R&`cz)fykz}H20{WUc;j`O|Gf`h4U>iPWWJCe{$@00=v!Kzgj%FjNU zU@$kg(IF_epX@|K6Ne^4v&UA8eCWPSpL|R7+ve&RS&dbMsjQ_ASR^RQ%Xg+LBtb8i zk4g{?0NwScm^+KS4FRC|ZF|C-=Iq%IH7mkdAi{EhTcm_vnHCuUlE9MpeqX%CL>Ac8Iq)k%65?D6CnK5ESCY#hD0f-A z%$$~*>gMJKjmo-g>#@%1i|1I$KLp*3dL@cLyv4IuK^<+ZUZ$g`_fr9XjUp^GGm?Os z@7}u%nxw=#Jnm#N6SX^2c>VV_yey1vA3-b9%_cMJJVtc>{LVsN?fB5zvHT-Qgb$WS z?`VKL#MO2*WUrzU9uc7mt1m9@Us2$g^i_FTJ-uvHcpoXaO+R>PYcnZCKyh1WA2d;( zm7?@_k51W7e*fnJb|%NESP$k4|GcU6*n~h4YtTMU^IJk2!S1P>ulJ~A4TSK(X?`p& zu2KT$kt)~13M>;a3_#IYnV6iJ*#^b8P#NNAd9WZUFVFVw-H*U4;8SAe*>?a%y7}B9 z$TZf~pVLG)glI9;Z4U}+ru%GnN-HQjt-Q<@c-*u)EIt(af6t6Wcf|p-`JbUkv@Mp$ z3j?g!NsZPlh6yinf1m~m>f5J~%28KmKL*&PD_4?%?W9|t9W8$dHm>54QP9hPUxGXAy`WzR_XT$9%rcYH*%q_5^po6QhjJFydU5iTdazAjXUg3=A|dG|Y%i z@B_*j#2@~>*`z?@JsY+3P*8Xji0rrKl~J33!Mliu7=M6vB?sI(zm)YIcT{#|3ZBiyjYGFnG3?cKeTJTJb@Ag-xeHiM=-PjJy*V; zs|!uKOcXl~RDJ@2)S=y%bP^=`39n*eWcJs#w`~XW_2uQ|rKN+Gm#d3P;EWHGbpulj z=Sh)D5%e7JYu%NQ=&An_d7D(~fx%d_JLxbt_%ZgnVadm&uBrIplJY5MBEjPmUO#bZ ze=H0P4g*=L9RmZ~G{-ww?zxlZCnT=6W8NhHZGlVfHlf>Tu=M?`?D$ci;_f^YpJM$7QQ%T)!-msyy0r(n&(}CeR|$ z(H9SKZCLNG=Pq6xg~#gcMIQ3tfA_upTV8zJd@Tjsd!9fW 
z?y1<_L}o!HDyyjQfAR#lW-Nc({6AFad%hN7K)mel?J1T|&CLw~L>r@I`a^kN*DIC; z8vi+F*o|Q>wNSivjK6Ol;k$wp&0i)a1n=A#65Gp4{_h(@xF#njV_;%}v$$aIYwWb7DL_C2;$#Y`TzCsN7#r7#LoJ$7gW5dBR{~03qe|g&f}jxePY!p zdRlC1YC1DLJytw723f+etU>Wy6^o;3TNFoy_|h#+;>F;h@`tA2>Mmy9UW`Bm4Ry=f zOw=3#emFzHX7u&Lqi4^ap*8SaZKxPeiRezBIll^ICwT4WW3zhoQ?%9N&RX`*EM?`@ zw15dz(oL_*$w@CVGSZ?IDzPBs5NK|Y*0+-R(bDGO!A6I3UTGLD`3HyJY6|w{B(U0n z-u{@qyQjx-B>K)nf0P~C=P7&d-eB1SI?IsY;FP&+C#e`nO|C93Rl7gl0fM4)(Vi!0 z3vmn{HY~Y1NV&1|Eu@D@eZ;=Q%e><)^Aa@SULdJ~U+frsz;cmnXiFhT$iu*-4Gjav zPqFCBgajPN<2a8lPw~R1ww_ffJ5c|HmAaz^fHno715Dz4VfI}62rTab5R%+dPVk_O z>mrbuZL8M&hebH96nC~}F#8ut+zXSFmi{ufU`_vr?0YkM=r*jUMy=N&5S+z53((2; zFol!Z+uKL6o3pvDf6vZlvgj35S76bpQiExLXT%Ktetu(s)hZe3=nTO<2~@(Djt+7z zG7=KNT84oA=HF3I4R9>JaQhO3^84sc2XZ;kwH4s=8NNIlF-bvOl$9=!Y(NXNIe&8E z6xh&gM$2w7cfPFrrJv3>0cy1p&X;tjhEy-cTA|-?8np_PXYYIWZJQ<6{+LpFsc=5n zOvz^iK?Cibc#bRM{Os&Ven%=^r=XCK0W!vIJ`uMqFm|LSC#PFlGyM6{iK8%2pFZ8x z)CAmuU32KA`OOLta$$W_{D9sDQn4Ros}c&pQb)UiY(NzQ4(sxGb9ECQ(lD6abP3kX z#bxKUoB#zeaZin>yAItQmsQ%fS4oM9!%%k4oqH7>ojtnXh+mmRUATq!Y+Jl3gl3}9 zRL=Ujel5un#kb1htzaXxFht(cPJ8Aa{8c;IFPz852_Xy#EMKNv;;7=?!e z9jpVv0^=Rx5)u;P;>%-|18(l!wcf{IcL-bj;Iee4x|4UMO4RgmOa&N!urM&-Fv>F{ zt@!GJz;%TZG%q^x&!R@lW_Gmw^)VqqSNz;{nb{1!w>R~D4R$9M(0&t0 zVq){jV6O3}At9#0AR8oH&)7R^0$tE0c(VdL)QLQgIJ&FCaZi;5e|1E6`FJ=eaVSv{ zp`r2Cw-(7)g4TvP_LZP4iw8qI42vrk7>J=npc_f?O#l=R(%W@M;YxhlFccruz)yXB z9Q^z-jN#(J7lJ8n`xg^Z@e~0=x=5#AQJ)H26$J$ay}(VKO8YeV1cMa_q0|6?!#LIl z4TOUEz?jfo0e2zVv1!Kphlb*G+c7m*19)|lkMjV@({S7Q#3p(TTfn|HG9!WgUHA_s zECo-tW_wFZ;&mpO!y)owiiRdMj(nb)nz~#;ck|{d)HCHLc{f;)XLRr7bBP!?!D43! 
zeBXNR+~l(4jM~=im9XG*T~97~*_*At0Ueb|D>4n*Bz)U*V}gwpTIam>R!e0hWMuqFd^mpoufIQ7emSj-OL%VR&EFxe}*om z_vaJezkeTkG1%ks)rbF$Txi+On4+#cCh|O-(uI>gk!W0NEvSyNk%#VR;li9x-ffhT;PsxtyHb z*7M;Can3YB@DBXAf85}%?bid(d3%`r++wi9eD55Dlu@g%*IGNQJU>#QFL}SI5lWkR zOKezJinS4#iJ-91d1m=lw5;-7ykq}F=MY%O#Y^s`0sOr-x-i^n<6`-OHSEtIPrww#rLBY|jB-Tk8`4k+EDFd5Un_pCM|a=^%`<|T&f!6|VPu`bBOP|NvSNy%(TMNq z2D;YCl2xqm5PpwdY+p)yzU^dJJbX7JSddq7sxEpytyhf`Poa62Btb2`{h-Y`%dk(PaYy zmAO8cA_9#C`-20g)6Sc#!V$oy~gMxzKz%O`}i&X^%Fn+jg+CHnvoSv>(VBnWq zfPvLyS^DxT+>Pzs63YSE5s{IO$lDT!Ph*5W+n>1jU-(np+{nbFX0uyrPlch_@DssO z2NO@KLXtShUQz>Ze`5cOG&Fhps9J)5QgS|L(pA<_C?`k99G&Vt5Z_I9PUHRI$F8KS z;Naq}Z*Fd`uV>09hyWUN{9|L#{J4)1nNp^Cr#7a6h&2JZZdL|SjOVPvA6NWT0?wW%u z#=;`g>C_+aI)!}L6qv8+15tm*^J$;FBvK%_DoW)Y{?VIUJ{3*r6{#cpUya897nw~W z32_KPV5-D}&UXPgaUOS_fisXyR>CMC;05Lxt2?~BydWiqq>bg|=i7aLMW0uDv^}9a%l12M5LPO6oBFz|(8=dwrSmIUrUjLi$$!qohedOq#2Gu>r0_$uvud}T6bw);w zN+)Jb0q>&&0NG}j7#Pw3W`Ro;4F$v<4gHtCgIms`70id-kjvI#Km_eP1%d$v>l{zH zi4AW+1yxd11Osj31z=b50a`*C9j*yB*!a`;|C=(z8TU0CdOr=Ei@E-Pb9zpcC9eSn znNuo*n41TF190m?ii5!jaLBa|XBb0^)O(JcTtZGxQZg|BY0{gk{qD%vFMxUES_#z^ z1Q?cX()||TRn3DX)|5Gl&#^2m@Z(nnm5X5#Y+M$oQ=lZ+O}?B**+Dji=E+poC*d;M z?1}u|xvqP>rwSAzxDI;O;j@LltWPb}nk5QWy!R0P5qNsyzXh_(%a>76l36fm_L-VR zqo{d>px;0WKlIhB#Ia}nu;}Jtd)KpJ0LM{^Q6yD1re)Zi5Zp8KY2`XDlYU?oA8E2C z86i05Gx-Oe@}hvpTa}E7yR}YB8Y(LN=)o)-Te$ekm%<~!x&ZyAs13b(Iw6dB2x|go ztXx2H36G3PZwacIf)pK_S!X;Eo%mo`u)&D%$(vPLh}-plXL2Dd0F+%4^*7V(&(*e6 zLk}#i)jU;%sy-(B7R{gKqWLpwYHm9rPctbZgI3PKHY}WY>_0#-ux*071XOQB)CL{& zaIkr|nUF9uC}7c>USBV=Ri23sCs}Y=5u-4-!4M81#|&*Vij0y{isKA34CZdm_bq@_ zYAjcff?Z%t+4$ozhWwL%K!=MINE3Fe!A^kDOiW*Z%zz{fn2bX+CFcaVuK-O=Pfzy& zaukg9z#`=Xhhka`GDjn%O-RV znT3R@6^pR=cv=Was4FVlf2=EfYB^Iseu(R@%*|1pKcDXT&#RRo?sfd%5k&d6eK6cw zxc9{Kj1};-E)tEqzdg6GkR8A;g2eSTuss+^U ztSMjw`JX=iKd@Aoqj@D?F&OTKrhYTax(9+PIr)m`4Ik}i4^Mo-{5#VZLd$0V@Zs@h znxJxq;&kzVP7<3TP!sT?0GO(!)O;5jnh&nwl8cm-`+cgq8FIbzoe83F7QvI(2dof) zEk_uYV0N^Ua90DGzJ~Ne?w`OpjM}_-`jp#wIU4AeCiJ}7`tHUInEJ)>U^Wl9;7C4K 
z5EIBaGAVB((}O@AV_q39ey(E!7StjSz@$(O-lKedPrBu5d@wRHf^jJukjz8Wa#?vD3eHm)dx;Lpd4Gj#yP20g4FXES(ik`St zu(e%*0qH^~1n<-zvM$(zgH@KsDphNz2#VzumbbcCi{)X4`bAcjCCqTvUq?cB_-$t9 z(|GzN)m$xoJY>53*sFK%q*^DyD+f${7`qjzPxY$(i7(iH-#S88Hbo^R^FAmnLk&=C zcE{>8tXPpJPo07i2gCAn<={5fU-I|EWp;6O1+NxNitKXafU4R_~V))%vY7-rR)s1=ivQA($h4I=oG>QYs zAf2|W~XlH&yTd!&b0<@BV$zlFWP4UuvX7GXjDv z7cZ|SG$g-kF~52VDD}d(R_5m=r(4j|G-HTA)U?yc6u6F}XQC&b7}h^O|1eiDp#YTXrNWx(g`nNz#%Z4~F%;Eqj7M2YB2NpnfgQf^?#en&@(C9#$)@!!8x9il5)L14a|ys^z_E?8WTv)7T;jf8|I-+%Bl@Ao_c{b z4NW^L&F1$pD6;;tHH24H@hzeH#~#@Ec41J^{@oG-%U0xvD>FSdHU`cfO%0%#_n<_n z^U7?S6CzbRlWW1y2|_bC`i-QerNLu2bQ))JAOgi-g(5@7tO2Hpr=<))q2__(7G8ydME1gbz-&Gk4uqC|xfujFO3Zt%Ub%AR z&K>mv50bWgUIN*hQM9N2t*R1UKIKF7-M8dV^}~5-n4{lox`nhvDD0HXCir{JcVWyF zrph~OPKdzNm!$h(rE^}1LZdrRHOq((_0cq|Hw93LF8k0RDd}$vnZ|Y5!))h7ji-8o zNGtknAF#;od(fZ4_*y!7)iO7Cotf{M|47nL&mhD@pBh1(Xqax^}pK-AUyagrF@4A{`F}iJ_pAiXWkc;i*%yf}UJNYdw&MQ%w_^LFB zgp^d7F8h%D6cT`taV)Wb<<6GBUR88ha*mGM&M`Q3qTCZnd-0j~hq*WQvcvcE$| zJHW}rzsN-^L*eQ8us3gzKdk|(!)f3j0aXoV`bm#^;G8Xe`_=;v8W5C&FW%`67nufy z11L=t_yRiPPgHUttc8|_hK4rnd&gmVDn33QTs^=d=r}J^@-Xt;+p;m?JQsAe8D6&d zm%Zq5GeS=?91j$sb`T6aFJ%5(!#BVb!ifgH92`^gs^g9D;wZU1G1g37{l~yY3}mY- zjl7D8a0ZqDUPO_}oU$T&Jq1*6EUenqdOS)lo8G){*M`h|dw$QJuJ-zn6hI9BIl~G_ z3(kOa43BcH-#4^jVtpOpw)@vdSm%g|S9VW7=S#xz|NT70YTc8QqXD@A)DH9u7q(0g zFKpMQ8Udz&n+XOq;MEpWTx#DbWNtqBEh3sRKYg+wy>K1!5xi{({pN=%F17#a01@ZO zZzjMVb=SgG!0No`sIna<69nIg& zjf)@YuIb>(p8l^VGGX}Rm2UF>`7VZ@Nyt}`MW6Af{LK;hMV8NZs`#tX&C!3Eav%eq zF4uGV^TQSrhs3)ub5oq*`pXo9PT#^TZ)5%+-}?A4yi!2+?afKB>{+x59<7BiYnGUC z-ulaiC;&pPZjl+0W(|OI0MLn`sRHL^Lt6p@E!4$s5eo~(>Wbmm@Nn@@PCvd-6i*j+ z2qcMbB@_eYMo&*ar@6aCPdf-Lo@W?9P1) zlr{)E>7T|u^vMdvL$B=kFgUk6GeIiKU@j;qKoY{O35|3nYk9u?tAPahs26JBMQEcy z4N>Jf>wd8I$=qHJ4;+_k8yl@19i~gRHM^-`z|*LJSCIJ0-y&-4J?d|-L^Ss78O8%2KrThj90Jz2w4hz%r%Pm`u1;z zR`m8&6|-ldC!NjxJz?IcKk>%jypdU3qCnF?f&@EfbXb_<(SfT)g132;EFLntYG>*> zECF8*kL&ss>x|`qXaUbXXd;Kn8rMti!~2SC#;Y>aP>b{PAl{plFoM&|sjt*l7i9;A 
zVCVr97!ILXhE8elz43EYHI<53r#|=>k9O9+RiHq_2J@a`T~f*IeovAjOOS?q+*$}? zGqWXVJdp*_-GHz1@n`28esEb0#@pCdi|QnZ@aKSqSW+^uB4x>?0Uz-K=l4_4tSMDE zk0zASX8o-`RrTj3@Vopr)dtqM#^uUeU3*$YldAaoZRkM>F(mqOL{FZ8g87 z6J;7?bPLo_1>W{kPtOJrtcwX22Rmy}4v;j8IP4Fm?rJo*wWX*gn06V(v)0o3{r2APeviH1cm44^$2wMV-`DjW&hs;!&d+n`Z}0N( zkaEf0p4|}~ajxTpukZX+MRoosU;#OAGqz7oO{GB<=wc>^Z(I;W6T6*=9l&jdq$V8( z1e$CErZzBwCR^kut8aRh_|`ZQ2S5hrGq^rnbR}A%=~~_K`0)oYZ{a!m85&;bz8;)i zSyR4R!P61*;iQGPl0qF%%6L3Wdb%Sm_y)8L7k6uFFjgpN6nA%tO# zZip%^6qpcs%1E3J3EA)9(4vBJ6l^5xV=H=s&!-95Vvj=~$MZ)CE>ViSr8m6CGHqub z(8ligSlP;rT!K0ViIXs{laZ03TBWHzU*%OU2B5tH)VBWlQ{}l&9PI3bk8+5jEo5f$47nryvDRG$=14{<+~12`0rEsQ`Su!TjOmdDnabWz6_1sr;Q>nVXV3Lg z6|zUa)w}G!mFXPbAmpm1O!b3%w^zvaR5X@E9^>rHj83AIT5okEpSUqlU5G_nL(1RM zZz9PF{)Ye^XC;q&k!4=9HeQ|!4A#yW_``j@y%}ykh%V}Qgf5#cnU*an!Yog}7wZwP zvS3g3o!+Aj0QJ#$7j3oMW0Ya$^y2ahKoa@(c;~1hzrRa%Zf6Yz!rk9(sXx@ie#qvx#^+PGy&1xK4z%Vm9q$faDdXGgx0Gy1XsB6@z?EC z75couIOY(7kpI5tjYc6X&d6lTD9;9v4ca#C{CS3NalV$8mRMr2$qG!;60pV5%89tp zYwfK3c4?33z2%fa4SzD| zi=P+;62=IYf)j&+oZQ^N0FftZv?g31H*-PO-5`pXJ#WlmvhtL@wg-K7J%5aJPcOG=3wFWJn>DvGzswdGjpY_nHY z?^4pk(?3M9f84+QMK9PzPv_K?X3vi7gbW&|xXSkJ`Nru!Qv|vE4N@T7itum0ntnrx zZm$7OvN1%z=1V9bo?&8o`em1G0u7x)FcEU#8g~Bt(aLWe#wFLU-|`$*(L3h6Hd$xA2XCOTTx&I!eP9)V^&1C8X3+e2DQw4Ge=~-9L5@+HRWu60!l3X`;}!_^E#Jl z2;;E}N6+MimsiwY)Zx#6DOz3rG18*c(Ev(#V5OJ7$*;1CakxQ-l&Qa-8R0MEE`Xui zx-d5(eg0+f4I;l&OY(M>yUckk#UVeDmUUnV@h7gt#KeHHe^^&%@Fuf6pmCrOj; zuNRE4wbhO^c%hN%gTJg@O&%WT%(iCDnpMgu7@^X;NT63iu^ubkNWvTby3>iONba&p zKwuyR1%=aUpljH}b?#ReFXkf7zYxvH$XIuDS=Zjbm!3qSmii{(`7#K6P9ixX0V1+J z`_}&W-a;3`cQGb|c zek%@9-D)Z+DM8eYpZ^ty?Sa=f3~rtB_N{XvOMlI)0kQL6>beWaF>HDK_;FK{&Nue( zh+qCWn`@t&t*VI{ch8t5N%*L`ANo_wbAIv&ZE-()vx+k`&P`FmNc+jL-Y@K z&(8uFRoO3oD!$dPzG-{dL$fM&QUh0%G0Xx#Yx|#-FrMF?zA}>j$UmMbYTq%oVoHCH z5Pm|W{>Oeq@sA_D*js`Wvzb5t51-M`k{A{6FTRow0bnTya=)**VddrJ1u4#*NjKCc z06JSLEEB=U0WmC-fV35siI(zZDcepGH7_Jyt;IKzC8!E(Iya`K;1nNP_4e&sBDc$> zRrDSi;?I8ZQS>0@MsG^>Mmamc@64^b2M_#EEX}svlKH*(6f>sNFUoYKrln0ru1>jH 
z4?5D;0a}iALuRj=;wajBKP5hS0e!9KIRKkPUnt`o+e4!J)w7IycyPQ4O_Q~Olo?Z^f{E?EitESz3yM$P3~ZK>XYTOtI{UdHMOpxcZXCRqV^ga^2)$z$zn>9 zH`kK<&QC|lH&c+vY?Y6CGmKjb9bo8I#Z3il0RIa}f{Bf-43G(P1osvNMa3$#p9Bl_ zJeNTOg#i2wA_I<4GP$Yu~< zR>)&OMzOMGG#1|GQp&oV85o-J<-&%-6S@QOms60)U^0G5)+E42l zLmz)9YMFgYyq1#4YXe3`x%n|l!&_>N^`I~+UI)1SNb zE*S)06^KTf4}`?e>W_Uyl&GW(`jQ0us)fLov%r1BJh1Z0P`0SI2`*4w%sabgTUX3; zwf&6=7a}8-wkJMyfmi2VlCFNhHRl(iH`fhtGHm(6*ls^1BlOXZV_OOJ#XS8S*43*O zZSF6*7A&ZaMDV2ntYP7Qd2Tkxzvf)>#kty9I0rlCj<$W9WN7K=O1)Uk_v8?ylg@#s zX+bn-~_FUjyLPI(ioFiq%G4*Y-Vx4BQ?<5+wZOjG}XB^UOpMg__zM z2{1W&7rUUUYglu7SJKs@-E;MVuAkZ(w2ecNwN~o#avhc!mJjl%nN|3aSWlrGu3AU^ zk&d(^l=4mQmU@@et6O}}MBn`68VR3GW9nwJ7`2VV_D9z~3~L~aI(GGp*N?#phK212_DW;D>4BFGNqNiW zzrJPAj03t}>s!cjgUx$k+>+$~QaSSG8$Y3|8%c~j?4BXhJjF-uPmSu70?mP32B^5K zqMivfVG0rw=NhmBiP*WBCmImr;ylF0GZB4Wxl3_rT#ahblW7zOoluL$Le8-P(hclp zqvJIjRiHss+i}hAQ51w+z{w2($p?eu+Nk(Q31DlJXCFEVV?16Y11JE^-6ts8ays>+ z$EtRkq8F$xb*<9xIAp3==z~~rtOPOy;X&B`M_JVUtGcRjee@h*%yO&f{>!sGsA()b zFobd%93;wF;ndJ`=h(VCVFCc4e(>Ny6!ZDVz&gP7XK)>?HM^wsuDLC>s|7_py-p%| z2Z=4h#p%XbD7oHspUh%{DT{Cdq0ooO;3S{~749`_^r*Gr{Aq}jz-l&kQP^Nx8+!HX zRUr9B9Gdcts%lABqw(|wOHKVOGFt1kjfYf9$)#0*(dVy6rouC=B&923`@TPRAtPB+ zDZlsnmU{OINy*>5nX4;m=R6L={Lgnb61GZSUghtcpO~Q%##Pj|O(^Oxw$nBA z(;{Mw`A^UT1C6)$+p4AHLrGmXSjP{T1)wMYNaX0Nj=Hlc+lN|!zDZLZ+9T}VyZEm> z>jnG`f)-(e%vyX0``xE%kLfL4wqjvbyVD|{kjSmP4(W-wb(LH`D&HfI3`4G7Uv_`7?`8T4iy|3W$a(s_%u7+QU&%CxBR}w{a+-`p$@sT3d)8;`RWY}WB}Dm1B@J@SJKjtGTDU<*0RhYW&+VvV_FZaro7C6X}$QYvi!5+F_kNGqqRZ2lc%1ET*K%OJFzU%JY zPvTJ$A6oud*_sv`{};C=e&{c5BJwxCSV&du_@R4HCXOmBGpy+R{GZo@($RnWN-s4w z-cxD}q*wYR*F2kJ`uhu_=}`G$YwS7$4ElqK87G6eVs?MC;-10+{ZuxfMqo zy<19Qq_D-f~Wm<~&R0G1tJzKBP!y-qSfBfJ-A4V}k zV&nH98t0TrR9qZ87uR=0YFGxD!t0}eFnNQt^)@PC)J(rG9Gd%j=w=_(81_LyXk`E+ z>&2Cnx^~6|6TPEIhB6LwJEy2kUxuE+k8lvmq>?`Ny&nZ`1uy3k)w)g?S5Osv?yg=y zl~=O->k?h%_uQ}ldgl{Q`a{+mq{`>x3U<)EgE|8-rH5Yj;SM5P*05zk*wKDBDUYBR zu)}ghK~-WWdM3m%vmHr+?7Xdb&qC_aE_vUt>*@JU$E>I^AG;OB?zX4g|X&>Z_HqZ-DBtCI)Z`5nqgeWcazO 
z^izY2ZVR@l4j@cITF-I;icc;@Z~bK=@`Mfo*NDy=aE?5uiE|T8JeWb}+tSS(xjaW0 z{&sE?OVqw}8d*!YG z22f%`SokM7TrkTS7=)Vf!kKChL za~Ags!=82;`VgnQDa&huqDS8xF#}0lU{bKdg>%&^&1l|U@J5-6`qR)b`}3n?zWFv{ zbKW818W=-wQA9z`WfRaUaO1DH@Q)q->WiekIDf{Mw;3VanKh-3?#X!| zsG9{Eg;HS!+xz1iGK|C=(f@{Z=K3hh@mVICAXZD33win(kZBPy7B(8j2}~n+spq%O z5(a4$Cg0#EgdI-%K3IXq6#0#hhq%k#yLH2wAZN;lx~L5jMNy+GYWdGjQ?qz|?s6?J zWs`bd?~|$GBG78H@#=QIfQKVYw3$^HnHLd=^{w%iNw(ubb+`n@$L=ah%pi(;KF@Z06sl$rH8u*4$zI%*EU zd#0${{zQ{>kzaje%S^%@`0N>u5cU_~0}SJVAgxH_&%&e=-%J&#aSsA;3m)u2(8cj> zdYSjnJ_mjVY%#g``txj&?Kga9N_u@P58%v$K~BZqR>v55w5wOGvb=H7X2SkhE|cR{ z2sW^kZC803h!(h)vJfGH^yMC3tTK(m6ABMt=_KlB(vk8ryQ3mF6jPe}70FM53- zQ>Df*c!!B-a}VgM8-r=bPty!(l`FrWSnN=ExhkzXRK>M%t<;|dClm*%QjrH(V$la< zO98RYIM7}K1p!+a&BoOfF{Z&L6Q0X2Zq@!3jx9voSBPA|6W7ODIqU;e*Q ztvv0lXCWuqQQGwVwRZnm|0H*NProNQlHIResq3}^ z$(@v21JHQ#QoOF-%?#pGMFflRp=^X19C9y8~ z%IHP0$V)RRdq>aSU;-)ag#uE~?pB^7oQwP^`_jIpT4BrrZZ%euB$7}9&k^cH{?tI( zj;#y!$4E-$cAQyT&o8#T{#Wgg|K%-;`xC!yq@VxPQ}wrQzdVumeUfi*;;D}o$(Qpt zi0Y3X&Fhl%E z@XGfNl|U^G4O<|m;;*#J&*Mgn;x786z-;-^Lmu2R>3i=3CtT!1D0)87(bk?raLq}S zpMu(HmqhX>;(=dNQadAqg+#0)$#v= zT~c=Ug4~H&X{Y>R<2Ydm$Wb4PmyN#KcfQQEQ&vXC#5gg-;|WCP+$X*~L(9C4flvlO z(4{S*6L#8@SF{?T48~WGF%NZy9!K_z^(J=(`W2m(?wtk%^+$Uf(HUS|W_AT{(Pz~r zH}Q!30jSeIqrp+J7ZgR!R#q-zQDWD&VVt>o_0w+2jRsC#Rh5whjeQy9erO)-#L<_5 zziESlVQ#pAS#R#E9Gip*=mZ!PssS1{<-m*EPIl=tvpF#~e5qC0eaF}0^+04W5-Q}N z0X*jr!PB9?vnD!HU6gF4fOaw*n%(nLn_ykUTt?hp88R%fkf9i404ajLkX3X%UH`kg zc+ZD_{W9njkt#rB(h~8T_`mEC*g!c%HyR{vJpokhMZUI0(__hMAeyHO_w}ztlQ-~r zxA~Y6b1Zt{)8O<^pGG2z{t>j5S=lFp%GEFM`Ed_5ccUNz4*o8p0h&ebo(yOc+f>!K zvJn2H!WS7l`|s@0~vxOEhy{g z=Pv$?vueg_nXo!D&Q4#sHByozpl-Y?^p&^L9s*VW10T2{p>A?~K;eAH#gHenm>MFV z`gmu=>h`NP+uwJghse0u^f^yI&JgnUSu<0)o?L!WRk()LrEr}bNzBU&6yJR_Mv6xCDPYpVSov18#ln|_ z_uQEy)CFM7BCle3J5bmH;lmt3>0+00#DYa%#e>eVdy*p0kFeq6swVgdcn?{Ut9c9# z@%n9AIhme*Z}F`|2NCIywoMBFgs>J;=%(cC70bgKK#Hn+fJ1)({xSoo zor2pO6tIrg>zNyQCk^vZ?HYxtIXDa3ZY+)dw+Mas|iJmJF6z$8GEz!bTQCTqT#?DM^ zqT?66Qv2BmulJdqgSZR?DusT97&?{J*G0vl?%d1ZkZIec 
zMm@&UK%Tp^nh>=Zp!RGEQ81jjxGwY3^s*Hh-&KDWK zkc}T1J15eq8l>BAybgdQ@HgE-_YXW3>LVqrHM|DA!W%{>ltR7&45H5XDs2kr9`qZU z>-P@@MOz;{9eE~+&t{E>FRGWY{uJ|y5Bg{gW4XUOzr2#_DN(b|fOn*FklXq2^qZr^ z7(?^~?2^yX4O=-j#Sa7a=0@xOLh{a6mAuHj8;sS-VaN1I1WNx0i1xOe$K+G&2Sw+T z!KI}HTt4ID`06U};hh7-Q?)Ej-?%}equkYntKYQ#NSv*lkSN%?`+O4bl+vsdgvf-*ZF0ezgY@LY$7>I< zV^zChB?6LB*J`;+)@n)SaL9tgoySuNyT_N=i}?iH7OBGUzb^z#=PGp*)Ix zarfvmf%m6ae(`rnm6PIi&9#OkH;Uh=l7GI0g@7GtSjEfZ$PXU>2dG&=neSY@Yj8|# zR8>{=^|3hHS4FI(ktKfzO#k?_p9^k0G$eWd`Z~W8eq5Z=pX&c#Kfn=#RoCO@!^xN! zg)S71r1_$Xu9DJ*G;DZDj1`OPz~DpKo3`-M6yBgjOq3ToIg4X1#N-exUWZAn51i~X z;AG&V!8ngr_(Zj=j(gk@thf(s1Mm$3Jmf8U{mX9KU8==74je^-x@n#5AYfP1zladC6Z~Wr?mt2^rtHvI1VjlF!?ddL9j@xl6I(*`do{*_z!`MjOc_crU z79PCY(dB%p7J#24LtahNZpXpMQ`>{-d|=Hx!zR{-eTm6v`D0DCshxn1kZID-UTKS= zHNYD%4+t0fEcT?;bqAfwI*Gf5y*l@n+}M&8WvBEiYfuF0SeNBVSoTv0a&2_c9WHrhkr(0y&iz>WAJI# z23G;X0#--R7i6Cb8lgC`fK`z%d9Nj3QlJP&v#2XniJ+BRUbyZT zE0Wbv^#KxUn3;Ly{N3^`hwJCTyMD&0Ymp>luu{P@k1>i@`W-Z`;+M-0AG8#xv2n8# zEPGlmDG%)3FXK+>u2M374$ic*Vmv&1QHJK!b_6$+(mUSEFBY-emHy$SXbRTryv}DxM8DA3J+V)gBKR0-Du; zs~Imh`ykaP-`E?2vB2-}ohEpk$BETjt06fM-Jm$V0c5Sia$TS0_M0>5Cx+rb&AC2| zzj16*G_^W^6qQB@`$524hJk!);mfS*y%au&f0F=4oujQcCz#gnd4-HP;1!jIvUB=1v}Rb~ir|!()T; zua(1?PK(1O6P2qtiY07N`KEgZ%>^9Xu+pcpJ>#Xq@hrpcl)AgJumu>$IC~+c2nQ|S zOIqF|8FabGm%MLb*Gi}}+9=0J$IWOI-gA%{f&$N$pVC{1}%T? 
zIhwhhn=2jnrK^tdkYWW^3Ne7vX`Fz`r&M$YWj{!eU*3wLyI8>+8RA8;JWx$RRKp*O zNGDCIqXs#bcvIIR$YXEXSrh7O(A7wt)}6DG5<#_(lbv4H;96?+r?0xrY{NHkDo6FB zaq@k8ZWG=4PtyA*H6lnP{ZI{6W#c=H2yWAV3+{K>4AkUJQ_>n^F5ZVWJ@C~$SHf}F zx3hhfh1q6a-cudPdL~55>gwjywukw*^Ey-lfuih;a|n937&^X$w;LgC`#7?-W1=yK`Ai2U%bqhlgZ{>F2DHAR)&o4d`In#K z#ttw4x4WW9-8ioqe+%uI3C3(LcWzV7{)=WqmwxE0aDN|rxcqXH;T|lkiJ5%#h6aKY z&Vrs{B1SpOUZA=MipBBMW`uIPU32IwCnICCtQfLU3hsfCm@s>IG$3lFrP6TSNNZ~= z1PUi`JM3u7z5!v0OxN}O=OdBa^YCNKPYp@ksNzRe>SPg)-57STsm7x#=#70+`2Rl1}x28X(+1lU>+o<%8)cwjm>WlEB=c8r{t8Bl%n0WXrP?N zh&x#u6f*GsX3{<@StJO*|n6gVXdKoxyR;=5fgE)aAwlMe*tP z@^8;Hr{3t@?lMxkRrk~N@&*<3!F8^T!R2u~tF=?!?UgHJ-dJ&fh3$~UMBFm_wDt}G zVrn#2pxV*lwN&z+WX!QvJAYX;6eZ?m<>r2Vb#1%iY0xRSyuLj4-4YmKk12iEwp1j( zz$LEG{IbYu8b2{da}?wX+qzu|y52ecxJIG#m_-o&_K-UC{JcPBwoo4(c`c$*TWeY2 zrj!2!4s!aZYZZVHvKLdK2=c+qs=ib*F|3T@`h}HoM9vxxd;(7Qj=M-n>a*kW^bF-O!PcQ;-XV5Bc=|nlsm|iO#>XESU-c@Ud|YH z^c+#9Ps73*Z&i2fXoD-v{F*J?JAIvZTDM}Rfd{ohkwc|_&0Ok({m6D8E6aTVOgNk1 zh1wd=q(odj>NDS{4hhCk3%C~0LD%Fv02Dv~y$AVXfaMHZN+5{gtw=3e(QvZ^JCO*GK+X`#ME&X{okY5s*107q7xr=V zOH{1L>d5$2y$OMe7}iJmciIHXNIY)n2ZzD`rOLWm!ny(GeSm$o=Z{u*Pu-R{^1FWp zN&R!MhEOuupp-g}*%b#CvM%lT0}Wc_J|lE1e*$~|tna^9om1o`DVe@z7yM<7@jH!i z&?+JCCxlzv$E`)yqx_$OmL~VA<3~uPcU^6MS#JNq!&C%?{c7Qlcl^e;{D0;HS@xlD zgGd(h#S#kZX-h!a{M(m2`x_4-pc#V}qNwok+5|8+OWbH#enQ*RCa?F2kQD!;xi%>S z$^aF#Gmc;kX9D~L$XF;}nL88Q5l?UVdV`~PZd^udLrF3x z>F&WjzkX3pO;*ByIRFEGnK;N6o) zf+&r~IbJC#sfDf#DpLRIt*1{g{OYThIlt}en;(y_hL0AB)4XP6>Hc>^u73XI4!Yb{ zb+7O9=QXQWpWQ`C`kc8m-~H0BcH3Fg*Lw*9)q{;xwTvZe>#x_G<=Tr2Qd>woRweX? 
zYqtODR{Nn5{(rL9{!jP;&+b4_1Zc2C6ZvHb5oRwq-HSRD&^KZxQVQ!EP?VwH=GQuW z7dSF1;rNskaWOYC2Ps5Pd?kcq`8MFR?J;+&#g<@(t#dq z1%x&M1XH=@3Id7+`0xir^fongeSk((}%ew0XWhMJ0*iAlMO_m<;ngs6Ri3JnN3 zN;JtjGM3JX z3{@Qf>jq3>v-fCv*)^N}IX!rHcYy!X)vdc}3w1y2%c?J&Q!`dL%6(qq0wc3ZTuWcV zxiARHlG>Rf_Xe~I{qnTi@fflyIfT6)Mbl*kO94Ck6y!5!mU?odA$NqBjA-ch-X*zY zwgBV;KnA2Z>6nb$Yx5K%yg@E*Ze8a0D)j162?^%-(+LSHR>}W_4i*+VED|^D+X2c$ zSS>>YrJDA#;nlCfSwY^j3;7|wirbOBiaki;-f@PQ4r zgQ#T?J9|U&LR_2|ywx>tX&Y7}D_wm6MJdO+UFOnz8?)}9pzOGPyuxPxOJWS-;WOvY zZxWvgjy_es`CiAfwm2ZA&zC?rDq;+dzz*svCT@Q#gZ zHgsII36wF&I6Q%}mq-auY~0SUMRjoB^fztP0Gg(zp3>q zLO{0GZeX{9GJ<>bwG4DMG%{p?gl;h3s9_E|t#F% zxerEVyLorTWrPuPvfuG2{X4ei3hE53wrwn{nCVC8++-9VKF6rQgmL`tJL3&vo?kIY zM>+^6!RU2ph*OS%7SS|GyY83w7zJkkAf1C&`X;dkTNP-Du})a+`{XEL?F5e z6T6T?4h1NN=>XQc2~5q3`Y>B=)%~lRn`s+aDv$Bj_$VoiJnx%>vajTRApAh3B3q)9 z9Zn?9qac<32we$XTO%RjI$COcOO;t*Yp%nI7qx9lovC|2Il9ooDscz-qYdkEFllXW z@};BuFJ9~kjKM&Rn5`*j$NgzV!`{wYjZ|Oz45q?H%bR*W|I~~MC07h^L)~moNA~kV zOsy{!ugW^L)cTri@0aZh_Gf`w7I`;>t2Idj5DV-C`&}mxz}kFGPFT3UD%0ftt~!O4 z)RRh*SGfo12U;5au@MpM<1c>1T5N;s@N>%G!kg-|D3Ha0tTS1gbU&g>j<4p5r#gfh$4{ zodQ&I&WO!VzMz)2D7x%B76jCpM0`a)u)71oKU_2Jy9z76Yh zRqGC}p8$+>J|aT)^WMna*ta?DhJ2bXuRyOQ#m;c-YgDa!q?DV=qaanjBJHIEC~-Ds zX4@_=it_*BVtzXbA%^;(y273ovQn&KctfflPsDG+!EOx8G9&>|pPJW$iX47r3DF-i zBCs9WAbVt5y92cS3naeY)R)@FZ9d$}iP(OOW2y2vTrS&IsO&-#9Ir7u$@~jkWyM`Il@RI1fS4lGuINfpQ?~z_F?sef3 zF$lWVNDtgfQ!B9A=u^6z?|mGyJJaivdvU2R2uJO(0-n!}Nitfq+Seugp8Q({Q!Jx6 zZHR+N?E4d|)e)d1?!f;vL7`8sKohO+8>!ic@(VA$g^Sq=g;xyHxQMW=+y2OcFL>bD=7dtyZ0~P$s&dyS(u)2=w*fk_*3=6&}iu{mDh-Zn} z3hq~Lur!!}hoAfY9mfx3^~Rl?;+3?9Cw^HBSbwMm(Q^wk%`IqN@4RyKKCD@QBB6eLz-K0ZDu+(#Y;|4X-me*YjRx8%d72U4A$}3f2h`V_09iy^g~#<__)E}o9iDQoZsaG zh6^}$8=v+A)5aOee@zx)OhOvSHZyVbKpffouNbeRZXX6Ef-TX1w30cbBnOD!wmC(2 z!OAXbyV!vZI-61XRz^vOzFtoHoH5@@I<}~YC2Jn3S9}`g=H}pYKvJSSRek{`Hi;g` zjm9``a0`X+=b=lFj+@oA$3Qz8HC5GmL)!COrp!UY7#SJSd!;1bmlUH|N*DS2uSRld zcOFL(|B+nfelL@h+1aroM!^q=i{-{Q-gD6xE*$zY zWU#6!MxXP&S`ZFJ^8wR2MLJB>I!*QA;@b=F_TJ6}7;2VVX(3Ra!vqHS;u>Z){k!@n 
zok_QQ7L#)ro)j^Fy;TLzNnIU5pEM>Y({(Io%^c6Lity}9!5#a9{Rwv@fm-m0@Z_X zBH%|FIE2HJV*f%%j02ZU->lm_66$$P#88xnL+WjX^Vypf@Ud zO9aMBodP9EB+*J%jgmhCcOV_9Nm3C>O0q+jDcr%R-=CuJh#zj+)fl6$C=J1H>ppb%wLH9l= z$}qDzk$A-Aa=bMkn;6A4Mn5`=HgDA?r#g5b@^*m$c0i6g>FY3>5~C4GKrZ0rfuQ9t-=SUpmx<0&DC+<)>wtV^~;q&-b+MUbX*k8YVXZ z(2NxOkm%#fE4YJo-7arz{@_%ncVE?wmB?!KX7b6t1T3ZjRsXJ*X_%$X)LbGcJlY!DUp?n*xjaeEn3*IU_#;6Dti5MTAe>G|6p12h6ch#c^Q5K+Sq_dWDg&Q1~Ai4;4uw5DObiFXl) zF2H*TA(7bF=$AHb+46=poHne)XMU^S+*cUEgVw{UeVaLBxg-YN23=E%{L7E zP4P2pme@Yg~sVObL7a)4_EN>Obbk1aq#}8q45U7mTwOf^lam$ z(I1Y=$T{R9By2mm^~i?9!8pzkclV6U*jNV?@v8Ele$ku)X_OM$-i7*^m)KF83@2D)#=z{$#_dR5@XA>6 zGfTv&AABr=rl6{CJve&j!rQQctd;wYgZRsr)YL#QP7Gg zLZpmB(Xtbh79BWPhMyG!R9unfyWJ6zGBnV$En1Rcmp{!U>lqI*ia!~Vo&c0=R(V!Fi#UMent7=KWm(f_h;O!Gq@$@ft)L3It`r z`)vT-ZiO1{S)EtW0geXhB#Hs%(yx8NbTi*^MVy^JEO+fd@>sc1pXXSgnkew<8yMyI zu8Gg-Gt-(AUzo}^6;ww2`%Z&8hK8UXanjIhWdcZ5uL-9*5DJLGU=o`pQ>Q$PW^B58 zVfSl#-c5E88t?g$7GW$$zGn)#rT> zhc%;pXIaT^VIcyWJB&c}1e1F2Z6Pd=%U8N@w%}hCy(vF&W;7uwPaI&2sAxmsI|X(n zvQvv)f_dLh#O|_kh8=W0M%lux2uXEwuhjbW%?Es7<-FMd4Aen5L@gH}R0Rgk;RHa@ z;D*Ag@!{RVSMZGf=|S~u`2-8K6-tLb5`e_zwC$%%O@(%!C3J=UbEHkbJwr??6xLhLog=q}r>z55`d zR>eZ?I`*LmOH=-YMqv@y`(xV&&Bk7x@AYv)MvZe@;S5@)Wkk$kDswDmaecM$+wfTx z2g$47}4@Wm--Y_!GXV^?v1a`L~#CH$r=Cgc*8<*iA17-AqNEnP}1VNQ;iQvE*VAV@7y zdLsC3OQt;<9#9@`cVzGKixQg(sFAvQ==1j7u#;jk_B%v01vUVA19^HekEm9$h-DNn z<{bm<{CzbuTg}A023BmH6^mUfu){~|jKqj}kdx>0>F#pHv7b~{J~@n0M)sKCRY!3kW=g-S&U>2>%VV4C zDX-QEh_-aCP4n&x18kM>V%I}*VV*_Xk+SOIsG@AovuT)o{DnKdu~Wvc-(P8c8YajX~zA{YQytq-F~>;_$jsXrhv@D9bHPMUqOTN%NhGV8a+erOGf z=m7Lr?RXg3p(xz+lc5)E;rsUO+nM6^R-KG+F1og4g;~fPx~ZzWd^WhovVC1luVM&V z9fO+!+PDN{XJ5Fp*jo%-|r77v#aMmtt^IUFA#(MBq)t`;{xie>ob4V*j*yg(x z%O=WH!C~=rT8EdWent0Kf-FLd3tX_0AY9Dwv-c|^$^gw|vYygda|}GMfKP?Qq=sR8 zM(5}rYu8z4_q)7K=%wY9Bn<`;|WR%3q4E7>|9rJz@~63`YW zN&KoNQ7c2wa2Ni-*-ylwg$8&GFU=>o z@)4ZSsJB}~J56!MVS&*u&4}?`WCh)tt-falquT_X#edOBqYkQb&c6|4h!Y)w8%V|h zrT{y`21WPtUp~B)MC82bS9WY?2%9kP@J*V}yOk4VemxSeStjq${A!!o<@?ZP`_7DG 
z>x@nG)QMA)ihI)XrcHkJPI$GT(cVEA*}_;U;S6kEK2yDk_V4)6SD%qQ?Ih`Z{9s6n z-s#ODsR#xC<07)r-T(S=OtqjE0655s*Y`sJaD#qY^>*oCS>{d&eq znuFB;_V9wP8AB`pnC8kt1Py7`y;|~S@?Vv`C1tI{lFuo6_Stdbge7vq7V-Zr3efc& z`R~GHbH5oYdDcW4G2|~_@?MjyNB8d@iGSo6{ps}iznBH{Kgl~9vB#^P%b$T4BR@t+ ze+v$}v!rU+<0=`cnYOm@51Z`0c>hhim&=k!$4({u8I$vsc{Jzoy`>~2Nyh7cdT#fS zcX`UcB9VqDZQK4ZdG~1DOYnGK`+klu5ccTI5HIn(oP>z^(ZJU-0$u7c`Z`I2VxxtJ&0#zia- zt)}8R4<)oF0=dK~DJeYY<<;ZfF)=8P-W9s&%cpfuN5w^5Ohk)z#j=UcFm@|)M>0Rn z!A(BgMLsD+md9$jgLg&caYcdG0ESg~zlxAlz>~KbmY_UAAtCqit5CRuw|UpA28ibl zRDA|HHp9$OiIw}H4v#s}(6Va-=3nCvJu>W}ht~rmOYKC2S46thE0;*0Uq(+~=RWMl zWx3r_!@}~eQbM+EF8g>PHifO>b4RQSPB~xvu%{>BY~3gYkNuw(td_L)ugT zDxCHEph1bc46u|E*+=w1(zp>NBi^)< z;E3VaZF-N351>}yf*dWmx7$_!=#$GEsxQ3Rac|F~fNk5?P|z+PUveO;Q>km6hjoPg z>n>G+wQDb-3WZ%ETO>nu0G1S%0b+Cq;L)F9GZ58a4j8d@y+2asvij)UeK<3Do<7<}HPBt}cB!Y>?%u_W z^QS1Oe8^>6TzT9%+@MpMt;c@^tR|s|#Nei2jPXIOb9LM0sPq>&+RRtZy z)w;)btPYpdN&Gi-<Nr%LhZvVg2JMGPdr03zP{?c?=@4{s|C zCeELnt0|lxtzm%rhIs&?uQ+JYGeA`^RebV$LHmQzMlU3=qx649Xl5`@7Bbt)93tKP z-Bj+j?_qQ+H`p$r=j(@d`7=ms_mkg}+tU)z;i93Z3sL(9Lk2#H8N_ki+z58mR9Thi zV9&M0JE)4@Aabz(V&J&DU4_A@SxL{+=7)C!0u{+Phh-xx&ZNZeTZtTwm1-EWM@7G? 
z^w^}cLi~9o|DfK=q)#2jh${eZO%R&gMwAN#uz(rX65886cYJ*mn&6lXy=fjI0IP}G zjK4{yplI-5zJ#WhYWtK5m@erWq#>MGg~FF!MwKF8Va$~qS- z{&nM*4Oe@3^zQDsN#Fm8Z*ahTX>uNlg%BD*Y1f>?z)+~Fsp(wY`X&Z~&_NVz8x?mh z;MSA7&9V?*J*Rdv*Csiy3ZrMCf0BMh`+er=Ng^kZkpKdOg@?fQWonw`+JR>BV}1dF z6^13Zj8CKJP3}gNdYx@k*RFtoc&>mmVui(;@5hERLK?Hb!I3PIk@=;@ z=^5R?Gs&6>0Sf0itUarso~h^xUYhZgxx@PN=RV5P%xkjGt(;w9elSvK@7gy@$Gt90 zc!&q;7z^tmnA#fn!NUA>H6F1P{OQtwqo`z7$Q|q{D82)5{uNq%)H*qcr$Ixw&9Ry1 zgQKbNtralqn%E}iH4hNMgjYFcv2^q4n<5*4!Dr6h`$!FZ|qw|p^xY<%mu(T_#xQv*fE7z!n!Y_46qHtWkU!AP}p4< zg)@3>^bpV1XZJB~X0La|eB(uj;}A4Z(XH4U`$|w00LpEc>*=Rd2A^JJpr`*1qdk(H z7}?p&?H(~-{{}buYuJ$txKXWPy(R4@CU+s`@F~02^=!IYZSN#$C#WXp?2)w;(+^3o z7(6z+?kDAix>F!;DLO7F_&av2SbzB$hgSlk5Ss{6G{w)KsyImV3{eW;Ff5XCU-^yB zqUm$+lEC285 zMgfF|^gz|QO}7qvj3hyzP6$~h2A^WtLGB;(qHAqu>=y;yjndUodfRG-AC`R;Fw;Fa zUe|Q2do+wby|1)~^qRGC$4%FJj~DK8^ecv+OFrPsxtCp@qkq7BiT!fC!ZOVvo-2Nj z;+J>xXQkX5oy&;z_a}8eH5m(QK!_z~FYS-b3#0iYt0_@SE7TZ7_q3vl+o%5mMoD2F zwuSqy)&jH7n9myDD{m9|9{V9}e+CHW;;Qj*$KjZ~)!Y11d>!VU){kkPP0C{=)TS3q zA+q<^7My#p^5)}{M;R_dE!Z?-C<}<}d$VHQZQO^4(mP4jQIur4E4RkZ#QFyK@x+T5 zJs94`C3aTQt?k~oWx}@?XR*QIq1<`RCBfpB7xb9?zN#zIGEU?uvBrno|> zkSqC+!r|^|>VAwl5_vtZ&)b`p`1eR}FSuS`2jm(%R3>#~$=fr@lXnhvZt}mmZ-OG1 zlBy?XudJc+GHVvW@E4)`Rvo8wxNun6Izk|wrSj|XGoJ5qC}yE|JiS0fpA9=5Jh(pf zqXt-Dj)`as$ObW_O;VsF#=ChYZ2mh=x^o}n(!3bTq^k?vuE7PjYbmXt?Y1^3#=%EGKSq39GR{@vl#45e!X4G_$3y<+vM2XgZp$-2zl3i5!J+t7N~c#&(0!pB6C-g zl&jG^{^LkB_r)&3x2T#1bLVt@(Af5H)ocg9uhO;wTos%%1FfqTkA30oOBlW)G zei7$9R6?v4i2sxFm{WEY5^IganCNo9kDXq}mVP^NkXnf9jY4C+orsQAoP%vgUXr`q z=he9~{4dWU3K|jsYul5nOnjp3wtlCU9go@1lbLWs%2&gSXck}nzrz!^h+DLN}4Dt9zg@A;r2~> z4oJVo5l{yy3l2wtHI-UJ1nl9*J6r;MRbp&kc%Kj3gPy1WfcAnLA`g%JnSo-buCHSz|~Uat9G z%Ve)`t69%PK@(oGhoe=i)mDCkzeJ)`H@b4qjOmTUJbpnzQ;dQ|HFRms4f%!i@@O_^ ztpWqx=PVP4X1CrrO`KP`7wRhJ6V?dkoVz>|Jn`fZ3j6S(p`o4JKBrB?=4rEbt6C_x zU0I;=Ik!9%Pt5ovbBEuf-FaE5cYV9I38Sm1nsxFgd{pzud zRi7dw+#{yBczt!nH(#F>X^DfwA4d)xtvFFV@91?g5eBcp1fQ*MQupr*xpI2y0pdc% zuT1CdpXoN;ow}lf?^RpH{SlI~MEvKDeMdsV0y2*Ggd)}u6TT#4*6m(p^B(TIQPy@r 
zLBWPe*;G$9T~^lZJEiEXcgL51d0XGYVEs*vzS5-7oXIQ%a5c0PENjigHL`DIRz}FZ zc@j6D8Fs_ItIq)X1Nj0P3(W?xx-q7SVA88?@ z@vvvzo;uWVpXSbF(bdiVZ2cZHn&)L!3(^QyUp(8kvzhNC9euQ7${6xu_sxg~UAZ3? zU^}FK^Byj|xI?RlmliAbt`&v&;~3f-wPV)S+*fj?^q=j1mhy7hnXYLcTpiud5cqL5kxxIBVML?GZlN6-vLB~Mt+75Yd%kG7J8CIV%KxG4|Me-6EHRdBk(4Du zlp-oJ6CuX(7|IrskZf5>X~ZOzk`O6N+o)_M>y&*7Nu`p=k|m-nAmU>2tGd~aWCw&NW;aViHx%lL3agoi{Ol+bx#?+nTYs?w( z9m<6_x=UEcbCVPTG{m$6WXUdYYnpQXufK_j-p_9XO0oony3Xi$F!Xt`9gf&w1FWK2N?2lb!p#UZVWtgzo+utS z&5`16FSEK*Rk&$e9rX+!d;K;f7s;0|%cKqy`Vyu?esYLx&_T1@j)Wk-)q>jkduloD zm&MnXfYgiV3ebs{u$6q^L*?}bjPUe@H5oj7qB!(+o%r%NIv3@7`Wh^{bYpE{&0ysZ z%N#?+W?q*cak8PS>b^z2s$91w)%{a~Io?;lc$CMd zU)JwF=-@kyNJ?*1VueKB;x3Nb?ag6F1hs}3pQAn;X*~^Vhc>PUqci1feBBYy@KQ{; ztD|>YcZaQpSf%oitcHdL?CL+BCpJ8F4#nQh@rdQ02{j$@@iyAMJ1^(245jn_ZimdC zH8kAY`*;{eSu9oNVGO3(f5wtadSK+^lTy19$uk#!kp@r9sBNW5z5B7!UNS?`=NTbp zIkx;`Hjt3!9~`7#D6EzuB5BiOi8RQS(Vc9bb-ou|zp!+jX_Yo{dAhWn$6a6t?(%UG zT9U@B?4!=!=bZL+P26PTluB$2nzDIUmA`VdSvQg^HGPd3M^3i!wYpgEv39ecoSSci zPV7GKJU+zB5Z=kzsAe-l+cX%papXa%yG(OMR28Ww3rTbfl7ABOGov`0!!Evswy=by z($AqVKeXLAuWEan<;nG?w*=eyh0jqN4?VeZ?b^BG2X^&#V@2&p>jNUk>l?${twjw; zZsR*WrBzvd>tn=eBGdZ$JsaNjz%XjG%QO&9Vd8ZIaS`{S)l(s(5TQg-zE+zK#vBZ`X-o=@+2%CX#yPSL2TiqPv;Uhoe1q zog3c0IVF=~6gaUlC-^(yBMEC8ODD6DoI3)Y&0VXFo}RN~qo@q_%1wEyPZ^8G#PujA zu3APZt;}qx-fMuqAze83(6EYNw!ksrHjv5o9A|P&S^UUBhjAwSw!r+MT59CVPth#T zdJlf%m+hit(`6F4IB6VFV`ip!o8Zj-Omg95P}JpbGVgR_8;gt1{!TvsTVRFS1D^?YZHv`o zg_nOfDM`ULZVH?kk9!XDmOGO9_xnFbf@1;dI^5yN>T9&56%E?3z6IZ`;v-=MW(YMOLWLC6%uwA z-*hQ?SWxxgAR=x=YB{!#YHvgh4SC)UV9GOLj$Ui-A!*;#mo zjT>u5u3!og*R*JG{!(Iryejnx@Kma06}7`)dze9F=(`LG_uOXprk$_T=&e?%!AZtM zXJIw9mvd_rp%qbpxCk|e4f`eGHFMZeNn86kz*DebykMdarf!YM89TuqNIc4|exU3x zsp*rZa~CxCA_RA!P>8SWp1pHlUG}<8h@XeYaMtr=FTezIFh+t;dkz3J$*lp@gfo?v z)%HxnJX+~o8)S?x8(AI3dv+xjM>JdS+V-hj%`tW3!5Bl^r=eQnzBmA;xO}s=woak( zW)!~=E`Tqe=ohO zAA++Ni8!m+YV$(#O)~H+4XvA92dgx=&@xU z9*7f=8nB33vf*9+U8kp46B4EXqdBQ3!=-xu!c{0_GeaK!g zt9)dvS^FDd(+A8Jcu79M%yV6=E?hBc1!oLDy*>rNxxK61&ty01OydB28}F8QseNO8 
z$u7;^*sJ745FF&5_R1nytMeuz)H~45%8caAd$eK6<~=T7Rr=i`?&SfM^hfcOw1+@w zU^=+(meb~oB@dS>mfX`n4Az1+0waQa;?|_QWtV?cVtr~+;9+-t1_G99PhWF=RRP;{ z%L8t1(RB*S4fBrIz>F!Vey&SN%-SEvL)dpi1$Tn=5*uTUakNQdTG6G%#4|mFVdczi z`fPYKE3jfRI+^)q_JXv@Zr_vWf$|nBAMpn|)=HP< zy4J6lG-VkzYk*U|);qVt7(h!z2YKraM0X-DTc7jH{SK382}MZ8Gep~@z#|0cbF6alHFzE|a(3>a4Q=ze#1f5x6`o8!gy(sP_v2TVhY zRsEVo*Y-$h31xWkUL&W$FMN4~3Ni1rIVpFH`OVk*^v&~SKSx3ZRxS2&P5%KNi!qUl zvEc#z-2G&-sl$K;>Kduwh=(R$zkY!>+EwPLa{|UO{eu!$2MLE$EO<^fsLPU5Q*(@k zl5~KhVOP2aYm7S#l+p;VbMkg}4njXw5i0V!3#O)+3eh^sE(KSE+U0w(G>cKl+Q2R1 zE99WCg&>HZTsnWS1t2fnxwX+qkIrY7kAJ>)1Edi2UeWSRz80So|bi+Dy#CnR$m>9we%sXA=@}d0C6fjcSSD;G?y+;Lq z0uvek)KHH$T>l(p!k-#N-0yM5sa*!U`z(*=@b_)|=LU)Hb|xl7BfAbop(GVOa%_3* zx0pe)3|B(pB+&;9)~oBJ1_uXeS$mHnMEv%FK&|12^W-;Wo&)o9lU`GI@=p{%udKJV zC=3u7c!-UIm3%BtUDh5Y9qixLS#1ojRa}?M{^SYaOTo}4r#%J%rZ^Mped>h+whl)5 z2p(j@x@=afYe15*`;h~B9EzuW@)0cde&QBmir#B>Nz2%j|2I!MI*O&9{FNE%!D+?w zUVQV}ppK^}v@<*p@b=5RmW@&n(46QTPcbA{O!$4Yfzcjvj+#zMnC*zkEb3K|_!12r9vE04p1%K4c#zcBgww0jSMrild- zxbaiQ|Gl&N#>Ofk>j&+vICP+gP}E+j<+o&7S{(R77$la00s{P6PEzl|?T3iANUrxU z!p0PR-BHnu4M8F^rvi^h*Qi78SP)89OlkS#z~*&BK;2KLP=4NOTrt^<*#%!QMGXz% zJZn6;zOZW0fY0#65-~n&2z@k0lM21w`+<}+B}8-ZP%mkc%`bfD#Ah`!LXXZK*5OcW zW=vh}0X-7(Fxk|--cKr}n4ceNcs(q0v9`8`hhKl)>3_GD(ob5kQQ`gLEHxNOLf&{U zQyfXIo{zI*4=vH1{ps=3-&0anhK2dHCS|1rp~lsE(ky(f5py=T9RfY{R~fLAdH?KB z(8Y5ve$?*1%1U;(Hi#M!3*F0PS9A4jyQN_CXBBrzzBo%3T7Ply0)nwZFsJeSh8aJ5 zSkEfXEfbVe*uk6mDNpVuvs|FoT#2yRLoLC=lAB^aEI<}owsQJwu<6t1IXM01cRP!9;@*FE=7{aDjI=+2>My6(x;rO38l^NVyA5`Zr zLt?*=9ykaX|FT?X$kcDWl`QUJl&CWLO}xdGUu5BCU;75}SVbw=0JkH`;jLC&0>k_o znRjZhqTI4d%a6S0c74>jg>^qvq|Kp77J4u;G6M1e6u&8{_aiudFxvGcGvwYJRvUm* z-?84a@)Hvit-O8rH5W!BC8pFRZ6|qkdB8B(vQQw|E#s0J=6x(8VrgNLhDJ1sR?IXh zwrRzfk|iX{;=7-|8f~Di23b@lTFSJpQ|+I>W&Z#Ewg;BTP3M}sClN)wnA8na^ZvfR z)(5u!5TpD&S2yfNT&_$sW^^H;1_PY{_SmQD@Rp%@(87BeoGxj8#wSmnL?{BqjkM*M z=sLr~QHbX7BGu{kCxAN%p4&GJx;i_~%@wAJEL zOqS8sg*Pe7+2X^9$`q;`U;zBJWeMP(yo)9Dg$tEAO^^Nob}O10{|2>rm_q_sN1J7* 
z?w=o}cCZP5BSj?!GZsD_YW{#N-l^>MfjNfg!k16q{>h=3-YJ_?I(XyHC#+1^;(gvq z24*{(EPTbB;vKq?W?A3oS$o5UyPTl;@>t>4TOc=s^EgvNr^+*yZNhvDKk<#RtD^1G z9^z6#vK;8^V@iZath~hMXZhz{^R{SOnjeVt*bGKHOKF|_0)3}DF5Ug-W-2XNi-n7z z_)8Yz2=hlZ9Ix~?cEyDY5tc( z6MH}Vod2`;9^-xAG2Rb{4=Rf5UhBH%HRt@rTp=n-GFTWS7zhLcOHNi&4S_(*K_HOh zE+fO=YzFlWz;7%rQaUaV>>WHFnVGvFWX$Z$oJ?HI9#WZlP+7XTI5-P&aymRRv2%HB z`-tO#y{&6sHzfjr+GeGp4_(%2$**}Y-cD@A@( z_8gUquDO8IeEDYGjVIPmV)|KrHGgzAG54cWXBp_FC}~xy_qkmGbHNVOrV( z88zVx1ZlSg zG?k)Err&v1yYtql$KSXYy_CJOgcO*@S%V{fwU4egRrgtF!zaYi{u#IY&g7eq$UXLC zm4u5VeM#kt$WKFz6|3%fI$433 zb?cnz!0q)P)T)W4ckMcML)&n4>vrzykLcWbb1zh#9ba>aYr9L>`4x}H~hRa)wI%*!jQ zGmhmDj_Z+9W?@c~9bzZaivIHAbEV!1L(hn>+_`p!wEEhZ&?>(3buns^qwvzh(n-O* zke8+5m!2lr5WR>9vKgk1Wit>lXfJr8--qE6gWG?-?0Q|zKpZ-c+*X@m!xxK*_)kcp zQ$ze3;xR(W#5Z1#Inn>f*9SRrRp^TExd-)u%--*>B#JTVEr~R|DGe){; z?ZFqFQl}dcpJR_XMXJ@0`XA*5e-0NRf0g7Y$B0OgxNq}#QvL3ZPRB@pd{pl-%VF!n zGgb6bdTXo!ZMCGAmu_%W7{psD1-XT6ewXv)JuR!dsTZX!eT71cDqwemo!Jb|6$PCW?l5!dQ6|zp;7kznTojE z%QB*`4b&;tKI~D4BM${`-LnYQHv87rh_5cWn(=0GNeJhLYyKWSKK;*NW~o<*K(@t@ zr|Ii1{;IcblZ4s3iE0kM(fUy#?DXpOkvLlVl$4p3f77#tx{V_X`Bw?FbM-NH6ROIe z)aJW8i~akM>Cq)W(3HI0?Vfy@aLXf2@i4JR-Ju}$T_O+NgSP=hAwz5XSuYGDe$k~= zEf}y4o=%K0XP;s$ZD4D9nSUN$3KOzx#ZWlZ)QK>BzOuMWkr^Lo=?ZU4=b6$^MzUDG+=`CRC zeT3@mi)!~|a#DzRudQFf$q&aVwmCcI=Nq>^yO+f`dRE5#du}WpkEVw`w=VWr89lqc zv-VZ#<8xl}P>1QmU15AV)b8f~+Bs{NrXSg(54h!5YjQ3ziFzs~YH{jO;ZZmFB8fiK zdg_=xoq<63A><^*HQWt1(mcHIr6xW~Yz2_srAl=o#*DfX>_^7Igo=+Ng({BUjv|F5 zrK&sdShHVKTvtV~{n`ReNm+1lpn~i}E*kz$#kwnpihg%ueA3;l*ETiWG|h#aUEF+T z#dg;U^BWqzdH5)6D&|@+$X;a2KfeV0sapR0^TqGR%CE=K|M?ew5^d&?ZvXLxjg;d3 zk8cnNfoIok56sNW=ouN&;R}f>Lp59a!G{<1UdP{E z8nVLw_Vaz)7~mIBMnxbJE<;aG- zBQYmt!32IkHB77yUaB9t|Hmb+!X;k7C7wTjzO=FeKY&lq&!3p{E)ls(Qbs0L;aE+j zAv5!aE*b(sH8(f?l%Q>*G0x8gW#*DS6Pa`f->JX9yo(T%=p7bA)IQX}J2&7Hkg*wP z!~E{Vq2ZX#J*Hw|RL#=4i_xY?MZk${fh<9V2|t2_9vdxnhe{qLn0rSECq9-*m5ut+ z979wn(NmtM)Hv{IetrR6oitQ9xk!@4?&QJUa&b%vQOFK>vK?VS@?BGp~VS&*8$XMFh?Y!=m=F?Z$V%aT?IRWw8NET`-Aq4YV3 
zDO9!ZG!6_mQQyI>;5ghQ);oDT6!_CQ$8qKbo6B`>F-$u)S+-ldacUoFW_kG1<(RWSkX9mNiTXhdU zMr09$nY?>;<;QaGSA|Q9%gY>wO)sz84rECsau_W1Zp{x6Y(@y0z&#)gC3%UDP04p# z=^Mku&X2NJJt*dyYMPmF+T_M)x<|_lPCxse|5!>i;?S>i`1Yk#FP3iG>qPp!gDeu} z{a}nbxe(JeOlJKC7v^QO`T6-_=KZD4Xxifmj+4XfUq63*{*im<1y7DC?kB+?(J~ZQ zu&_!OXz1wZI5@Ua>|5qpiNAjk-qn@gmLQf`S6`-egrZ zo?^aj0lCwy@IXs=xNl(?b;|H?BFsO}wtXXmgXa{)LmXdeAO{OtSm%F&j~6*V`WhV_ zoycj#q1F}rA)FL;=WwFNW@G7X06PDpv5X@pY{NH?bd$Kv;2#sy)645#HG6*z=P!7; zHkj)*vf%I|w8QCe+AZwOc~~ypis!R`Zi%i5`2t<2fk7}bQtGpg>?YHW(5R@Wfoz%L zB&B*WkKM&29t*uXe_h z)#|1BAzZJBAvxgV3*sO1L6mRorjtvouRG@C<-K_{9>bcWuBN6oR$-F-b8kpl^vS`a znI?~wzBGuv2U?xx-rbFFY$she#-bauOcHA!jdL5f`4O_~!OfX>Mp4T|QsjPF`1;k# ztp9UIG_4GN_LG|%b@TP8(_QK3d-*vzIpP6mn={QR1nZM~mz^(88KNoJl6!YjNYb%4 z-+85P{-g2A?WP}nm1aE!N*Wr&d5S5L zqfTgjvGNG6m3y0U9vfp7NGNDiE<=jzVl{NhIo7KXt@PUu86w(SU+uR?juv|#c z4@)ZWZuq?2`s=)Y<<(UztX#LFNYR5E%{lSX_wIcP!DGa?nw1JCE#nZ7e2P$d*R5)< z;JGhHBr)7Hq%a|4&x`*(DhogH#ro@;-X|^tvNTqbVy|`ZSi>;f<$p^9!F;E7^-Brw z-rcQ{B!5{34_T%!DDST2bG&Pod_ErWs#DS?dTea0E0%HA@*c5>`%b{M+no{n|JRe4(uC<@-GmL41>|S2hVdV9_ zhJcQr;_Q-vYz7pmnR&OA}})~&UhcKrH*xuZsxO+4?SR3Y4P2Ochl zJq~^&e)r6+(ei+C;*D*wkIdLYN7(y!@5UlXYsd4`BIxn>i`g0olkA%JwOsEJz0F9KVi-enMY!TT_aBrO)g%#0AB=D?9S`M7GSejsnHVn~WC?Nn2Pj1Fcbs z1T5>9X_B!NTPcxK*0O6D?HwHkZfAr$en=>ma-X~Fdv9;LuqD+ItknppPrk9OF=CP~ zehyLHeac~_-^x9Ya|v1C3ad;K``U;bQg?XoH~Dy$Xiwdcklxz^p7$NM!_lB-GxHJG zy!W@Hi{@2(_qb*Db!CBHKD0M|vHq4-k*Af)kBve8jFgg5cJQk1l9%JgbN%bu(cGuJ$;gMXKm?VPl4EoIlxH(JLfBl9}{ z=>cKQdtY66g0o+B-db&i3*InGk<*IRT- zhb8ZmJ?1X+bj#+_xy zdZW>0P0iAB6@t9C`^S$T--Zj{^PNiO4dp8jZ4~%Agk-iR@HqV5ia4p8i;Igdb;nyt zW<0285H$bvQZ?^hQWy~@N#EOxaydC!@67n5tA$KP7#+`g$!aK1vp_}MyKu1i$zj9e zZ$-)@%w;kQq`a2>rT6&{ViaPblk7kHoGxa>u8Lb4Grh*W&qYoB)ZC^ces_xKyA!*D zP+yvY0;SWO+pKqff(w-DGs?63ZjYQbk739;qQ-td5q?LL)nJO<52n z$4?taQTkjr=%!?qShg?J;8|a>8az_cVh%pK6z`aj`vaN>E>-{2vYLH?>DHIGLH5goo`L`|oNq-+!~=eK`Hm z#~@;Pzs37h?Mi$V#tAR+O=CpO!ADA8rm{5g8lxD^N|Qt=vaOZ_GzVssa5z$+35ZxY z$)B~YorXqmw(8q8+I>Q!$=P{A%vG 
zgYEI+=Z8dOV@Vem-tZ@0g}ve!?w26>2R#mMxI~q77P7bJqPNM&$Y?`J8}sOZc_HM! z(fCmBZK)|YsZswoj%Vxs68OO}0mNTu$F4_n?q6>StJJ3AN`#ew6S`5$CR-4fvk@eq zbIEqbG3E_ZJy+7KE$$yxtf-_r`n>YZNWpA6(lR_vwWBR_`}MG{Hj zb2JaFP314;gRSW&d#eLZL$DKpn8epfNaUBexVZKXhm^(4^8b?OBQ0A#Hh3NHR?l7Z zIhw_?v7_Zit>4NTv$C=*rIb*3(UdjA*GnP{+3nb_gc_pcW)#v=n7 zc#X1i&%_qR$jjXHnEA-|FHw9@>=rZ%1!|1WB^M>cN+eb#za&3A(AIBk`2PL7IDgCK zm(;Txc#2b@WtFf*sNuZmBu@SGMB$Nn)s_zS9vCyp_!gCLO3XR`mB`V41DK)DU1y?EHH92Kv%Z zMgHmb^GTJGwRg|2LN%Rf_4TznTDbvu)@$WnG{cYGT}$MdhR4M|-Moua_0IR-Jc`zs zsj*2sXtb9k6Lx)}g|b1pw&ehsJ#wAZpMz4!B^X0F{dQ^LDq)AK{?*1%qF-;9giXe9 z-QSb#kUHSy%Xbu>?K0AT&z#RGac{x?j%%1+R}*|CprQ48@8_vC4j-nwP&8uZ+`l;Uk@es;1Cc`FBZ1y-9>z`=N=NYe_z@J`kVH>=x7m;Gk_QUo+vlr|H^o?c`3-$tHqOh^me7Fljg5HIZb%jE#*0vatf zYCZ4epPd3SV^i5*{$4KDpB#Y1)g}|{Bdod*_1uMFpJTkEewrf=oEDq$!lS+iEjGk) zdR~mbEin)?$cR5_fy_%YH_?BhO|=)QIa;^=yy9hv>qT^Vwq`@aYlRCoM4r6`FMeAO zjb&^D1qtydQ_%mfp@Mq5`f|(FXaCrJv|Pg3kZw126aq2Z0|I>f7dN;T=H3QuEXA{G z`<-`4rq+pXgPL`-lmd^}@d>sjY839TqF0wafu@RwhbL?z zj4B#q2fv=De)tEYhld9piu{kgy}kEA*NT@;yi`qM82Id_-~)+krn1|4B`5E8-B;(e zDsaD@;rOzV@?nxpa8std9n{$I@o_lCD>j#LE*a#QbUex+-j#c+K4q`C$d3@9Q~U0j zaEvF{>X&l#E-283bfD;ce%wQ2{+zL{Y2KF0s1n1Kqt3H3JS7WVYk?DAnfQWfBIC*A zdIH@Hb#!FUr&@hm-}L8Oj((P>vTL)p)b!q6l$+UjQo^il^nxPLUTnI{`!KOLG${Ve zFP-nyyf1aU%s|-n=RZh_aCs8GM>ojGegb^PFYWsppPok{;4s&pDRDfQW$C-qr~@s^ zVPfmg=hze;i_y^D7})65JDEj&vv^nYe2aFw{Gh=lom0q|H)WV%=q28vBA6+Pin} zE-Wmx950i$#9+(yOOa@aq#6k<#`@>i%_eu+BOGLN7WUbGFvj>G@qd4QZQq8ptLQ!I z)HBw%y~I=Ap=nc!U&HR)lw^M*dg#sjp5;}$YPqOr2b$_)MGURg_)Z@{%)9x(@Hi|P zzP%YaywCGKpWhf4^DHB)sNwE&j75yl==9p#rGHuQu1Z}>eYqvSHbLE0M>m{HFP0}@ z5r6$i|MifQl;7?i-VWf^u^y<|c4M#SeQUyZLPwh#$7K$cd9WItn?1d1$3Ge*#_))U z{DgG-DLExY;c6PR>}al4ku-++O5}1%p*hI+s2mv*J$-0tX#+kit-N}o4-nITBMWYFgv0;e^S*vTD<;~~K+81wCG zq!32|tUt$qgPbH&68^n89~+uhq&Dj4(9x<->9Qx6rrN*V9xk_CEXKxj zz$+7Dc6H(pA4SQeu^#_cznx9|#d~jpCufW*R7A^3l09sz2{zI9WGJ1bK<58H`qD`w^-1_UxzGgy((p!?f>VaJm zPR%_wz3KwH>4puRatgbuNV}J4mA?})j$-d@EC-7gVOJyqF@fp0{iMr)pPfCN<)Z$U 
zJZl)wlDfKH*f1{Rc6a0g{{T^C3zZ-ED6^&Z`}WPZ+_v;3%0u<(tiqkib?HeXXbKT{ zvZ;lNqJffwESD}_f>uZginq?fy(DfaMI3&s>4sZtDtnZVy;}+#@`w!GGXaZ*e!JqV znVvK0`|~R$rOy$y!E=|@Wy_3_{E1|`OZblJzn_$i^L(W=dH!Fk*^w+;`w@NNk&*d= zCFxo`(sUSk0C{V)#abiu$`<(S$uklOGwD)x}if7!(=k- zM!Q(^zjI2!pc3;$_jD()D?H7N0Z1gu!eTv?r}$|PvStFScEr0oTU51!UTu7*ovqu= zhZM!xbrg(R=|@9K1ThIAz(QHK2jgzM9F`z&Dx-$uzxu(P^3sdG-0%J$Dh-=GRgu$g zdnczcaTjj4Lpv?Lm31}x2(w%vNzkG%6?ox_>+1|Ph0_};0**8x?p-nTkPViJ6X z%<6&56f+Je1D3_B_jn6#JsMMCF5(zupB_9roK@D9@Xo{y$P+S;aZ#D{_hgepl2ex- z;N5e%lN|=!ZS0oG`Oo7ErhdV2`{MhUn7i*!MmeBE&7kTL5nseAT?EQZ8jt0Y##v&9 zELu!P7;gzaR`tA&=g!<)Ad#T~t`c$~g%0Tgq2O2C#Q!cr!zGt@13P*aF&8B(6=Rl# zub!hTja;T#OnB=QZc6NM$~iMLGxGKcQ?qJLBCo&@=>#655|clh`h6U%bF$xRMZ>lF znsBcXYLb5m)eM@11|PW$eE#~B58s}u;MTBpc}s2J$!#?Xz7L)0ko{6?_aSXW-_-K1}l)e zUe7TIre-%{t4r!$5$Dt&gIHtEN$KeA_UhHH%Eivpv&{i;K&s{A$?lz=|5Lk@Y}rQB!K2hM?>gq}}eW z69A0`^m_iNYDf%G0_rKAPIATlukQ|R?yU`tE2t5Ls8D)eA?16NaX)K3nt$pJ?*t2n zx|0((vu{Tzfqm;4UvEu$^Feaf{bwWPMn=;q?%z9z#`(QFg_$Ncc3S|sP z*+Z+ciE?>sPl?M@g-mz(HjTYQHb1)%FmXNit`i6Qmj&M{Sw)j0*wm4CZcVoP^>anc zibFdQJMdl9C)(?=mZ1Z*yQB!R>xIFU_hL*#d3$8rs*^1~@+J%l^X@CMm2O+jovjy_ z4|ii8j*9&wxM~SvG=m=A(8%HLSFU4;87VIi4;kK9K+dg$*3a$3#*5=g*|I*O32+O7=?49PTZw#0VT zfhF8pA1yC0l)!zgs|2{{t}OZ+p;*R9x)x{hKCt=xLh_+^tK&rVb|!!5^b5qshiD9etW|x8|F5D$m>kYNrQ|Y2onC1^oGGqrNmH5L5O!Q>XDx3UgyRNzkDh@cfmwYyKi$Wa zAzGWDB8;xoar=R@lT(3P>(AXVy(}p@0%PP5o|;0&#A*!Ets2V8)tTl-nH2B1cf5xbTSH0p$6C3&z{45m|Cw8noR6>$IvUt2JzDL{3WzlD6lOxf;e*69rN8n z2VDHwoGGLEWu1UtnOX6l;Q~Gk&8&5XKJlqZzivPviB>3@9&bV(2p7oDZFeqOV4!zU zi#e|cKBS0#DXIQ~;*V?=XSR#4-md!rYnpe+s+BUx$$FtZBvhaWAHekfwV*$$?3V5G zha=R)Xat3rbyu{r=AF0qhK8v}-Z1-o&rWqrEiU z+xzzrGw7EZ3SD%%KE6t{qbEC}S)@UIX)wi2?SB>FQTrl>1{m~9ObRhB4#U31XKoK>3-`j#t z;eJQ#i-I1*Ih@~XWCAL-;^h?k!lz@l4=pT;^DJI@1SVYV4j1O-RrR&P&aU<14KLK{ zSZ#Qu9x0lk3iS>E42u;1Dd?};4d2Q-!ia{98*C@}oc8@MU41DBscVBq&SuJ-a`F*@ zciJ0SmNwMu7S`&@999Hxq@+-a^|HK&JIO)0zH$9Jx6e;^sF={z1>c*Zxp#`|r&+8u zfR!%vSbj!)z&zaqqcde;Fe-ZtDZH@&3L}2@8tU(fDJGj9nZ4f7S(KS7@hRc0)zC6= 
z_K7=T9|rG^YFqm5b}{na>d#X2zI>MsvkS^#NZt+6KRS4(o+)LnT+0NMHl2AuH_4Ug%(b7D@*g^E72$Tj`@3kM$VZ7%E?LAUH;#5(*WmO4ZzsBHY86OUYD0LMuv?{&%N@>X-3^ik*_mY5WV!_Q`_i-mQsV3b zG%*-ApSCAW496KtodWY4!W5nNta~PHro#I3?b8x#wJ5V!RJ&-5_5S|;-SMoE#5~f> zN@#k+8LSOxH3d%-B6GJ}PVJyhhCD+v+}Dr3N%teToi5pQ?~krNi_KZABQ8t#LwHu; zcK4z#1If?*KapQ+DNd;n-TMrh_@}P#;%!1w-eQr)$r`lMsf4Bgklw#j5UfYI)Izg= zB`BY#gvOnS)@Zf?Po_im35!e6l`B{Fuv44=?AntWe}HV;@!`Ymlhy2Wn*#0fnd0)6 zBEgXDxE6g18N2x+1F_Q;G!4wj0m25JQYN)&`G?s?Z8q~7qM&becFG>8UyJEs_K(l> z>Q}F*(I(x0`6?MnE3RBp>d_aYC1Ke6OR@n#m;pj`q^2L&Db z=l-Y>i2Yf0KK!CwTosBbd?m}EP?7Ljw%z9P0TvEer%I>j(O}TwFS>}ck}1&h6F3aI zBY;$T@~yOX@V;Hg{`25PqUAcEoA~Xfj)n`>!30Eye7$yFhtpb6SXh{b#(ym^Q#{nJq?hMLyBO0``1M|E6HWe_^OmxQ(WPo12dFT~2jMs;Mj z&53x9`99OpeyQCr)n&9ZUOyD~8?WsJ|HcC3@$KVRk>Pu`L2e6=lKh?aihh`663X0x zRXW9FeN=Yum08T&bcsREIR?W+>e@G|ImOrmHw$FVGSVE@$TKcLB8RmK-Tzj;VopQb z7o^Bj{t)A6K@*$es=7%N7G86k%ly<+h-&t21=BwXDNF~O0O1JurLJO|umzuFf z8N!httR0vot~~r(GRnyg>SXMQpeQUXoV-OQ)$O zcf}wvBdUKEJQQ(B5oCffsj2sPc$&c{dA+y8}haS)}?%e$Y> zpAR;=+3(xjzKA%nXxZA0k5vNTDY|z3hLtckcgzR2!52c=t3RZq9xf1?9#&BH*FjDCpuJxwmkVp{~qfT{wIlPX^LUjTnYHzQ1wj7EQZVQ8X@#sygc-DyiPZ3 zi$+w?cK<+w57{*JC)-_kTprg*(qIli^cH5z>m-ecYP!q2ARB2J{p8hZ3cv$R)q4)}F-W=yGI)hX27jEQ7V z(p$TPQCmvLGuTUQV>Oen)3}lTH&z0=BsE=pl7T3CjHFJKK-6QCDrHC85io3NdnY9( z%9M?RxN)9DwE(#&h0oTs@s-_O`=T!L)5Gl*AIo|$0)31i2Zd{du+pgkX_NmXq`!8m z;=xByQwd5nML_e*a>cBbqGMoRE>i$i+73jez_J7?r)c3)P!itg)mWcU5@|=vUUCne zO446vmX1ld^VqIojp5*$ttg0+rj#FX9DyBg&{9&uwr4_GztLbb%CSjAS>Qe_E_jlM zIn*D9qF2$ZE}q~aDc6*l_*6~5e_EV7VK8(Ph`nV6gWzY>NiuYKrpzI;cM7xU)VS_( zb$rxaW}sgqG6t^vqy|f(dY!53W+zj90)EAC4ZbiSa-yfkaXDrZ>2V^5Qro5)i{I{F z@!aHkoOat=kDZw>nEv}q;LcBk6En8snx<|>=wXh2zAj00JwELBLoXA|u|kW<$>`fd zMY6Z&U7M#L*3r)x$}fE_aE&@k2RI<&%021_!6I$*`MoVbOV(HoeRz%Xh8BpYJg=7F zL)7&Kh8wr6FWeVLYFO6`5z5iRLz3$ty!e1NQC)DhSv!k{O{P<0tr@*z=&=+Z%c#7Y zd;7!A?3~a0QL9y-?I<$}6C(SK$=XP*_s|hcq@!G=a{W$vSwJa1RQ+^G*=t?`&xW*7 zWdo=(BUFD7e44{f;W4)?%g3lr`X0n2OxHWl&VSo?W^O;L#dIoR9`&1xr+#OBWL0$y 
z!4AIA?+rZA%tHDb1y*|2>qjqCxyjN~(ebuH@all+EsXOq1{i@ypPSfhEQEtujn{5U zr)7PY@vrwWClNN+c;~3hY}+(#zw|fB>FLPM!hJNs-!vb-pvQriIsJQY;~@UwR%PD_ z6rAIqWBB7q{&9u;1>wl!GBXuxP*S}{xmDhpQ(i{=XCsS(2fXZvMQvG|{ zNBC)`nj<9*P^b!wtFECU{(r4!+1vfAIhbEaD4Fw;d1e!B;%;t+i-ZK%l>kom4r5Pl zBn{N5kI_81YHh5>M>WW|4W7`pQ#{o{kj@Wz^hdLzD`ZmI%2$sk#>MdhA=847z?!VJ zrv#a>)#uC|<)#8uvaZ}kof(8Y7cc&h->1X`)0?762o~h6uboMkndb;@{zM})DsRR$ zJrrm2Yu;HCS?!Duczl!Wx2wj-$ET)}!56BZpL940cubaov1#)3)9p-JRC8k6wo%c` z6n`0LN)qK!8V6VQz|cSydFOF)zxR!gumoBR;eNLQF7Ef6N52Q$uZh4!oMqLu)hq8T z29S1$WciI{GVUWpkeN|_V$xZt;|Ne8Paqf^{2o1;MJk?0C?brBqU_ot?$jdOQPt3n zh-Lfos2uK~RwLb;LyV8LplH2EN=CGCP)+-hKea>JxtxQ!!xNRNC_d+R*%IYt8&YM3 zH+o4R3NMnM!JP&qVdQD#Ib2!dISVSm6#q6P+Me(6saA7LP)OWq-E zL&c5?-xM~!MV4^|v4K2@HHN!Nh={z?jSxfW8plV)4)){oyFx}qI_cJCEpP`9F?K13 z^fhfiJA&eA9Fh-OOcnEGG8`mZ1fIYhzBk)`BMyEHh}T#D?*jclS|I9ycBsCf+`UUA z%yrwI0pECbKx%3#xQNz!=pFLwE*x;sMfZXh{~b-3_V5Fw!Y2nCh3wy>@g!@b6BGHt zZr+>1UrY}=vpaP8eXm4|3p*sPdk%F#168f(BtsGCvOVMd*8h@MA@ic5BAB9qvYLni zTHtf4U@Z29{UhD?T-U~lQmz5XSoiP4oq9l0PjBMFWImYn0=%if%DP0w#OwmI`t7%y zRfbc2S3<(beg4vnvBly{-PZ`=<-WAyi<_mZz3`F)x3#>qG~j4rLOnewaZR*cn*~FT ziJ95zXlEW=^bT-m7nn~dy8C{uo#=xPm@RKeRcxG>Kg}yBQrlaDiUvH5AawRmJiw_B zhy8-db7`_1$XZ-nq^X&fjMS5AA>`or@NcmtL_D~4N1Yl!JzD4 zSO!~t3~VlH72Fia=)Rj1w>&ae@1As@Twlg&z*-*wW2o*t$oqvgV5+E0#C%_TLuja< zlm#pug&Ku1ZyYHF#eGO!P->@~dd4aqthuib7eax~n4DX8usjUA@N}AVUSYdZSRxzk00IE2I&O_>){r&?n*gOdz*P*5l(C3df17x zD{XCU?e2aAY}Tq7oEX><1>X^NrT4|JhxYr1pGfq8^ZDdp^S8KLtQG%xe!30(Js4LX z1Naz!VCPhw;te}VO-+5_o?QqOfsK^lFpWfFDf`S8^!zylNNN+m!`z)Bxmt1pg8kao zvv5r+(0o8dA}@-1`BHYJC|!Us9#mP7E*m!AOfm&ey;*~G0AuDZm^SaF@Rfp&49~Bw z2<&J((8{@m-#B7iP}(a0zEntLUD-4@a&p>*g;+g;DGg@rveXmQga(`U-apkFQ=C`( zsa@|_fQ{U{ylEHXNug-&>({S=34pDBz)8fRe}jl9-oW zIy59i^;^1_ub~E0LsUy;%QNyQerSy!!x{^ne>3_;LO^f}eCi$hbNAl|Vp;Si=LVO* zQ{s2YTl`T4+z^GBPt%)r86}mR+PCgN2gvb2=e&R=ZOMNM(yJlZ9)VkDw(AT?)rH{> zaF1~h0jqTe#w{j}?OT@pexj-`lah!D2@}%NO6y#&r|?>Fn}52YX0bONFQKaU)RX6hVipG+t?+TM5`6ch=`?qc}D?ET$==X>${^q9LJKzABSR8*S}iT}JXBh%odF($cCT%R{AoJRmIzKwPL1xHh) 
z85R<946?s&z3}dDiqDT1_4W0`mroTjcV|F@?_gmnYcz|L-Wsb2*pfe6b#!&*YX)EMu(_7F4#&`l#=v;BSHjYbA9I^iz_i8JOt7Ay+<2 z1$i8xyKx>=5w~w&*oA}|fP?z6@|lQ0o+GEcgi|%tla`e=Z0jjGYgzcsWv(tw$-cOa zO3438DSV3FYwC=$b`p+fe3uODwx;Ugbiz4b>J=)`4Lu6PA}xsANEE%X)k!NXoKofl z<`Ug1bI66V-ek&++v6bOXd8KJI&L-u1_l-_eX4+jN*K>tmIsEw=^Qz{WBzLgYePZr zx(R%K^zwu1x`Ht+{vQiN^l}#r*;uojqOxkgN=qXrBl~o_rl_vPM`^lu;8i8~L#TRD z0s{3LUD^5g-hdWGYwrLfMEtfB8uuAFIqi2ByG%?>)(Pt0nR4dXKV@~as8V(!h~^PQ zw_clRJ|(qpdK=-riP~kGD(2gAF-TU?&h_8}ug#ZxjlLGaEY#R;i{dWdzHGwrwjIjr zeX`yBQNHuZMC8<m*k@0*t|9 z{vhF8nB0MUZ8rN{TSuo3ET2DrdYPO4gp|ReT}C$Tr{@I2FQ9GD`u_6%b$%x7w)OBi zWc;jm7d~i07XPbjtoG9lBRei|4)Nb=;#cqp+FKHf`FKI+KVG4nmLY2&;5nKpfqw98 z8g>d2!|sGlIoCz@$nhb_PB7&^rQ21}H(~%JIuaaw8SE8J+EwO?Zxri|-}(c$`o>wt zEgqT>U?eKH*I;;qa=Iud^_JArj9qXbuyApGUmeK))oiT_OM?covge*NK$i}x`0WX_L5JRR@%lR8cAT>CDtUe;IkMY*}1AVItQghk5D%R4VW zzzUt-P;ZAN5^EH9JD&@HS0&85tShgK>)@E0|k=Cb1l965Iuh0}bCN zh_^uzKkP41rQOfJTfNGE+NnA`4C)}{^FANpG4KDhLcY8pT82Pva8h0;b^^O1XzD$! z(!Ds=UU2&^1e@yifzL6|eoL3HvRXq0p&&z#qS2xeG>=6}$ldh#iQAOpM`*Z?)M|0N z0_@5mxFFl;A43?_+D_)3->ysmbobt3PjZPN z5jz}zpXvak$fJO-@nRgw$eMTtg7m%edBQWOP}rcWoo1vQ3!0ZQo+2XYm>i>xR?iib# zdW&N;1zr&7xZ86c&Z(R>> zK;s6f^yN(xX@cdX22Y{O_>g zWqe{{V#tVQ-EjlAyFXGZbJY_dSP}pJCjFwKqg8?ZJ#G_M@&#q5XLk3z2YJz z{;Q|alK#Ix_Ai9N|N9F<^9``oEL%5t7mws`Q!z5GKo{p#h`+DJsF+;+uFO}hcaRMSKCcqQnZ_vTq=Z!bBF3czuK223zk=FvoT*EdJ} z4pykRFlP>(Nga*kYu@pxZ(fzlm+)LKA!H-;NW#UyddkbH@2ik zUFhJN^nyG9x7aWOe}?oa28K)mR;?y*2m?+kYy!js>g=3NBT@~YMITwquyd%b#s3UP zrEHjiEVTol%S`hVYrY}!EviaEx;d2djGF0-jgL?|y9k|6mt(LEfa zF46z?)}pfsp20f=BBg3!x)924dwRQ$tT7-uMM4DqYHrmqCXqx8q zFpdO`FN<(qRY9ulXCRpyKobBTSxyZ6Qb2&2qB$_Le$jWyTsTbBT&nD$mb;(;2G`t% zhpciDbp0gYw0L=6w!T6RWROBwn*NXpA&@3rLc&S;4Z*TM=Co-}shOcv*sQfSQambp zIQ2dP#;JBYX(REuSTUwQfD1(kFqP05NZFxtdLJVxKlk?LDh-Ghmkl}nA5c1LmCdNd z3xJ_@z{&LvCY-?UYMFgAPCe`}2%G!$4`bTa)8elTH1Ws?O!2?vv2=(%LPJVm@)sa; zDM+`F-p6`C*`I;Tz2Oe(0%-m6va*&?wH`eJg6#P2bVipMq%*x}!a~W6B>D)m zycD>&-=XIR;H34dJ?k`B0|Rjr_3v3wvqffx%DmiM7+Tnn!vYIT)-KfXkL~Rj;QK;K 
zhGiUMFo1dhXcUI>KlT~aIhg3{>)Y9J#OLSb!J7r*M3rGw|1)2eWQw=^K;-k#WHU}p zKF-XeHC<6MYZ2ya#Rcy$qfN!=0aHD4X)}> zpFROL-q?85a11Wr7sNb)BgA}q(}?zkp4TlrT8{vA+ls zQRqh@F6Lfo4&RM1Ypnh(dZ-WePj?;|Ii}yb4A}`XD2Xy#=w(20Pnv zqmiz8fh@rQP+aGO6rgtmRGqGen%dw6yo?|iWxrqpA(mWt)`K*ws;bs5UZ8NXJh-&d zK*125jy#32p2iasL(z5f^q+d`c)^~(gXHd4_owO{vrjN-1;s=}ya1wsRmb$!K7A-J zPKVtA);|F+<9`)8Bt9<^9f1Vg+1UYfQ%wI?+*v5X%d6qM?(6u+ldH^w@qrI!kzwHa zz!?V z|3-3jbmnHy1qOZtE5**Dt-m>3X3z+&Ux$yj0UV4#m?un}xih^HYoxIIfC^rJ5gHlk zdxi$P1Obi2!*1AA2N`l;U;suKfm>-Y38BN;?QH=RJx~L*r-BcpMRt2v(r9@kMBv|( z@g*-rIwZgFzBM=U@i_BfhI3FNkEf=HW%gWA7Ct=m^+qV zI~-w*_gOJh>v5C1Q9XFXoAs>h* z_qIIQs$YSq*Y@Sn9xfp~HlKZpf?jY2q?1Y)bRJ(979hibp`iqFsHEgGR~`;XA#fBQ z+1mhP4!trEteM5|ev2sOvBN#s=yK@xL%)?__UH;<5LSNynd|fdQ&StP2YOOUjc;4e z_siiO0Tq-a<}jwmMn|^@W4E*5_<#`*-FY~)1sCsh(Z6!KX`o6~=WdlrF|b*&LN6x* z@X}+mX7osYi&~8t(T4N)f>C^Q{>#qfgaks3I2b?jf^!ep=z*B8coQTHFk$mdVs>|R zt%27E{;4nr<{-Pex}b~7-i2Mhn7Ql*vP~b}PC&1az*IK-91yKER17dC7DiL`n$N;b zUcY|*-TU{GH8zY^T47#Qk=W9a6hMfMKn;a%Ap#0#<2dAOBS8G-qWuuTdI8 z4^l))PJT9SkzV1n?hYJnF(BVu`S`fFIC%3&XHN~OgUdB2ylTEI&))a;-tK6&ag0K_ z0L*2tfe8YLOKY#L(uo4w@3I4-v8tfseX&l3Y=%t&Fg)BWO2f*^N<(7`fgWRoi~HZK z)zmsO5vSo)i+AHW>pI9JjSoIzZ(dt7Z1wSmRap;`UJ6croDL1q##FufFAb_12(x4G z^Ofm4ioO6Z72km~$SF=vnCSy}@u$d~hGAZn_OrL0B2HG*TO@NApLTY37C=!3S)ErJ>el-q?20Lwh((O=G6jE}(kkC$=2 zh<)glp^s@oI(o_3`jcBgpblaX5@P{yoE6tj;?3icjgkL-L``A%MH-)a)3rh-hRz0t zk>n}%0_6X#bP18DgM;{z0dsMCwNSBu+HX=sFMojWLtDK3cY5bV_+EV2#j3&W$;w`y zY`Th#U8Yeuc=3{mR~xZCYIc_pR5E`jVqWCUMJ4zZ<&1r-`{!7>GL&ePvm^~#vMGg-w4{_uOM6R3Y1ySM5=|);jVm;ShW0M)J!sG8b>hCizP~T7 z>wb>kb3D&;9KZXo`?&AwIB-UO_qJq0^3*ayLV#tqnkHimlhv7WZd-vgg;1s}-@zey^H&Om|mOdP&XXgIsca-H@GM^;0gn*jQp@Y=cZoacl@kxJt zfs{c_a@;9hocbjxU@(dVkNXR1UA5&`b2WN+_QO3eP(6rhLT|n63QoO}hSog)QvGq+ zXJ1zAx_a2=myGA0UCge2cg1C{)W};P(P~>AmE4N=EL8Thf2~yc*ZaMQ06=hpTcYHH zQJe%g0#$AIKmwwuV2||R67@Q+@>hRmgg$ZS&NtvAb2|r-hf#q<1VXD9`r&D{W?Mn9 zE`6xNv-L44hGkKew>i;FK1xpfc<{Alo_wAhcboyW*YAx8s zTSX?G?Ca*pn4FwMi+1>s&dP!WZK`F2q`zq-BsB#|Q1Y2xqTG*Mk&F#vC1yXw&Gc)-zvUyu_J<@cHQ307Nf 
zlmxtyVqzz!2Km*dzLALeceZXYr6!Vfo&vA{)>dl%-ODQmsSChn zD&1~5#B3eNv2Oc#|E(9co}J~jX?CK^1XL2EP(#CioQI(>;4OD>Ji3Ood~+`Pvi}H~QUpVj;;=59HWU-Lo1~@$R5-!_-eI zK+UX#;t}WjI#J7k5{-bvmAIh0k<#`z!74wh?8d7#fcmX=SY**x zCy6f3>U+y_`98OGgEMjo3Nrr}|pM~n7Zt-+I4Gcl(BkpKwq=iAU~KI^ss$8W3f0m%)qSf5u3fz< z0t8e(aQiL#DM~7|56h``96k&^SBEidR>j4|HvUXf?o|Ej3w?j3e*9?%GosD7sjaP@ znVpTJ=vXajE_f$EHrPM!G~U{2L>tn)L+e+<$DbA}YVx+%mg6`~-zJW=pT>4r#rWmX z4V77Iw^8!(n)rA`;rgso+&i(B=bFSiv>6APw(9&!{`s#%6+MRu>M{;MN&x@aM*i7v z&im0JOs1(Z*&KZrO?7AKxsSinlKxaoCQ%<|yvcW^hH*!(bM~)vouG?DK+q`A-dszUlt0bW!styG9}z35<{TGV#av z0wnD$f!3Rw09vl8QMG+}CW~?Si4q`EKoZZNKTpod9PX@)F&>C4|bqt zRtOLqz;W2Abtbf!K+XY)tc_74H8eD!$bPz}EJV{_+YBs{{fpK1c=)q5Ry~W|oR`(X?>hK7E`L6=c2XA22lymraqvDl?0b(P8CU*En zyijE|GGPL*&c~MJTDR=m0_;d=9D+k0^|EUiL`y zfg|y@eH<6iV?}(eF)J9L8(E+?@8r_|RGUcH`ch7s7Djdojv;db zUd0;9_Y;q4Z`{-9(8m-ka>wdq3&rwf$NdjlZxE{O7j+4h)9OV;A}v?=(AR zug2}q=wgzn4%~dUfLhb#%)Et*?`bb`I8Ec9abk(?YdViv0*@Fi&&4!Hgp&!^gq32&)UvGI0>rXG|j3v6;LF2ybN*Yj9jUKpEeJR+b^$NTC z{zHeR@CS_M8Tl*c?7t8ow&ktS4O+&M>>-*Pp45TMZ*i!f5#zluJBC-@?a~7EMLK%Q z%J*G~zE7)g&4vvIfVZnmp$t2D(zopdxI4B_w*e&}&M1AnGZOti`uuD#^)JF_8*O$D z7dVx$e?~RvHR_p_D_2fWkY=juHB;Vq@1d!WC%uiQwrME09`eVU-ZklpSBuvR2f_Ut zH%#y;kXY4&&w&)DO4!-o!8x{f$Tn-DoJT(i#QMd`si~woO~Ais<*VX0L!~fq^|ivn zn#Ge#Ck^WlFBVudy6xcHkK6a&YRbIHVd=8*aEM3@&&BhL+GpSV*uU`Yx|^#^Hklq= zbh$s2sskYQ9UmWEiRv{bU)#|Xu9y|Ps2Hs2nvEOfCOV%y0~790ze!Y7X~yuPj>1S% z+N>TIy+BSRvMD%zVV#M#q7l%qFq&(B&-qGTdRbW+S{mp8hd>Aff+=%MtJJASS)OG! 
zL^^MW-Js_IarJSP^p3Y05*yl|; zv`YUP2-1t0V@vacYuu-jO&+B8C8AG2_NeJw)B}E!4ye`f&X#I~K7OnNy(8dp^jDC% z*88LnhC%gVZYvtkE}W`MEL4f08!8LT-CN$u&I{k|mGL5T-H`=v+^NI;&<%krfblgL+nTR7%wZt^sMg(dF7E>Iyzkt(b0fXALJ9o@+XuE&8eDx|I6G zaa#OYZmWd4>6Alu7^+HBRjw_Zv-19D-m8i$_cfeqyt9_!^B!l#PGLZNxC!kc_k?x_jzi9#V$~PZQ!}J@ z``*1oojlGSpO%8r(kRx;M zWURYMOZIjOD;_@ltosDYbs=?gF2EuQ*yo#+b4Tsd$H#4(Dn-T%G*M*%S5udjbsu1q zUB6)i{k$cI)zl2@tv_XR@)W~(ov=sD>~a2KE*^U$p(Cd)to z^5Vq{lvC*23grm^^Z0REbxUl|=*NzoIC0(mg-{i1)?HBM55xrWw{G1EhNT%-fQ^2f zRXok<^f5KHo*`QS!0~|+074<2Kz;sHqYTZIs_I60I!E<_?!-nzT^$`vRCtw|s%od? zjPoZfEUfVwfJ=GFp1~`Z@#WmDM&Wp!r=up4JZsp!N$<=5#Ur!C419hIMbL(Fds2)8OoDSV{7um5hW{T@3$>FEJ)?3n4cL;9xnC>LQ$ zItO~KkqJ3eCtsOAwRFJFc;UkH#5oK`?xgGubt;DrvAa~{K)bN)y zYxS_U9%$Ut^IX0!b`Of{Vy`rHV^rSLJ!%7;kPS=O4M!!XKY7x=KLuSgKz@S);gn5v z-E;NW+1SFIuCb>cHZX`xmP@@i`ap81M6r=+IqbaLlhmn+e=r1G0 zk}Z4ul5=M!3uexh-*DL35K7tpozIr4douFCPa0P*5gz##xR7pb(nF-K4W-4UVi_}$AoSaI;2F0vb z-wnNzoVocR;7K4DV&@8%Pi;uk=ArPs$!qslU3S06??qxFU>7Icc;EuvXbfJ=Ma>86 z?4}@VjAQ9}F#KASDCXxM3HNuXTH`l;Gi^shA}C>OTazSNn%UD!^$iR#N`N2+ohFRb za@e=yy6^yp&uVHS#jQ#w*m{#`+VsT4_3PJnQcrXCvBE(aA3Sv)VWMc^i}G(o_fz;F zng*=DeEA|ZH^fPEakt-81HJSTNn3N&Ul{E3C{VDv+rZE;FE^J(Uw0!Ew{7RlDrkMG;UhA0P$-tP<}$;5ZnOpp>;r{rE;FxS-8{v*u37 znNOWM1*iy8NG+|0pI=_B?yZdHlawTaT$|tB>=~Kh!`9;9;DEtFb;#Ewjm>pv6R#)i zYByHwf~D~RF2B>?0h@L&CQ1N5sz>k!&s6)q6_{+7mzUQ#Nt&4;C6SmaH_YZ|3|L4( zk?|lRV!gClQ~Y4*QRIf z7^l9t=X2kB@@3R>ty9O34*|+svwF4b6SQ|V9cE>)fPx}5>#fp9_?ra1UD}dm9YgIH$&}h#9`)RI z01ZSiTF71sGn||wX*<}!H{m*|7QH+)<(l}_Kh~HWzP<27WP5O+GlZ)U*VE$2bCVRw zw%dHfBk^3c?2!}#%r>8ELmY!U-dt`R+5;A4= zlp)U`>iUr}`|OKr#mrysb?se9_LtmT4K8#T=Q)Q@J1*4eZzYf@$fGsr4nOT2|9>>um2ckOyhgbDIU#{|Cw zC=592wx6Hh#mMR0^Lvf^+M%Mgwc|aT@c1hR7H~54;@8&rUmwl?{J@5H?-&EnO2UMm89f zqrt?1DP-C`V2%9m)&y4L3~P&v*t8+e<|wE`k3!&x+3{;&z$CmE2+QDbNujE1hIK0I zG#4jlrm2BJ7iqeSlpnCI*qSBaW;I&f6|JWx2F{G{c2#!u@W9A2_90@bN~6bq8vedF zJ*hE=JYOk&EMxeTc8SdL)Vl|f#R$eG5mUH^goK5Kznx{v5_MpTB-C2~gR-;tPBo)^ zfJ**^ii*myW9FaV&`zZme(NYw!BoBFt0f*O5U^9?!`2dW7jI;c6J8dqa{TyRNNliS 
z;55d3s2*)uSy@1+K@89aXc7`g(8@Q7RY z0Z=(Cyy;MwyZeKli)rHMd0%aRn+_5*f^fpnOdc*SsFXysYDztP^DcewVg#T7L>I%J z+)>ssQPR%3LgzER^r*A-t6?*EP%fY;l#y{xue1t}H5d-9>3+DJ+-6>>XN&MtQ>lLT zT-u@}9aK?cj6qu)9u0yG}_$CsgnG`)>$ZsV<*lXlNK+-#m3rL2!Xpak}s% z&SH7Ltp~)3;fqL*>}k0SN;S2K!>Ky5KHtB)WF&n=azJRNRg|PRuj(R)pg*l(2F9X* z1RSfbt03AL<5$ij9AYe0I`x1f5$?T_8|bk#n{l7F)8xZM;zrC>r*NgDsmF>rp)1iU z+*|Jlc8bNPqh6NiRi;6YMB(k%Z!^%>&m04UNw^f3E@ER_rpM0113!SHsizo`0x|QI zwkq*HxX72!)s&Svtc@C^stAPqERbB%-N(fvW?j591R09M8?T^i6EuW~pU}@~X=%Ym zfLgRLX_a^oi_zCZmipKt8ei5=)Qxz^aBW_t6K?{D-895W#S)F>iXMN51_wI%%ZZgr zYHG_+7X*ocq=w0(!{5Pb{8huAmzDcun8<8=&x;eHqT~XIp$+&92ZQXcp}o6zx3?MB zB(Dgvz`B@;c3QAY+zAp4%!Gmps~{SP@P-)Wgma%T%gq5n}BQ#!UmDhj-r#u3WXMR0Ooe+RbLbfC5^2SABWdxrFvvY$Z`ln zon}UyJOu+-;*}S)ffOAgFd3rdq3IJcSt()Y@6dP}7Xro(R1X#sFpS1Co^QFjo`}tw# zw$|3xPSQvD6uC*eF5W;=u!_KdsEEiKUS7h~CzAsB0`14vem{g)fR_S@pkL1*67Vul zRIeW-JmF)jqGv{4Zwolv-4h>D>2!q7h|E26u`whf;-I+3v15yh(ktofbQ^ZJLt8lg zH8^VsaWL1#%Kq860{e;eLoE4H$H-G^YPAB61Mcv}jM60PoKjIi-Z*yaOc^t?uK@6e zq{9soUt(ND1*l3iFvso2u{&q7N{=<)#%^_v)U8l#8ed@iMb#AZPBS56=pecD8E8yY z!I|eUHE!WlU0s%5WH9VVod#0g)YNokX#o*y0n`WEmIT7#^z@!uUO-vf*jzt7Ec%wC z$2}6ynFgN8eUmi_pX(97jybf_drVmqb)+b=O93k z!{R1d`J+z*OBk50@RnF9&bTi#fh3CWMgSv(2tdz1Nv+k*Zu@%t*s&!Aevz@Un1QTq zVew*^_^cmf%bm|Jb%3j7R+r73>a8^}GLpjh7(CDEPb4p0b3DapLI0cbx)0*w25=jz zf>-yp8?D(%oHSj`IZSFXETJivzt<=08Qf;(`eI=7Oe^DW>4HJ`BdV%V4sYB8vfSG5 z%rm%L@}u}(FJ_Zg2h;~bQH&z4_I;uCTS_NWc&FvtWp4?BfGvT@S-*yVK&?D}90N&1 z6aCb0*(erM&l|NriU-6x(txWqzf5Q~E-9Z~y2@85#^EaeQ9^S|$_$8HplOkBoR zjtrkE7sua_IQlb@cknZ=y(=%|de;q^excH3WHd#y?r#i4(=9uH1f{T>g^FI+t zKP`tp&|E)1`adukyH!_di;~-H0v7&s`~Kg$wD^ROkkggXXb5yu-_iYOxfU1IcS2w+ z1@?RDM~}A9})95kiZj=%AZM#n@;rf?|QIAkpWm82Op2=_PEH|K*Lht5-5 zVy;_~-`%^yPIwuE?D$u#&_t~RzP@o1(g_rkr&Gs=qu@{hdY2uqc3;ZD7VchIfi&%T z@A4?@aBL-lFcEi2!T1z3$|UoSThskOXmPY}+O(-L85m`9vNZ~%tKO|{C~iJ>4PD>x zLI|7$#xj<8WyNRO7}~`Ey%G{4#(Or(ojn`oC=;GkN}FDadexPM$Q_%$m?stQQ(RJ7 z>VP?4pi9{L6nWgOhu~>+b0Nw$m#V5N6hv^Gwik3h`7cdRwy)}k^PUT8H;`-pb)Hu0 
zXrN2N+*3T0glmwSGy{#wk~wf77y726;$jRk09l^kFk#tq2^zQV?rxAHfQ8XrO2IK3 zBUXu9Kmhsdka@U|EH~QVg%rvn3`jPeK~std0_SQvM*B#Bd^n;>6SaMlfc$g>_y~>_ z$JWQZJT?KuPx6HV2j1BK5=0nu0|<}`5i9=A?-(d_@86BVMduV1G3(}nrse~|HRW4W z0K+hnEx9@etcf9hsZ@}Bm4+hy9{A=`M4v%TE_>)u^wXz$hK9>9`WPCm7jq$NzJ2>P z3`uM9QG4a1UYKduK)1ltn@;QKS>BykwM(smFjqUCJNIPRvx#4H0)Rj|fWg>PFW%P= zpQ@j16$R+~AwNGRGLkjN7-P0oRRcusd1Z>15APr*fx{Hep><(Xyzox**ak8Pj$atJ zcN<1~&7GuKhILk63{S*JSGfQZ(*W={ekOEM4#2j(65PGL2}dwd<=X@oj5v)LY9&sz zk}Tpu%$DxREb1fdRRZYRiLo z`57h`$M?d11<8g|j4DeG`b$p_j}or~vvdqDx2wPYe%SqXciSqPm!2I-BwV2Gfln&o z8pucRML{Zxj3fXKAc7&VS(l zfK|%)k;Qm5c}ME?=|#1`$kDl~>w(<(iU2DPft6O2E(pQ;Zqyaiol2zb@RnmjN&~_v z*md)RrFn`f_thnQZPa)>hVTO8>cm6h{QUe(bHF<0<<%mi!1BDM3Qc@cgmK0Fv;a$| zDVJ-Aw{Ua~!}rb325f_hmj9fnx7zsQ9dnQ9)u9`J>yq4vTkD3EDp zn5tn)M5E!}lsd+00J=fFj21a-pgeu}1!nu4nus`$t~fDX1mrB%gu4s+0TeDBDaLP5 zB(ZNg^=L+2BEFig^FlmxYK^a;R_6VPhzN8x-b=R?p=rg0OQLx@I`t8Mjgy<(5%uK7 z$am3{Z-zHi^y*^}!mW$dKFq%PGBMLKEUdJ=e8N7R2sO>lzD|t7_@N%U1ai#_BRT?j zB&!8 z0-%DfbYer2+Ln}_o|HhJYKVntm?ch2$jbE9#jr4PO9cx^OOqlZ-Y+q~NCpyfQ*432 z6qD0C0SGh!!-Gt^ELuf3_0lEv8?h{}xIo<@UJk;>sx-SK!MPOty+9yR=x~w5VuQG$ zA?Ze$MQh)cGt~0NmRDofgpdmc`QWK;-9X1eW-yRy&N%841H5%dux{&{j=je=D+S;tfk4RDcD+Fp!$>n_O6`Gez2#bYAoAYHBw3un!lqk44 zH@;V~=W+<4&U^UI^qDuTUr$JTmWhgr`uO-HB_>{PLaB+M(&)s*L?|I}>{ihRVl3i& zOqQC*2QJ}nKtG$mz$Guev$M0ky&cFtu-N(*x-b_?zxY;@_}HgU*C8P@BxHwO#gCGb zfFv8&U{`Jw1FHcf1O?nuDSK-O6Ut&WV%3U|Rw(?U&>(fPNMr1pLPd5QqRGF%8*snh3>7iHVV4 zN*XFt0qUef>L_?tS^iB&bHhi&QQ2;-x)p>pXf$-%rl23^<3n7KaAN~PoCCJ%-4e8% zvsrjL<|z5qy&P@LiXN2qgMIzupLOa9Wy{w_53$%jX3ixd69=J6&jPJo^%lByR{{ju zD&7YUUmWw*(8%E4XAVG}1Sjwdt@2rlO?~Uhzw~rRrwmfR>p!FfYDh zxYL3*NSnhXw{AW^3{V8gsZ$SzYw#d^14sOghXI^z=H+daa1A{O@E+|I{U!zBM@GQ&;eMRY&{chPy#4D+%Z!%NTRR_x zC9*C*p;(4)#*~n=p<rbkMk>A~R=vN?-D7FuYc1ZAD;RSC}8L%}R(||p( zc}(If|4Q*ZYLEJtb&Z@g;)mw(<-j~;Tqp7NKsZE-@Vldn)GC}s;Ts=7jSb}N*|SwV zb!pe^r8IC34n&RFh<>q6LnDS)x)qvkPh~0!4~plx(6PgL03`|Z9rRNaoOIvz zTd69?;2Y3uadA}-xHytOQoo&H+8a=3JUWC%27MY)XHaymBm}Oxbvbdw=f;g^s4#ED 
ztjV{&eu?c*2mUucJokipY!U<-hAH+lh1iHulEZ{^J-GX!IQc{Lxp#UoWMXWHE<&F0 z7pvi$!sJgif9te5cn?s#We^Ht3XiyD5FJCB^G$S2*{>8ywtWY`rcl!S&tdhac=Fi}asEx4*hVT}nuQ06 zh>Ehav-ede74$zyg-{jz;4;J|#Kj#ES3GjW^lR&(o|6)hsi~xW) z$+1z5myZtwG^dtN24w{-EhO6iQDrR8N5$o}MDPqDUObC=ir-V#VAS+Y-n;Z1GVCVJ zdZ>(t$HeUcMoBqmDq_!F#iafhtn?2)Tw#9-w4hVssRXd7`xA!b1lex#d6?~SOgN9c zECvWU(eA|~4IzmsVs}jKq254NdQXJ~g&X~>f2%Bps|WC5I4~rVs#2_CT?r0~FUUF+ z5EC;1VKl`rCTfr|QQs`}3W~wUj~=BK@dNJyTqmU3#7N;WaWTD;ucWLD-Wmi-_&1J1 zT-q2^rDQ8!T3GlD#4q+(;H3j5z&Q|SUK|Q7ftSC-cWLRovkeTvOq41<&JbwH* zhLuPK7nsyNtHc&k4+*wto%ODz?(TeYzL@#o4`Bx)_yYrLD=Lz)GyuR5PY57;V}lZD z{O)ijAo`)6YEfR^uMaHfZB3--UP1HFUWVm`PD1%;l@BGZ+xDY|@l_JA=$75As0 zJm_;ANr_D#j}TitbNz$$WERgg^DKputABzdP(N)XG?#?5A4SbF4vxxn??s5N*6QiI zaN|(F#L>;#5BEbuvVQBk{R`&! zvxDh>B$of~R;J{x>D@!v-Nuwsyrv%Pl^Jbc0RVFq>>O87gD?$NypZ7F@8AeEe=3dD zxayQ-lp|Y>p}S(>1fsTD3xa2m2LK5L z28*S?cme7|%AS}6W{46Z`SP$k%%U9Z{(p-3+rnVa+}L_% z5g_&Sp@kPVP)IE4_&Weq0mu!N=_hV*ezy@cznC82H&iPJ6%=@c^^d`a2K&g1xxW$= zHfm!)8&0(cYKMsu$t5{jj2N!$%`KTZ1-%b)4`_|J*7irE_JbN?rq_z}mHzxNSd)I_ zOT%v^1iyDGQZRyCA!UuvXww1c1q2H5<&APbz#Yj?8P9OG487kFTXTW-<-JO%w3Wz7 zE%T0g=X^y@d^2sb?NG#Gu!zKbAw;48nm7ea2mLPy6jzp27-t=!b{J-nfB<_$aF|Mo zidsRSGrn&IrjjX>kxl&usX9re+?~{-Rgekn+O_LNY@y}L%JPzuK`>}G2(Ow>EFXs` zu(Cr(pztb2tcX<1Wj<(qdp4>1~;itBP}9wf;0{AG!U6z@XDn$5Edxvf%W5x=0Pe>s_@_; z;gR88ZWe_vE~jNIwXmqD(@>;FAU+RNPXBmUth*4Q@9XGZWn5)55c_!&D}|UC13HZT z+U)bgEv>B(Q5_K%Nr`r@R4Enh{s{djY5MhBNC~BzG1$kAM;3C|9rFA-i4gd+kt0ju zf$uiAv^Xr@G2@abJ^7g#Pr#PQsga&W7I7;~myONf!C>@?m{KPp>;SzIF50~*)}hA$ z6<@;e@k&&#hPsB|OU1?XFg{?US+Q09Ww=ZEi9m=nYn`O|B`rEU)-UlrU4>Be;XCr+ znbw{kcIZ;6kBE((K>{2zkJLs-DFw-)I|C~(@KLyLaC`GLpQuVQK#~LpJA3#P?L18w zNs$dOG&Cd?Ow7?hR6wKV-%g?A28hl;JOT_ZI?PqQ3l=_` z_#PfG_~glxZ_>8EzXG}i$Q%uf6(*XvfkiUd_x2bM>q+yP(hr=%pDPoYe_+;%H3pX% zSZBr-&K!Rl5wV4C898FTaZnydQ?P{1^H;B`Owu9Mdh}>@KXZr3x2jUlsU=ZXCn?P# z>FWiEu^mvbdFZZdudNo|DU{bta3O+|v$NPo(H$rvT~4gNPPmZ z8oXrhS*QkJR|x}tPM$nzYda40#rCNX9x{RkUirIL2!BCqB!7QP3q+pfGp_VULY8Z+ 
zG9Mw@3Q&K*-@#tzWMx@QQt;;p$4PHcVm*7&WB6hrn04kE{Gn$1Ex}(h9jvf&<@ic? z&)l5=i6ZEdyQtJD%rksH)75P~??z`cp7;~k)!qvn8FV@FVjZ}^;Mrm^BfDk5s+2OS z?3HYlJm#xKv>!cpt{t=EMk6(**7s9WNVI)pThSWA=-f|u?%|K2giV6S;Es)(so?)Q*yc>A)Rg_9t|5)o*+IgUy`lH8nOVH$E*A(H zxCGMX-(GX5>iJpsf%6&F@M*Wi!qEcYy@`!~*5mB@<7CKS0=a&KjS~zOT7HzmU~o9$ z9#vGlJrF9sB1kG+4VB5MQ+}3{*p`WpLy&I$Gffxbu{mx0j02ukM_pgR%?SFTx%F7ASg8McgiN zegOe?Q52voIe!bj8lcZhvFJ)f7;lfC*LIB8{o&SUA^->`pfEXY#+ck8F>qH&{bdWI z52ZvCZiWz2KB3iuZ34qKh}{3B=UAZY`FEjKrSZ7X`C%NmM6L}6C;3G8D=lNL9n+JDg#)Mn)Vn`d?&C79;qEWc4vB-I{umpXjMz~0G76)DH+0; zf8c;y^2z$UFjs#!ri1TFt`xn{{0@{JAp}R+OhY%X0t%6TvJR#up8Z7Z(Ql`W*n0~@ zxk2h1Oz{I&L4Bc|(mP$0p%xEaB1CqGDpa%+L*g7FPxWvbWm%Cbt;PrSOb75zy|@OK zObNGN;7I+jPJLG_i5msijTAZxd8`|pmU;g>EZ#MLhx+ldq|UA`K&fBxmcc$T2-VFN z^=7*N(<~l1>A8BWoSf_HnlT1T8V0_9uyVq8K>7%u+we83z7;_KkxV0D;8ZmfOYbZM> z2aTZnI)=G(Kjh{L+7~iYhT-2iAJ#Jh8Tr)&Xcgz9qM_(BixcnfUx>|Rg<*ZqcYzVB zuEd_#*U126^TM?w0qH}%e|=qhWqcbT&r-BcgdY%n@@GCE;eQereHXiQKkONtzhv`i z$QhyJ2S;C%W@ptvOX>5uO=w8r1HgXyEqaJDK7m&pj|Xp^7m-#(*{_7z<^M}@L?OBJ zKLyNxO92z|pY=xmceC+X>PjMp_9P>%C^Z-|1YA=+PCJ+bZ=y`NeOn0guuOOYHRA;~ zZ0Pz?ZczAQ{gT^jFs|0%`k^!b@VCw!2$~>Vn}zvK5OG$`s_Xu0HOd)V>0sXIc~(~! 
z!z>&Ag&?ty-rT|dnzDBrm+;RRzDzD6I{4o}pKlpeH@PU}mZ-;*&SH*IuubcIjN0vC zHit3wZ`g+=4gNEfZM%UFa@+U6MwhDpjaww;I+%}h6>n62z8ZR^U=YD&#eb9Y- zySvYQr$#BQx4HXi^vSqTG|D)O8m+&JvN4V@g4Cll3J@*w<;yV~jYQx`7LcTCVf#IE zHmYZPGs@dNJ{`ZL7at2{AgDn2Mj6Fpo;>lzR|J6D*wh5sHb!?qB8Yj*&{!1^u92nN zZY@il{PJPa6KeywmplIP^i+F!A#6g2$4+bK&PyL!I7N+?I&}<4yvj9{mfO61`NhC( zn>O`emfM!0o79rR=4{*9F3&oDc)3Us^Ny{I+SEI=2Nyn!r1A>UI-oR*%3!v=XZ{kk zvq(Vz4h>22$17b=qoX&iUk}N9kqX{zz}fiJuCA{6%U(dXf9ux5;v~~KC)$q8qwtR( z*|c`;=xb)j1#E1{>^F{a?qgAWs20l@$oPgzWbFd34*KPsv|DB^-(u_b={VKC!nj9~ zR2PM*)A#CrOgp8lJeJ9-fJpfGTOV59$OkLdglD_P>BAj7fyWjU4f)fC<;xoY+&f~}c%|UPZHu>YGu|nx-gJeG znp9kiTs;SA7I;$Mr&_>~mf61k;;QzOMaQW!IA>`*6eQN${0pD0|i6hOShM& zSQ$?~W@1?&L>svD`K&)bTaOt1Xe7Sm=01J$WHWmPDMnneP;Uj-X&36an~qeWN0zfv zt$gUSM2*&D_A=R5j8rFAH5iy@x371l5u!bDWBxN4=ZgK(RG-$~m_v2*ldMM!wb&&u zUNu^(D3*TV?ONt+na=mAH;}#TSB#Ara?WhpG~`|oTGP{yGZ@K#sY_y;6;IQWdq8`Y zWS07_dv@tOnMM3Cayiq-MJHuM$nGo)=ye#QmjCYd9VEt}V7ND&!EvSt0YYGgm9z-4 z@mxQF#YRjmHBRX44zo;CBROM`EY2Ky_|ICoMde7rfRwAMPML8uo31jLoxw%^A%wv> z&WCxJcmqU4U|b>8C}z?keiAkpz>$USaqlI~Oar-w{Rh>?NsHm5C~XkR{4sj*AeXPG zu{zXC@P9+oB_{`s-ZLAeAfKn-I`&19VNJAF$gI*(-eV0q2a2bb7|Gec@M4 zKCGma!vwce0TTqy#}IFhLLYxxfnsn!wFk5|*59Ya}j0AR`9^Y5)HH3JSVC7;eDU_n0J!G)90i z2&C2Agn`)IQa1Ffn&v-S@r>(al2M?#BybaCK34F;DTMivX$bZ#tAJP=mkoI_BGOlF z+h$Yr=z!mlgTCPi5he&r2$JOT0D%+Hfz}Hb1oQ|~H}H~w_ZA{T1+un^*MOqMw6f== zrKR~hAdO|#tXYUVOYhau(9&w!lvMK^X^LePMMXq_m@=k&@$rF7eAa{*ZqY4Uil+8` ziQ_t%Y_dYU4F)I-OJ2;v@|wxoEs%&MA^a@@W@ctuXU;%jkMdDjbo#SQ>z9@fepwD* ze7H&3T?4C^i&bMi%aUKuFD^j%gfRwifWSZ@e7z8g~yckQG_DkxkjL*@J?}Mnl*|S?M$~*mLxRz*PnCFLriog(8_dt z-&{-(>n{$T-pb3nXC}_2d%d%>^KDWG5+%-tp%?|1!Yd&`jM0OgqHtsHZPH+JWw_1u zISl!ActN?zzo3%(=gzr$d4ZU<-0P2h0F#-nE2Y(R7n8Chg)F(DK!BQlYygpEV{1?Y zaEN2OXy^gE)N|pjzr#l)*w~KrPIX4ce({-H-^)W+g13DWrtq#_{pj)I>?SfCUo)x?%%uj z_=VB+TBM$juc^Y+vV3(S2m9__=*(ke_njXWL{w5kU0q#&J1X<7XFRFQ z8OZHcMc*n=IAb6Q@V^TkW@crF7NW6IwR3O5sXYZ(Y>|@?-9?3$u`Cz8_KPK7VNmTt9kVm zH=5rSX+>!fPK5%?muIwG&?GT$-!_8NMbS0j(Pq=%)>jLUPs>Q70&Q=0#ShQ@^A8st 
zj~;Sy#JL04K`Zr+Hj`TH4{-~&9nfqfQ|LKfeRqJ7m7Yu$DzsbvsIM5A8ZY?Ix9)p~ zHaYL+?L}*teqY{wtB!TaeO;o%kpA;M|549#tmIoKx0FoTSwQYqp=Cuj*4j;*gxNC> zL*1gHVqlaOgy5y{7*`cxUy>!9?$C!jHn9mnqj z9r#7O!(g;XqnIp#fZ#aiXN%4FoZ>t>EGC3R z(v$tWv~sn!IBbm{j1vUvUyBwHE8rai8FC21)H`L5kisS+`CQfeTRwe z0rgaCAcR+~?BpMN>)cacMYW9S&+8%-$*HA?KttjvCPMm(Ahbds(REJnLWkm(0?M0V zxO;p8qZ*KejbKJ#8ji>nEGsH0Nr18#N9uhk79ESLDAwSdLMZl8W5VPuC#M>(Grudl z;Hh$O**Rzt@N6bgB>GAc)$qyKQ-KeDu7SH-zE|22q${;9)33LuSGEld%kc@mv>)4& za$g{Q^o^AP>9e> zapm(XQbKlpC|bAR(8s)18_51q_eTv7aTLtVx|>iYN6{F>ZI5;{m38&xU%QqVQ9Buy zBeYdiw7^f;y>@b$Rn5(S013UK)nyeVCnpE9=+xAJ+KA~*$I>fxUrBoNnTmoP3=gt> zUo(CPCR5Xws)KwT5=^@d0$m}oL?L>)R{Pw!wf>D=!=m!4`wq?Kc?08|=6UVDGv0#I z(i#S}`C2*9my1{yD)ZjluSFK`; zT<3;ba`o!VJTN<~1>gf(wzU=qyPWGBOS)Ap}21H`rls zz=N=`7BJ$DNDWnrI%$d!efc1X`y+zAg35vSlsqe{QxfoW$3-Qh^C1__e|1(z2WFgh zKD|Dj;GEmO&mPpmWWZzJFLUzbl9~OdcI~3ED~I;Lqqbt%^ACu+yG~LiIXdj-syp-T zepF~R*H+ArH$u$z$A$FyU^U=~eV?^|oEns7tiLGZY|D4+6Y?scgwLk;RFDeKT@K6VKbQHXJcn=K1aZ z;EBBfnm9e6xIiU=ER24rloN&_Zwrz?a|{Kn{DsL;Q%f8kI%Pem;h_W}zN4HZQ1th< zs6kvvQIU~aqWw@%9}hlwW_h;T6ZAaBnz~<~lgdn4j~qREW+`=fVd3fVV-LL~JJIo3 z)!FQemw&7y887-yA8Ui*&ufD_59dzSHKXO62 zQcThKA5c&bO+1eg%CgnR7SaqPSGJv<@d|Xs#!F=Oi6o{XAMo|-*W;pB4prR1Bhp*> z{jHdKO+89a?wb=sKQO!#TwL7+AdjHzi1)GySt(PP3#s87(ay+x8XeX)wA+9FIKNIVwB6pn{d~&bMnX6tY_-5yL`NFZ0Kf zr%1~JgP5U+B|S9-qJluGl2aoOFwCzCtu-ENTXXa5*|Yoe*m0W-<72UM)GiHqczb(a zzkX0&zLn(irgI*~T|z>w#88W(>a%Mlzdb>K&3(*@-zOC_QXi z?ka6{7kU;s*j;Isad8$zO4{_34=w*IrI3>+)zo7n;g*Xh;57J&^|u90WM0s@gq0OVDaiFYU7KGtaAcn zt}kNWuUgFFp1PC)Au4k*E`!+(dzb&QK{}u$x!r!WA9O0pV(6`>-jA}jL{+6(HR)2d zn~0P#WO$OPWxm7k{~cv}cjMNt^Jg*8t)nH|DvbNZE7AAU9c3ij4-EkK{eXY~j9V~!uu65Llgeus*}uO!0wvVwh||o7dYUa#Zu||F zT~6M9aXI;KTN{b86T>>LdwR}iU|^U(f2dYIxV58`DpZE-r*1uA1%CbP`$aw<*lHqR zF_o(AD2}l*rdmnejy&4g zvrm(lccj!YQj_ZqUn#+qho3j^sbZUOD9i=kLlwO9kNfQr-g^jL7u>c1%_$@9x-`YS(UgmS;(jRC~2?vojKE`2V#VisP(xFhzi0b zgei`e!Qjzw&SZB2ejvsS-~Jdu1~{q&}Ha?<@UvKd#UVa{khAJgh?xpzzkqy$Z}`bg%Mp_ z`&kq4XupXux$n$cg$zb|p)J+pPeRV%e*qk5QrZAFIE=OUq>g9MFe7{p>RAbKasT<+ 
diff --git a/docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png b/docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png new file mode 100644 index 0000000000000000000000000000000000000000..2409df3b06670dcc72c6abe9c0b04656f716dc13 GIT binary patch literal 58150
zL30mPbye?&ckkZqTsajlDzbreZ#&LaNJnV)Iy-;F5mMVnHDH77mf-M_k9h5uniPIX z&&sM3>B>-xU`8p%fdd3~lgHr2B#x28u)h$a8K5AEy{+?ODV3Lv)CIJ57_~(d4X_@U zRaWtWYs1kXBYFcuN>nvvA;TCXzqcP{V3>^c{jl^rb7l)s19DJgY5dj@8Te_|6i$v+gC4-@6r zlLYMugU`PK6w(yt4{_m(7THL5<-Y)w+})?(;pty06se+FTC=ytk^qpNV8{()Y#6YU znyDb$98@OBXa2ls=}VN5OG`^fql+c2??E~-zlNQCy@)WKH9#T3FPO$aq$Y@v(g4mN zYLb(kH8PKYV}7vk^G}YCzobfoX8^~Lmk@!%2tWx0xpf0o7}99&{h8B^cYaTV)BHiD z2tUPINH80LWl6t;O{cxB4GD?x)xhZfMZIeS97jhwahjrXK{RG;U!s>G;0>12WyHt% z2L!;dISO&kdn{U*U21hAEfH8Fd5vx_5xj*q3bFsIu$t-U44^ID#j+E@FL?;BdJ4lJ^d>MXbN*o6Nl71OREVz8co9F40$LGGl=st5*F&C55a0s9CxTSm3=vS%kY*6icb z$%{d^@Dl+~RvEj6C}cGNAwO8S1kso=xLj1O-%(7PCd&>Wjbrc$k^41gx}IZzMUhC! zL0m)6S75(CCf)*Wy6%yA&G|;_D%_m5;o-$|W4pdhV(1QFzB}!E8~hjY?ZgI0EDc{f z2%lT0xr{Ld?D^urA}o<*)M}U{zJYY>ww=m5?m{e2Y*g>CUhwvqcQ^9+^Oi%Mk|hlF zI2ik`_tMn&T}?t2Q4E!|=h?Wp;^lZpxz}#g8aJO`*FEWRWOi;&YIndnr3aTJ4y-LV z9DQp<1@eq%JTG#6`nXfzIY#l)OT^UE6=M^Ve6#c#MBfy`Q0OZl;fu%EtCqkYvIzX4 zpthmmS$jEV8bhM<6A_d)n~P12ckJMWXBYU=Kt2YhFxwzgCudpT77eNc4Am?2h|Wb) z;}DvPQ%j35HK30D20M=PF9PU@KL!F%J!OOD`bJpV7ut+u=B7UEv(H4OOa$c!sQZ6< zp7?w8*@oul&$T`xEL1O%)3R`0C&?@)EyIKB_<^ge?JJ17g!7<$@#{<6rIJ1SbT3_Z zSWvOLmz1%KdeU-xcFEBX_cUT14t)Fi6;?}rUf#2O{F)&tyxGHS*JiP+7r?0i)IsEnhh+fidG$=@uv3uwm2QM7@2^;eK5=y^qx&>&)0-sJJA*tF1gv4Kx$bO!icH&Le!PdOPD8&ikd65HDdTlo~ zf~*3iFGoDyant`JyTk{H|g<;$0UK6=rSjhJP5`rtr?*dO?TuJ;T@<^C6JC2?1$ z5Lj_{Yb2`6)y7BBrdiJ?K@ZN$<-cxAb>y!wwa)jw(Z7%&=FGeSmDRzft+E$5MA&sS%{9w<%@gZxMAw#)H@ezB)(LGt0 zUNtr%g^C!Xag~2p$X)C1lA<#Ii^N0-8+!Y)W2cuUFfa%RZrY!PoWIw-^DeK|QcR-~ zzO8W>g`?$p6T9pr^$ppH-55&-PwmVOgzrOuL!6LYfRQzym8wu#x+|Q z>1_-ZmAT_>aWZ2b6d-%q1XsWH=QYn=Pa8$+Cjac^_oH{nE3u+JR zHJ#_OwAIc&Pj-A*(fRUzed8sI{gy3HJlY-_NIW6%k0f4-+T_0Xtv6zas;(<++^D-` zI}D#T3KCj-=609;X7op>FK#WhH@4<{<+}_m9&~R!-G}+kP~5zHx!!N`k0fhsyR1a5 zjzDw)75LnPXTkG)9vGnDrfl$q#-zlW$bH09i<2a9qOhT~5EjS9Q?(e%3^Uw1mzrWi zXWBgvQS(6JRr5I2LI?9~&fO3xsb@ZJJ>1z9xbViN%p%azY`?WhAeZ}r!YD1PCORxx zCD$gNa-Tas?=f0??D(+q0Yq*6vuH~9mZ3*OV(F=?o2`Bx=Kf&|=wuwA?B*(?w5ZZC=H5|B6fz>BaL 
zh=F$@H?RE?Ikz7%tR-CMmjN7FN>U0O5yr6z$-RQYEG~cdInl^NuYLH9uejo38okkM992(t%)dz4MEx6O;M(5@n z_Hj-uow~~;qFBa)n!beX{lJsEU0trfx3Z#DfyCEQ-gx9g1^?TOw}tUep3)ju&OdYx z*zp3g;~||v7Y%)~qv}Xt@(s4NyFs8}`+nKnEM4&QVrDPzG{Sfaz820P?EH0#%6c9+ zs0V~SL(*>zAuh^hZSUjbM!im9IGwOF_BJ-$Ys(;yb1H009N%kGWZB}NIBp;j>tdRs zoX+K<>nAPc=4mH0>2p+UW4HBLwo}+K3&+#gT!Zz(WRjJR3bvag15f<5gU0J#hLS~S&>zCiw=B&XSw<$C+>n@7ss#rN5Cky1CBuC1F)J(kx@ zLp%^(X2_mf0;rJjrm34zQ>?%Le2Pa*fX8*EkFUb3D-40;3EXPvPve971iQrj5+dsu zy+yOnU`Bz^mh9GsyODgBm9Jf_ot>RQf8>_fXcoVU!4x#4=o%GWV~IF<37`qCEm8Z@ z#fyXE<9Q((B1%e+kW?r8rMqzZr2+-kt@n%1?k3@d6a_9kOm?gMTpZ$YozoPykKVF} zZi+&BKg9OC% z!|L19H_^W=viG8dDiBda(q#A5*;tTzaAiLFab%LVEhUa$n|wM?amcI(|nEjeyOjF3&x-J zJog49^3VHM7a!QafBGisv(pEAe+z686c961!st4y{tEie0f%h8lF9s4jAC&O?n5^2 zSv!hJBM00zEM__6n14QpFn67Qhy?45lwLtHFM0y>HXMx z2fVZN{E}=*Su@IW@o!=k?l2XKy=w8F-{Jn(ho3~@Rt>_$y$OU?x&_#Y!+g@KAD6ke zi`) zME!Jn)p(THrj?t8opBy_YX>>v71`V^5)atqOkcEW`Fxn)vxOjvm#2E-GG8@(evj=k zZ$%<&M;Ye9Am8e*-a^1QySVjaF{YWG0Be{r=YVM$33b)ruCQ-VS35SFdng!q#~(i? 
z_&Bh2#V7@x-dBB*&!?9j@%~lYZ&Fa$y%clMyXu@j$W~b4Q1?AWjxT4Xc8rhYfHSm} zxgS=oPocmG1>+8nzs>Is2Nr=SMqc5+x+09|+`HtbuC2TY$GwErU6y>EJ4l)egmVrv zz$2$GQVr}z3l!wzkv_oTTG^U zEZ?iTx|A@yTvb(7MdhkprI;WEGEIg=k8CujA;cg5PdLZ_q9f@Qfh2Be7YoTrM!S^e z_aF^4WRtyR7gu&;kVf~*P`1dI1fKBd#j96y)6*~mx@eY>s(!(j>N3@rMKvH!;3bth z`uZsBuey`ifr{XKX=yRTXrfZ8-+~w@eL%W8B6`=+C-g8neLZ7C7HJ9sP{~F;Vo5+E zRa5vHJHXGwH2Pnn5hy91^1ppxrvfs6kzdX^@^56s2u~~Or({wXELB7v=-+=Q07n(z ziewUq5!+r97HKNty|zPQyt1P5k9Y*{{eKaU$jU(ff7vz@#7zk?n+a^QI%x(Ub7J{DCKe=MOY^;lX}_J!6R#PDoI;_r1# zk`)jjhAy1_MOVX^Hl9J5xh7LS_7@#3*7s&iACG<8j>fHypUP=VOI+*K*6cd|$V`BN z>^$NX6&2WBKQe{OZW?JCY0IL>rlt>bhrpe5%jnY*JvXI2AOD)Zy}jDq>i|e1NAWLZ zNa===?veMi#@#cx^ay0=-$&XPQgZF6eUJJcYc=c!=Efd&HSr%sh&4sun$#373MPOX zREPT>7vq#6{(!;vnD24?0XzO+8e=Ic5pDZ_{2aM^p$KOEpFf8TBmz#?R$IO_9-N&S zZ_Javye(GV8_>km!)|Y1#P%IBL@G!>#56Vc6}^86FB9@+`=_SX@$k$8oS5o+Vr^{B zraoOoi6WMN3vfgz{5E|lslz}GB)i(1nF)T8rO|w%eV1dih{!EenP>qgKUA*Zbc_8y zQCKh}#}pGC`~1xToI8lg`5_{v`j`4+6=vIyBmEj>#EgBL!v;lwHGYt%Eox!1HvxOJ z8yaO;bRM0_yqK96YgKatH!|$l&|$kkuO=;FH!L<;_Yjq z09!hp+=u0gBgwlTuUdPuUi9v>VvFa%84;nl`puqV4^G!qR8-u%c)}j(osIZtdCx8Y zdX9-<$i{n0JcEv25GIBP5o0efR5AGokz$6+n?Q|m-N7IzvExjw=ykIV1|5J{-*8dv z9wWqA`9GW==CN;NP<%vRpd$X@!GrUk(ao|>Bp;G-cuabFoH=(+=jA$pC+oJ6`y_3sry71^w7gHTT-M=sr z$Kdh&M?_37xNt2JAek43YMZ4s_#Z%V^aa|dm^};NK$&gKxG!w{oRew}C=Y-Lkc2uE zQg1=(=7<il39JkQ1%QQU_$9(B6 zd@Bds4M-_09!J<6_wNoy>1^}TI(Iky;JWtV-d?*Vi2)B>U?W>qUd;)|L6oS|3>d6> z`=^%#IqgQX&y`KR_NPo2fxmIYZVI<e;NY%;l4 zTOwy&_vt6DuI_9IoZ7CR4tCvO+T{pc7$T7hk{HJyg<;sp2Nczd;0hOzibBqGh^@X~ z{Ukd(+iA_|J6PX&bP@^g%|$uwhX0h{G3@F7Hm@-ErUJWNTU)LZnKT^lGhpaVAzD+` z@wO)X*&D9u`ZY(>h6_ABW!mJ)P4oqN)t74g5YG+{hvQ{TH6}CkJZp30Z8&;Ak)$lt z(JN9lpA&W{jG@Y4{N1A|Kn;07S3H$VQHeD<$@%E;8Q*haWhxRTjV;`{L2~4KDQxNJ zIRga4N9`b_=hLiDq%g@m{=+ft<;5*EAg=fM4^ST#j0OZ;HLAYw>EiUE#Q^Mi-+hyB zxQOh&v^m zLDVjUsAPo$qLNZuQiqUeDMS5p>tCJNdYuYyCMHtcjtUTcB;Vg(z)hIo3aF}go0lnt z(vgBCZgnrdSAs`m>-9j1+=t_-O#0ckZqd-vKHPKL%s|oOpaK%{i0O-k#>cazZuMRb 
zbZL&KrVV`-bE%=x94*Hw+6Li4phcyk$y=X!PodPA1ZF>7J%uuoXLZVE8CmU%~JDVHC?%dnskKW z;3vPj%^e8i(B3L!NqPU&g&ZlUJ5sP$3bThnM^XLU^$sywrVnu~Zabr$zrAA$zHm=! zgZ|_>;E2e*C_{F9IhTvpBWMpW1V#Rc6Y7UN#(Q zN!1AA%9Hp$YXC;XFsIBU?3KAUsP-+MJ&w6&bprE#{8G+VfUKaK_K?ld&(<4BKv-t}}MYCJUwVlCm=O-Oad)E&skXJ>0JZr_-)9zFf zgvWbgVnR67t-ke;+&ITrj`QUbv*9*!XxzP;53kMFPa>9^)9em8M>rGr- zv^V3uct$=g&dJuu5ycCZEt(2K$1BzHVnJeiqzh_Hihl@a+q8>^BK%nVz)?|gaBxsj zQQ0J98L-@P_nu3M}~9zdNo{Mxu%x=~l1dA25LCxE6dK^gw_~(|;t~qpQ(LLuH(4w3q&z zVK+#$iwK5XhvdS^$<*Xzx7(rm=(%X@x%qkecv8!=jdqt-Me>N zShRsT%ctEbc*cU(o`avWk294Ef07(6By7lly9r6;H?$8f%G9*9NXxEVtF0_Ik};Aq za&M$)ziuAq`unVSiok<1@jj?%Pp)vLZ4bkp< zcD#ReT!b9P*&^JF{VI_jSh{$CXZSSqSdpH}Cv6 z(R>B0^8p|LS70tU2~8!+*;(u|ri%16A!)Z!|JB#m-^$MJdm6B7BJsCUKRgRtJyszt z?Q1v&03Je(%(085lx<1$E^M1e9 zo79v;4fOyTUMLy<4CsCs{ukPC3kQs(Mgl65t*{@FGJSE9?g|VH1do80tT{Bgi=>bp z?)p)wmI7S@r+NrM&~(^uTP&Qx8-9=XNIQ)ZU$9+g)KeQI0 zV0obMFoh`ZN6l3QA--3zW8MLgzUpyp_a4{tsEbjmM5bNZ8R~tX@ABiwUA`ST5x+$&U6v?xQNG6S zV)k>{mi>|Oxk&?_$ zI3AiVsOs$L={YeXA7%65M)YuQqDwGKvK%{m3Y2WOWI#|#Nev_7K6vzu$HZZrQK;1$ z41V_^=odAR`9{jiWgbB050}T{)CW}v(!ipGLfrn?(cHWYv=8==6p>B-pmhSi{meo{ z3BZndGC2kTD`S^%p|m2(egK~HtFeVv5@`XiMjZv30q^KdV#?|=nYCV%@V8*hy=_G~ zHZ;!Y$)WKaLMuEMwm8JQo0(8`U2sC#_HXGtI!cFfSK6nnwy?b?ElVdkm)-v*3jCm= zmRCt34hlf?#(x_)rT)lI5VMMNvuF_NLT>x?akU>4!12qp^)9L@K~;D0BIKN&+DB1( z4g12}6sDaZsAR`tRTvg70^(konVB7UeOD!M_s&1fOW&a5HPbT z{^Mikqrk5#eDfAmoANR_2y9RWmA{ASAZ%xtU9$f69jqu*0%0U~0Dd^t1fT93Ja%hY zpINN0y**JQn3bLVhVS<*|6a!1#?{f=F^{6cE=}j=vruX<>-l!?VJWmp(X)KH*||dgT229iZqu zWeMDXVkp}&3UNC1S-Pc-rv9>ec_ot% z|G0T6g&7&r0_(jqTulh%#gIu=NlBpBHDF}LBKMJ zUI($-@F;en#5vXt1?Gz2_Y!W;u(#t${BA!FCzK~@S7&EuEOh0b7tF?-e0;mEnTd{O z2+GUL|1K))<8haM1uo#4e6o&^iRxm@s6d&h-@SRx*8666nZ3 z3Nejm1g`CBvW_zpXjFM~TA2a2W;mNO=EDr$60>GtJ_$lF+M$3xaU~@Tks!&%snU&! 
zNqg@pxImqJ^`rrhi{$nD>b&HoOyi8%vAofB%;c2y&1-?DVA0SfQEuX~7AjSk)6tfnt0*#)tB}FbWMudvdG>Zlujk zxA>_;<&{>u20p|@@@`o1=?^2Rf7jB=qPh3BuRVM}Y4$i{hlhvfcfX#I`XfrVj!OGN z@|glxTSwy_{mLcSm*ShqebG{AP4`uTXXROUJZqq_W4{AIdfeU)*rT7z@_oi5reGIM z=5r~$XmM~DCoctz_ey-J(2wWYiDvf{Q#wgPW!$J^iT$cB%r1NHE$5Y8#22+?e%8t934lW4mQ%{73;kO?WHS1r*2_ z6kq5`3HxS&hvLaajm>MC_mUT{~u|#{ZO@DSn9+RMfp<&VI z4r)(dh#6nFj4!S)iP>$av{dMrYQ>h(595dNQ$>EjZ^(R*$OANvEaT;DPT%I*b`w+6 zEyu>Q^Zu%GoQ{cYUSJvf0Vz=+MSjD51u(F#*<$CUR*~E%;|<3^vl@o84#Zpw_l_+Q zre*ykMG5Cm72$c9BhPDwLC}P*Wv@b71;-{9^}#0s|+OgT%L& zDhgB}&u8@eW@KNux1~zpTd?>IfKwIMv7xVSmEJEP*z?{X4CmcQV(0 zEa8?u9VNf@Ui5_XC}b!x^sQH5afo-Fr%*S%g@M>-8GtFagnjL7UZcU!`GxqjHe|cm z{qts!#A)-yrQpF$ycZbGMiR~mC#$~WZ0haDaF~LFR9=V8-+FZ>k~f0T+=u&vP~Fm9 zB|_(DL)s&=-S_Q7JzAfoBDG5*+qlBlD_H+9bKEOIIpJ#ItAjC$s_q?2=f(gTOA z4qaSabh_&oajn}fV{>x{b8Vqb;bqqJLU$NoA+!tCd)vRLd~fpa(-PjmUEJmt}HtFf)q4TnGKcks}N%gA7CO7(K`8oKVa|&&@d=A!%cyGSyHDN4KGNn>T!tLaC@Z3(Pd2~FPZP}u{@zi!jtJQQ%<5q_z;T_yTemMk?B zMG21$D}2`@#ohZ^KBGgm>-^Sn0HUefGgbumaVTo&S96{CxfJAi``kI<|JkSOE&sUw^|lqW9^DLsn@aSsfC%C2a!fLC7rj&3`ntklm1WH>dW(n*1Xj32tx}?&uwki? 
zvxAMa@Ep|T<@TMXh12!#OET}NB#Oam|7kX&HWfe7e(*0%{TN|ZpHx2md5=$5j1&62 zRbiBT`h2#cb${9%`hE!r>npirTV)zcT_qcw5+#50%rKq*OiC6%FZf3!6Uu zcPP&aGL&b6Zcv)+tbiY*HRKr!6XA-c#&pj8$kdr`eG?r;Du88oToe%&RzQd4)z;p= zABQpQ;IK?vgJ-5%P5IbUs&xE|35OZQ{Ri+5RB(T!!<>JnV!rQ?AWh(_CVpbk;0p|K zjxdZxfNZvb#1;{LCDaUKgAnxrcw=B@=8n9`Wk!MiIpU}mHY{8!BaC@{HUf++K0ZD> z4YJi&iZ~+sz`vinPsrLvgq$Q3mT-qOPLJn&E!!@I+SN%W0ACOD@j{r|}6 z*CM?N)!5r)AKM!a==mpSoB5r1{-vo800-WjQHw^=lo}w2AD;0408iL)1(9rEN?;@ zm!@_j4(iqcPi&`vPf7Vu*j*9?kY)ok{%k|2FR=y_;^QB-w{y>O((JTS&QUH_ zzN_2>S-s*mLPQ%P2OAq?i92X(N8C*jj~j|`iK&l~h>ei_B2|n}#V|BHjATUZ{!8NH zG<5v20(58ZMwLOn{suT4AP>!eFXs_z5SLD^%R$MvF8gsYtl0byC3bM%O z>QPy(_v~;6n1Mf8M@x*|`l*vqT3Y&Y_?78F(bcg_OG}WG_~UhKy{pkvqNno7@{^P| zc*bECcUs$!!Q7;eKPt2nq7+5NQ_D%<{M*_BKU~SW7&I!l^l#BS&c8WuDHCp~sia_C zaIG73RwkLNcUn>W(2b}Cv@z~@98MfZ2kjFAKP^q{O)?{qa0JJ9rk1_@|Ljni| zzWoKUG4Kw@+}xy(k^1&awAT14{v!~OZj zkO7)pK>dg(3i7k>$$1n8c}G;#-ZKEz?iUzOj3nw(z|yWpJ~f;ObMpxOC9xmmeMFqZ z$P^j&z_mWTWvEKQAqpn{yb#duLa#%tak$%Y#e{!uweJMuEdn!Fp|nr*Z48A>fO{VH z&zsPK`7Jz7WslzZ6n=c-Y#sR z){6(Nam+8 zX$1%0tF7Hin|ox#fBGWbT}GyP!s|Qf-Hhi1M2?W-9S^e1=qpglex-o!Sc_ir6pO8~&A{4z3Kl=(UHKVnf`BF~FNUK7DyMn%nCt?Kp@U*j#GUi<#>&Nx6u{{H@{!Xd1)*k1i!L&>x6{#^W&ah@49K5z4ZM-n?2 z=(q`=@4}YIE-pMeFCh|JuWg9gturmoP9W5gw7MpAN92 zcMH)VUS~(oZG#CbgIAZIOtN`X5h&|jH78O1R{DcC%tHn5m zaKef`ekv}GgGQ^=;ty--u!M^2`3K;L$xW!GJmsdxU)@8nXXrhICIY6=Dmf%>9EjTQ zcH$*ZXl$OPU+>CM{*6`{P^Gf)dh82tsJegu&aH6EvPCbwg1vqnoH#^lH+Y1i7Q(bX|!nIx1J&L&RHtQ71G_T!e*HeV9BS zJ|@x(I(v2qp0s=PK;T0nm@$v96C5|RC!?~z%@s6Xn~RZW3-;)#ux}kbEEJojZK!R!GYHnt&(ca8d3shy z>F-YfG`lYqAMCpsbIHU`xp-^GDO*B8p;zPx4S6Sf#}i##Tviv$>MGrprB6J>BE33V zMF^(c;`@wz^&9ElFzK)baW^WMEc$A&Syb^QY zH|=(1W9ca1Rg*8XQ>sStnThz5OBePqlsx(jWEF?4L~Tj*m-^O7$9mq{s+$+^4isAo%w^NQ+rN64Uv@#E$DhRxbHP za@xM_w(`h|oo`%M3zU1jYkvlr|2wX`Re`oK&sgc*iq_E_DYb5knPzvV=&?s_ZO*TP z>(_6x8Q!be9)?`9m-o&MKx$BfE~CMt5{ue(nVoP)N4TtK8p0@$>JdIDgj~ zJ@E7UrDakLh@Q~J;J<&1n6cuR9y8Y2-~<^@g#~h6_?)Ac%GA)cj}jWC>x$)-l5RUb zOJ@l3E{&VwlDoMCKs@{u)YGhjYxSx&W~ZNyM6t{+ykY#U!;ybH0}yk}o2(^2G(u!f 
ztFM9KHXqj>_9$0ePn9E8w2h<&d;E-8wKRKp#oksn(?>i%$kkJOSznRZz@D+Nemde= zTh6Yt`k}>+r+92}#q|>^>t5e?(M%q(f@G4Ex$(?RL5j0Ycm%ko772mx{L0p`arpO82kZr9+DQ(3y>M`^PhBie37Znq``~N zMnKt_2$3tG}%+II!bd^pN zy3SPxyKE0~shm#FeD`+zOO8g`?@Ru?@5&*^z6~^7pSy4(J?Js62gi`(%Sv@FDtQ3A za25axyRf4|doR}5)~C|-Koh^2J)$b?SB6U)(p?N5bC(ky$1c((tc7MGtim$F)%4;P zL4_kw!GR;!#6WA9mwotKRL^U^c!`W@)aXmKNk+_<$6BZVw!cZqd9O$Jd_Uiyjqj;S zPK{f9$BHW>pHWo5#>OkV-x{Zq-y*d|XlboUj$&*c_f~6_F{6w<$N;^hTM3yoKZ&{|lZJ~TX zCAHhkxRdcl0d0lE=dC9qR(NzBmlxQAb9xN*I*o;Oo*=l$ojmoJhk2o?SLCe^6iu!6&# zrja!YlXu9zmH$ZVZ>FAXTkRj3Rgs#A#cxogf;Q!o7-!Vxh@nMqj9)-^j3$umj#pI= zYH>ts)S&@J^QtLL99yaIY57jTXuY+StpK~NTUIo|DA7dG758B@anngCF=tFDrehFF zvWvS(Pb1I4FHpuKD5csc&SZKzGF*#Jx`i=OI!XJGO%ts_>V@$4=LjyrZQGt^Iea*B zU^b+*B6arL!s3s#j}K<2Ft+gNrnjHJ^jwevjQ8^3AeT;|NVEWD`;SAaD%7+&>af8% zLNs9gV?#2BWW<0@+@>FCa%nk)6+J>)z|)x-8RgP(Sd54lb2u=Rd(SQNiP6#KoCRK% zh=G@8X2+HespxF0($bQ^56EsEFs?Kw3RCcCMn}_p?s>}~ahfVOI$X!5;BB((NF>Gl zP5!lOcffY9TICIV8~VDT<-Hs_rje=I1LDUy^cZAlGJLd6b*cPVv2;)cp~d&GvB~C_ zXj;c0NW<1ZuPxomE5DM5&|#SvS{V~ho0G-uO3;SePz7(2pfe}pc>k~dgM}$Z6&#Yg7bFYw>$hf>~k4)3v9D>6l>4`h0OTcwlWMfTB^lcRvCvIK2 z8Xd@l4{&0oy!^wbPj`5Ra}aLJXw4vVd4$(!e!aGNGlDf<_4M#VyrVTUJ3HIj0H?H@ zrOp-#6CrU$&%j`VX9pn^UcG{Y!yGjc%8`c#zu(x{X!~|pX!lNTTv<~M6f&h2rEK~s zhDjbdB09shqEC5bc4mf82!o6oTWg!5a`8c90jS`7Vx)SH6VzdQ9KAM`cs>iRA-0LO zpAh^E4Lc3>nG+0Y$R3X-CMK081MzNc5aN8BR4S+N5CIqsb`V7Zf~SCiAvc3#Hixl% zEdxz7btEM>f=JsNYbC@K{wcx(iqwtJ-+*XBw9^-8IAESv5>ERlBPFG~M)Elug=#Q7 zN6S-Oi$gXeqA-Rs;5vh5nu}{KIu`);kB&yCz9L^_;EPUjFkHn%TXz~}5?MG_f%o1J zj~0k<)@~E`d&guUAxEsC<~}npFaRIbBi?9^MR7L{wQ9EOTyn$>d|r0`it~%y7E~N+ z3@bF*uW#WYdX(XiC;j(pWTLaF2cyK(O^i0>5_gHm4iubs-C3zjQ4`u6lae{<=7d8X zv>$4KldCc~EX2swSCx@L&lJu~&VHER>dsgo%^(?_?qK|gnzoJ>-WYN;9^N>Eo`zG$ zXpPKB1Z98(@xTJgWpU{|qK;(9mCj24rbXpP1;Gkx$#j#VxaCaotQR(r<%GbDUX{@; z^5wj)WE_XFzq~v<55Ye$GUC;$;u~n54gl^s8*B)6W*8psRFn0^jx`HtN&E{! 
z$+%Phcc`o<;^N{A#e&>`rsTag-R$loa`>sn?D6U6yZsA9!Q+#ZJJixs;A76XZz#55 zSGavz0)6|=FwQcR)IhHWQgMoI!PZHN_19Mf@YUf-gJ;Ul$|^ro?#{_PfIJwb_8w7; z;Myy16|%M%FX{@h2;GK4DZ9n^YIUpQ2wOq3mmFuS-<(6ZWho+P9?a;s0$-X%ID+L@ zhHH~A^7NTi&+H_Z>X%Gd~o_ z=d(e$n)XNEt^HZIZI8;qe7QnMXyIc~srP>Ca|n0+@%dmFcM-4-6F9^(k_&l zi?4EvO@44)M%-St<7?^)dek`xQx;A|T+-KQ$~OAGlxBi#cBdvPS_C#Kzz=`w4*01p z!2YtuB!z!M#$x=?huKzEMTL~Ex$6J=_ zl0)nDzT>zqAdYRcMuj#XTkT#C5ExOSdLJ~6wMNwsk0#l)sE7gX0uhk?9AR0D`&bjT z4Z1QfhaNommE?*NcFywbVQ2NlzouJ{VsV|nj9oY5{FWdKpO}6zHB5vGg|nV#aX9H1 z=|$p6dAA65y=dg_T8Jme=uw_U4=O-OQ@JO_8stEGdbQuurQ%IGb?W&GCTGk`tb}Ga z&U&1jHwI*jkK)|x@|TqR`_$MLS>ei)UFMR>gA-N6HOEg{1hO!&GUCSLjn-T>%YK`S zh?a;pO_VH9NV%ddx2D2~uZ^0(lhE%)bKh<_!d3nTGh^LOAz&BBeIwoADVA^OSX@@U zgj&RF=Hzks>jMyC;(}3Nt{YZ$+}Z2ygr^DyaSlcC0hKHI_h85P0KtRGZg?L~pZHQx zLmRypkHqE$GR_N}D4fxki%V7$#t%osP-F96{vvc7tp zY)I(`;V%_Miii>}95U!P97da+{jE_UKV$^CBhueWU6)sf18AtD?=YHUS*NSm!={h; zqTuVh3hL;j1UWgWB6b>|I3Jt4i?*(;(cQqbeE7d#CmR9+5cy1%kcO$xC>mNtKElJ1 zr@Us3SxECKo+!a7B=Y3&!4Y-AVkSZOyX`ph_x0ro6S}=cub4>l2!_4QFDxu9F77?% zUeTvl_4Co2$p<`ARBeC%&Bo3iFrj%(n%LIlDtHc<)BWxnG&RK3mp8(eJIjl|Ud;QH z+uu@l@?}Y?1{^N|m=|51&{uT#ZDfDK{C(H3^FTZxQ=Hv9h}qfnEP5r6$S~M6{`Oc8 zsvcb%-raNnUOFE*MCPLLN05q^S(^9|ZBD}m;P##}z z5gv8Ip|wqfY&EZ@4z-kT=*P(!8*V76l?-2x51?GxP;X1SRA%TsT{az`^V=!eT+$UP zZ$N=2RPpiQG$m{ur_Y`(T&_=%CO%e7!rey>jkt15<~?l=z^Bw5&1SP1H#OE(s*L9z zD*`^`TI(tZtCQ2~@7f2SGYf?bZ}EC2eJCO_6rGUCy@yej@=so0sZb93_72l={B|&+ z)#&OUi+F;jzvB*4ayO}|^-fgXKp|j1MXzBCb&bFMpX)Fq@~p!~r89^6d@R=?mXl9u z)u!PCdzBEfnexuqp*eA1KCh{8^EbeKKv!4`v@)$uVZ5c(5NpLXa?65yByWqfw4P5K zVL8nD-8lN~=j|7w9CN8%ZC@py35`JAQMhsH5`t40!fje&v7fXFEqI(xCrA&3t00AB zGA!2GI7U zJiZUS-(@8TP#sa_*;Zr%;bz{!=+&8-nX-1ezF<vsLw{Uvw%*$9hOJ)x8rW7N63OUB9RLz!DjTMBT z*13ej;w8qdesHF75RGh!`>v7OeoL2;(g-*=RI#L1sN||qZK3AX6whl0(IJDeBuj0^S_{4hVKU~jUEHRLpkLf z{2VJ3SsN0<34W280|{b5@Yq`$KeSZy;pOD)tO*HlI}a&-(V~U%yKBHWpoY}CS$CX! 
z!^g0)&f9zaoxq5A;o}}TvhFdmn5n3=&Uzvf_6}DW^N$M&-RYym{8(;W z@iWJ4jP)sm)74WNZVp<`H^jxx8}sX$^IKP0TTyl7Y0|t1un|xbRcUUMP&mvqUe8~@ ziXC-T_7acYi4#8&xET0-bh~fvHU;dw&wBD*jxEg{`mw0lChGpPc?n3U*~KmLpG`)f zDc!m>5w$SaBj!F6(=Ie+SrkSp7F>q>@^_yp6j6PnTB*{dYXvsc__3pCj;P1u_zL+jk*HTtr8!ymrRodU7K6GS+E!wy`n2AW>MQ?(P5D7G1y$l*5B2l6 zh{sj#IA=tgL);C=n3WG^i9viyjy|Kbf;wBo{!s)D+(m(!X~HNmLZxjr7|+8=7MEx$ z&#v=w{mH#Cnu9T#J#t%UNwgIUQ}})X5Lp<=D2tl$aRjQ-hgb5?;};rXJ;5=$YKhlD zr?W@b4z=MHtN~ba%?yW#Vok$2BuEn3=*8$<}4tHWZQ|-!eWiNZip5 z7dPct{n4<{Xaof_Ep`&D%=m-^40m!dGfSS+k(S`2j|lhEG8bRRAwJ~PmbNOIGGGAb zKJr$|L1F`sbd0tUqoFiVX-9OVUXHP%{oSVp#QuNk(-4^RzwOhM6cx8uDH3fz!9yW` z?DTfVNd|O4OJ-2Y-??)Kv)9)VlyGF)eodi05tS6U3ZLB=%@PS?t|Nlb`VHK;|HZre zdYX@3+%+wh-El(tgG^3%bKtm@fb%U6j%L+tGqvHm( z!2Dd64Hc8tcFBz!kxH=~f}9vwVsQWN?%2LqG>S6t0-34PU*2ri)ci?yC881+X@9+Z@>ToMcYmYxae}jA zcxVVA+X)E?@6>g+aNboH5j(&>mi4JkG@LT<00by9AypT-O{h+ueAPHV!sJhnwJcAr zxL3Dp4h_dTXvbZnzH{>Xcg1RN{6?}fS2v_zj~|;>MRM#X#ta!IzRj8eBrqh4e_mdh zEG}0W4hjQJRfd&3zK9!kQHW5}O&H6$7^r9>9gGWkn8G)62@As#<%niaA%bII>u`0K zIq^EJqoadtO0PuQFh&y;?KLviXh=mdZtLjaVk*Oy)>=)};*TLK9C>y#yZjKha<|$$ zq+qCN`0;;x%k}P=vH1w=u1#u6|MAzG+S})YjLgiwST=xsA}yY+rA#X{f{(z41O5Yw z9@6I%9L9L+ec1jZfBH6y+{~Pu9LVqtR>9$N>o$ArhUeh|ndlwJa1yKz1v$A?#Yf*t z!+t2>^2y4gHdt@Q?vQe%J2^fjW$W>|vU~SHP9g|o|3^{qgDmIwRaxm)1?Tl1?C7w5 zyzW5D)#_|U8VfN6x(_D^BewR7^7Vujy1L|5KyZb_5L@kG1DJ zXgQSjJ0Ab~eA4hF%U>b5xRrff9an|SPws=33FR6|+xhI|V`xDFO|w5Ojh4E1Yj>%W z(_#hR_#L2}=xBS}dsdBnjCZ}J9dg6<>LJw)Bh9AbsgLR=j~YIntJx4B_4duto;|Kr z*RQ{ab4D0(B4DeLB!4aAxDgMlW9^AOZ+11C6RGP+5nBvu$fL-@Lq%zishM_mFQIQ( z&64^$jUSSUNZZ@JA{Djp)#6Iw$+Ui_R&&bYTO|8UGFZ+}1Fbc|a;hGOvN_tB z6m+HDu#qoZ-Y{N~Kuv|cTI|@5*N2~;Li2<=F;98x))gZH%YQn@Cp|cggHY+9+f_%G zOIo&7gu)ti%X)GWa*N&zZ|tIKJY1+IEXk-Ep|y&-wMSHCc(&~bY4jmKqp12+@7@%R zrHRHo5vpYjWe^y&35#MISk zt#=Zyf(B3Ya~S4h$+gNb%;0h1eh);d1*?bE*IX@d!r7rX=OFH~&LH}E{V42UZK#k1 zX;jVIbn%^V+%ovu!wdY9A6JTdWYtTlhHX2awZ(?5-&>!$*fe}3( zlO6;vdy{PG&R3tvt5oNAbi9`{o=YdOVBH!gbHrX~#mTfRL#E~P`fj=UPm=m+Qd_x_ 
zexBcc@chTtw-X%W>#w`MU$xNkMA_B79M4iVgo-e8{xTRgVASx!dCY1MCf2UVHCnh)~38+xQ z$Vt_BI2716Hd#%*33$ufK2-Nv5Xl48Sauj#R3XRjnewvishtQju|~dWt$P>LfLc#g zu024!m0a|M=l5xBEr(9i%^T7KOxt|LX9o*={h_E;u{ZK+YliPqCv_K_0a?#**GRsHgu<+hG)W z+(j{fQoEVL7nBcUaw3Mu7w090)sSOh$~QkJcJto#<7{7WJA`Gl^3riGMo4)ak?1$n zx+yuuEc_+BN6t<#-TV9bDYrCD#s*WBc_eL8GCuHiETGcRx7S0FRd_?wxc#0`oHHvB zHd>xEXz{APuW3qTxHME)q{9E`l1kXg8L92VH`ygiYPTN@WMC8Oma0lP;(y_omWukd zgm{T`Wp0N2wSLFnaH^hA8aW_+AAp1FLabW1jbIsKqw|H!$F+#2r+d2_fN_)%*VzNp zUV}U@&8WUF&KT|%)pzN3J=m&(uR-`$ySE%AAd=76#%KIcm%*V=+&6wdt*YTQjXd~2 z5?DSt>(&sxs((LxxU+S;zPh)5kB1^o9^TnwG}{tEFu4jU0{+^w8sTe2c2d+{l{J>)?@}C}C@2f~1La8k!>j0eX zGtAt0Xl`LXsY}#z+>v*qqwqz#e2YnsjHKx8g&yaML1o;QxISAOo8HY|tE18(dU#Go zh!Nr!%d=kj3iOi0H)Dnv$M9I@+F*ipyz=|*f-W?rIT=e`d!_lMnO9%mm`Iuh%b6Q5 zbGPHkyxHgD`t0-XuiQdm>Hg+)VqRZ9q&qhBMP$<3+OV)gyAc$07|U=OVK4f;26SBZ zRt;@wQYsp)e(PZ*g>k^z*s-uq&pv7E-?T~1hhO4;*IDcRd_L3k>#=OUSma6WTg~s! zC+ut0m3EQk*tTzA?w*vpBaQA=Kxd7oPk`GiOZreNw-uWUM(9XMN@A8#a$g^+`LzA_ zj(mvxbRZiIX5JDIH*YCNAu_%~|2sz@x<+*D&9X49)I}fqxis&p5bEDb@wX)_rWdjia4`W`q)GHx3BmOfq877CvNQ2P|1X= zfxo_x3U!FZ{0?o5dj0?d(aV5C*k=~Ne_u}tYi|eQb*(0Jr%S3Pb`O~!9URV%$I%3- z%<>Fyy~6?5r1rj+v3RTcUm5##Lt0SM8Rlg$(XuTRr(e3nE?i)nn?<%xK_>-c^_SI! z)x!^LiwT}O>0GL<=(>X4{qLY_ci1%J!9>oj@Oc&ekqJe4hW&raG`Z@N&X+ zahmg*(&DGl8YCkf3;=2*!WP|U68AvV$;z69kfR$LozbfCIlh}za`%g+hgy3kEnN$9{atw4M? 
z$52(>;NXl|Ew^DI4O6&%1vG7NVwqFN>4z6J;uU||Dpgc_qBPX9de!`TTg22hIb7(g zRnH~537n~9Vig`D@;EsCiJ@S=u6(fH&;RZ{2g5JYJmF_i64yH|FYJDt0>5xSkQFdv zg_rE4^JOXYvBHgK2A`2t@}-4cTk*p*l5PMmFm%Y&$HxcU)y(Dt(cP;D>iqVqsXCl3 zcx#QCU!^W_g`_NBxT9Gd6%XM``+g)^04>F?|EvG7O$Cyym)1r^zMak%YIGIN2;+2x zU+ZJxF2X$7?&xWb6tV?T*>Fx#Sy>r(+aS{<1>Wo1W-v$n{rx!iJD|S483z4ASt?qGb6i7cZ5iaRU}M_0&_TQl zMa-cC$3W>ndm?}r{9(oDi9krrZHChIA3f3b8VX@E04}QjSLcH!0d-I`@fuZ&|9S~A z8rtyGwdg1zD&y)yH2t}huy_w$DsjE5_=7_dWoQgMz-;NsBF+de@sb>!DMZ5vECl6& zdGVqW&31^9GXH*AV`F`Mo-M-I)%_2+!9_LVt`68W+^SV?Z6k&td`z8gZ;s51{V7n$)spKHW@ z68YB2Mt5%`|1xP($B1w9-O%}94&aS~ENw-fZfo*KrvLm1AUX(G9ryTl<~5@_TtB_` zdd#VN3BH|?S1+atkzX?n2sUO{Hue{abvLy1uaa2LgNr3uO%c~aAG^Q712+Jldi$J$ zxDNS>>~Z#Rju?toG2>erS@K8P8xB%&;v>I^aiW&tJBe4Amsb$wYWO9uxfS(sr|~nc z6I&y8wk4yS<$`tUQS;*3w!-s(f|Me literal 0 HcmV?d00001 From bcd9736ea8af20024578e51f2a8d135d91cd6d41 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 11:06:05 +0530 Subject: [PATCH 06/30] Create AISecurityLabUserGuide.md Added draft User Guide for AI Security Lab powered by BeSLab --- AISecurityLabUserGuide.md | 851 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 851 insertions(+) create mode 100644 AISecurityLabUserGuide.md diff --git a/AISecurityLabUserGuide.md b/AISecurityLabUserGuide.md new file mode 100644 index 0000000..01458c2 --- /dev/null +++ b/AISecurityLabUserGuide.md 
@@ -0,0 +1,851 @@ +# **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** + +## **1\. Introduction to the BeSLab AI Security Lab** + +### **1.1 Purpose and Need** + +In the contemporary digital landscape, organizations increasingly rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models to drive innovation and operational efficiency. However, this reliance introduces significant security risks stemming from vulnerabilities within these third-party components and the unique attack surfaces presented by AI models themselves. Managing these risks requires a structured, proactive approach. Establishing a dedicated AI Security Lab provides the CISO's organization with the in-house capability to systematically assess, manage, and mitigate the security risks associated with OSS and AI artifacts used or considered by the enterprise. + +### **1.2 The Be-Secure Philosophy and BeSLab Blueprint** + +The Be-Secure initiative aims to empower organizations and the broader community to fortify open source artifacts – including software projects, ML models, and training datasets – against potential vulnerabilities.1 The BeSLab blueprint emerges from this philosophy, offering a design for an open-source security lab. It is not a single software product but rather an architectural pattern and a collection of tools and processes designed to create a comprehensive security assessment environment.1 A key goal is to provide application security and security operations teams with complete control and transparency over the assessment process for these critical components.1 + +### **1.3 Value Proposition for the CISO** + +Implementing a BeSLab instance offers tangible benefits for the CISO's organization: + +* **Standardized Assurance:** Establishes consistent, repeatable processes for security assessments of OSS projects and AI models. 
+* **Centralized Visibility:** Provides a single pane of glass (via BeSLighthouse) for tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and associated Vulnerabilities of Interest (OSSVoI).1 +* **Reduced Risk Exposure:** Proactively identifies and facilitates the mitigation of vulnerabilities in critical dependencies before they can be exploited. +* **Cost Efficiency:** Potentially reduces the overall cost of risk assessment compared to ad-hoc external engagements or manual reviews, especially as the number of tracked assets grows.1 +* **Internal Attestation:** Enables the generation of internal attestations or designations like Trusted and Verified Open Source Software (TAVOSS) for artifacts that pass the lab's scrutiny, providing a measure of internal assurance.1 + +### **1.4 Scope of this Guide** + +This document provides a comprehensive user guide for setting up, configuring, and operating a *private* AI Security Lab based on the BeSLab blueprint within an enterprise environment. It specifically focuses on the 'Lite Mode' deployment, which integrates essential components onto a single host, and details the integration with GitLab Community Edition (CE) as the code collaboration platform. The guide covers the full lifecycle: architecture, prerequisites, installation, onboarding of users, projects, models, and tools, operational workflows for various security assessments, reporting (OSARs), governance (RACI), and configuration of default components. + +## **2\. BeSLab Architecture and Components** + +### **2.1 Blueprint Overview** + +Understanding the BeSLab architecture requires recognizing it as a *blueprint* – a template defining how various components interact to form a functional security lab.1 It leverages existing open-source tools and defines specific Be-Secure utilities and data structures to create a cohesive system for assessing and managing the security of open source artifacts. 
The architecture is designed for flexibility, allowing organizations to tailor the lab's capabilities to their specific needs. + +### **2.2 Core Components** + +A typical private BeSLab instance, as described in this guide, comprises the following core components: + +* **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the backbone of the BeSLab instance. It hosts critical datastore repositories containing configurations, asset definitions (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and assessment results (OSARs).1 The choice of GitLab CE provides a robust, self-hosted platform with features supporting collaboration, version control, and potentially CI/CD integration for automating assessment workflows. + * This Git-centric design inherently supports a **GitOps workflow** for managing the lab itself. All configurations and operational state definitions reside in Git repositories. Changes to the lab's setup, tracked assets, assessment playbooks, or environments are managed through Git commits, providing version history, auditability, and the ability to roll back changes. This approach enhances manageability, reproducibility, and disaster recovery capabilities for the lab infrastructure. +* **Datastore Repositories:** Specific Git repositories within the SCM platform are designated for storing different types of lab data. Common examples include: + * BeSEnvironment: Stores definitions and scripts for creating assessment environments. + * BeSPlaybook: Contains the scripts and configurations defining assessment workflows. + * BeSAssessment: Archives the generated Open Source Assessment Reports (OSARs) and associated metadata. 
+ * Asset Stores (e.g., besecure-assets-store): Repositories holding lists and details of tracked OSSPoI, OSSMoI, etc..2 The specific structure and naming convention are important for tools like BeSLighthouse to locate and interpret the data correctly.2 +* **BeSLighthouse:** A web-based dashboard application that serves as the primary user interface for visualizing the lab's data.1 It reads information directly from the designated Git datastore repositories and presents visualizations of tracked assets (PoI, MoI), associated vulnerabilities (VoI), assessment status, and links to detailed reports.2 Its reliance on the Git backend reinforces the GitOps model, as the dashboard reflects the state defined in the repositories. +* **BLIman (BeSLab Lifecycle Management):** A command-line interface (CLI) utility specifically designed for deploying, configuring, and managing the lifecycle of a BeSLab instance.1 It utilizes a configuration file (genesis.yaml) to define the lab's parameters and provides commands like bli load (to load configuration), bli initmode (to set the deployment mode, e.g., 'lite'), and bli launchlab (to orchestrate the installation of components like GitLab CE and BeSLighthouse).1 + * Proficiency with CLI tools is essential for administrators managing the BeSLab instance. The reliance on BLIman for core management tasks means that automation efforts, operational runbooks, and troubleshooting will heavily involve executing and scripting these commands. 
+* **BeSman (BeS Environment Manager):** Another CLI utility that works in conjunction with BLIman, specifically responsible for creating and managing BeSEnvironments.1 It is typically installed and initialized as part of the BLIman setup process and is used by playbooks or scripts to provision the necessary runtime environments for security tools.1 +* **BeSEnvironment:** Represents a customized computing setup, often containerized or defined by setup scripts, containing the specific tools, libraries, and dependencies required to execute a particular set of security assessments.1 These environments ensure that assessments run consistently and with the correct prerequisites. They are defined in the BeSEnvironment repository and managed by BeSman.1 +* **BeSPlaybook:** An automated workflow or script designed to orchestrate specific security assessment tasks.1 A playbook typically defines which BeSEnvironment to use and which BeSPlugins (security tools) to execute in sequence, along with any necessary configuration or data handling steps. Playbooks codify the assessment process for different types of assets or security checks (e.g., SAST for Python, AI model safety scan). +* **BeSPlugin:** Represents an integration wrapper for a specific security tool (e.g., SAST scanner, DAST scanner, SCA tool, secrets detector, AI model analyzer). Plugins are the "workhorses" of the lab, performing the actual security scans. They are invoked by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of the integrated BeSPlugins. The BeSLab framework is extensible, allowing new tools to be integrated as plugins over time. 
+ +### **2.3 Key Concepts** + +Understanding the following concepts is crucial for operating the BeSLab effectively: + +* **OSSPoI / OSSMoI / OSSVoI:** + * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects that the organization uses or depends on, which are onboarded into the lab for continuous security assessment and monitoring. + * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by the organization, onboarded for security and safety assessments. + * **OSSVoI (Open Source Vulnerabilities of Interest):** Represents the specific vulnerabilities (often identified by CVE numbers or other identifiers) discovered in the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities.1 +* **OSAR (Open Source Assessment Report):** The standardized output report generated after a BeSPlaybook completes an assessment run on an OSSPoI or OSSMoI.1 It details the scope, methodology, findings (including OSSVoI), risk posture, and potentially remediation guidance. OSARs should ideally conform to the BeS Schema for consistency.4 +* **TAVOSS (Trusted and Verified Open Source Software):** A designation indicating that an OSS project or AI model has undergone a defined assessment process within the BeSLab instance and meets certain security criteria established by the organization.1 Achieving TAVOSS status is an *outcome* of the lab's assurance activities, signifying a higher level of confidence in the artifact's security posture based on the internal assessment process.3 The lab might facilitate the distribution or identification of these TAVOSS-designated versions internally.1 +* **OSAP (Open Source Assurance Provider):** Each BeSLab instance, whether private or public, functions as an OSAP.1 In the context of this guide (a private lab), the CISO's organization acts as its own internal OSAP, providing assurance services for the assets it chooses to monitor. 
+* **BeS Schema / Exchange Schema:** A standardized data format defined by the Be-Secure initiative to facilitate the exchange of information about assets, vulnerabilities, and assessments between different components of the BeSLab ecosystem and potentially between different BeSLab instances.1 Adherence to this schema promotes interoperability, enables consistent data processing and visualization (e.g., by BeSLighthouse), simplifies the development of tools that consume lab data, and ensures that generated reports (OSARs) have a uniform structure.4 This focus on standardization future-proofs the lab's data, even in a private deployment. + +## **3\. Prerequisites for Deployment** + +Before initiating the BeSLab installation, ensure the target environment meets the following prerequisites. Careful preparation prevents common setup issues. + +### **3.1 Hardware** + +A dedicated host machine (Virtual Machine recommended for flexibility) is required to run the core BeSLab components. + +* **Minimum:** 4 vCPU, 8 GB RAM, 16 GB Disk Space.1 *Note: This is the absolute minimum and may result in slow performance, especially for GitLab.* +* **Recommended for Enterprise Use:** 8+ vCPU, 16+ GB RAM, 100+ GB Disk Space (SSD recommended). Sufficient disk space is crucial for storing GitLab data (repositories, container registry, etc.) and potentially large assessment artifacts or logs. + +### **3.2 Software** + +The host machine must have the following software installed and configured: + +* **Operating System:** Ubuntu Linux (LTS version recommended, as per documentation examples 1). Other Linux distributions might work but may require adjustments. +* **Essential Utilities:** curl, unzip, bash, git, sudo access for the installing user.1 +* **Container Runtime:** Docker Engine or a compatible container runtime is required, as BLIman typically deploys GitLab CE and BeSLighthouse as containers. +* **NodeJS:** Required for BeSLighthouse. 
Version 16.0 or higher is specified.2 Install via package manager or NVM (Node Version Manager). +* **Python & pip:** May be required for specific BeSPlugins, BeSEnvironments, or alternative installation methods.1 Install Python 3 and pip. + +### **3.3 Network** + +Configure the network environment appropriately: + +* **IP Address/DNS:** The BeSLab host requires a static IP address or a resolvable DNS hostname within the enterprise network. This address will be used to access GitLab and BeSLighthouse UIs. +* **Internet Access:** The host needs outbound internet access to download BeSLab components (BLIman, Docker images for GitLab, BeSLighthouse, plugins), clone open-source repositories, and fetch vulnerability database updates. +* **Firewall Rules:** Ensure necessary ports are open: + * SSH (typically TCP/22) for administrative access. + * HTTP (TCP/80) and/or HTTPS (TCP/443) for accessing the GitLab web UI and API. + * BeSLighthouse Port (e.g., TCP/3000 default, or TCP/80 if configured 2) for accessing the dashboard UI. + * Potentially other ports if specific plugins or services require them. +* **Internal Connectivity:** Users (Analysts, Developers) need network access to the GitLab and BeSLighthouse UIs. Systems submitting assets might need API access to GitLab. + +### **3.4 GitLab CE** + +This guide assumes GitLab CE will be installed *by* the BLIman launchlab process. If an existing GitLab instance is intended for use, significant manual configuration beyond the scope of this standard installation guide would be required to integrate BeSLab components and repositories correctly. 
+ +### **3.5 User Accounts** + +* **Host OS:** An operating system user account with sudo privileges is required to perform the installation steps.1 +* **GitLab:** Initial administrative credentials for GitLab will be set during installation (via genesis.yaml) and must be changed immediately upon first login.1 + +### **3.6 Prerequisites Summary Table** + +The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. + +| Category | Requirement | Details / Recommendations | Reference | +| :---- | :---- | :---- | :---- | +| **Hardware** | CPU | Min: 4 vCPU, Recommended: 8+ vCPU | 1 | +| | RAM | Min: 8 GB, Recommended: 16+ GB | 1 | +| | Disk Space | Min: 16 GB, Recommended: 100+ GB (SSD) | 1 | +| **Software** | Operating System | Ubuntu LTS Recommended | 1 | +| | Utilities | curl, unzip, bash, git, sudo access | 1 | +| | Container Runtime | Docker Engine or compatible | Implied | +| | NodeJS | v16.0+ | 2 | +| | Python | Python 3, pip (Optional, depending on tools/methods) | 1 | +| **Network** | Host Addressing | Static IP or resolvable DNS hostname | Required | +| | Internet Access | Outbound access for downloads/updates | Required | +| | Firewall Ports | SSH (22), HTTP/S (80/443 for GitLab), BeSLighthouse Port (e.g., 3000 or 80), potentially others | Required | +| | Internal Access | User access to GitLab/BeSLighthouse UIs | Required | +| **Accounts** | Host OS User | User with sudo privileges | 1 | +| | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | 1 | + +**Table 1: Prerequisites Summary** + +## **4\. BeSLab Installation Guide (Private Lite Mode via BLIman)** + +### **4.1 Overview** + +This section provides step-by-step instructions for installing a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool.1 Lite Mode typically installs all core components, including GitLab CE and BeSLighthouse, onto the single prepared host machine. 
The installation is driven by the genesis.yaml configuration file. + +### **4.2 Step 1: Prepare the Host** + +Ensure the designated host machine meets all prerequisites outlined in Section 3\. Log in to the host machine using a user account with sudo privileges.1 + +### **4.3 Step 2: Install BLIman** + +BLIman is the primary tool for managing the BeSLab lifecycle.1 Install it using the following commands (referencing the official Be-Secure/BLIman repository for the latest instructions, as indicated in 1): + +Bash + +\# Example installation commands (Verify against official BLIman README) +\# Download the installer script (URL might change) +curl \-sSL \ \-o install-bliman.sh + +\# Run the installer script +sudo bash install-bliman.sh + +\# Clean up installer script +rm install-bliman.sh + +\# Verify installation by checking the help command +bli help + +Successful execution of bli help should display the available BLIman commands. + +### **4.4 Step 3: Configure genesis.yaml** + +The genesis.yaml file defines all configuration parameters for the BeSLab instance.1 Create this file in your current working directory (e.g., /home/user/beslab\_setup/genesis.yaml). + +Below is a sample structure for a private Lite Mode deployment. **Customize the values** (especially URLs, IPs, ports, and initial credentials) according to your environment. 
+ +YAML + +\# Sample genesis.yaml for Private Lite Mode +\# \--- Global Configuration \--- +beslab\_mode: "lite" \# Specifies Lite Mode deployment +deployment\_type: "private" \# Specifies a private instance + +\# \--- GitLab Configuration \--- +gitlab: + host\_url: "http://\" \# \*\*REQUIRED\*\*: URL users will use + initial\_root\_password: "\" \# \*\*REQUIRED\*\*: Set a strong temporary password + \# Optional: Specify ports if not default 80/443/22 + \# http\_port: 80 + \# https\_port: 443 + \# ssh\_port: 22 + \# Optional: Specify data volume path + \# data\_volume: "/srv/gitlab/data" + +\# \--- BeSLighthouse Configuration \--- +beslighthouse: + host\_ip: "0.0.0.0" \# Listen on all interfaces within the container + host\_port: "3000" \# \*\*REQUIRED\*\*: Port BeSLighthouse will listen on (e.g., 3000\) + \# Optional: Specify data volume path + \# config\_volume: "/srv/beslighthouse/config" + +\# \--- Other Optional Configurations (Add as needed based on BLIman documentation) \--- +\# Example: Default user settings, registry settings, etc. + +**Critical Security Note:** Set a strong, unique initial\_root\_password for GitLab. This password **must** be changed immediately after the first login to the GitLab UI. Do not use default or easily guessable passwords. Store this genesis.yaml file securely, as it contains sensitive initial configuration details. + +### **4.5 Step 4: Load Configuration** + +Use BLIman to parse and load the configuration from your genesis.yaml file 1: + +Bash + +\# Ensure you are in the directory containing genesis.yaml or provide the full path +bli load genesis.yaml + +BLIman will validate the file structure and load the parameters. Address any errors reported. + +### **4.6 Step 5: Initialize Mode** + +Initialize BLIman for the specified deployment mode ('lite' in this case) 1: + +Bash + +bli initmode lite + +This command prepares BLIman and potentially sets up necessary base configurations for the Lite Mode deployment. 
+ +### **4.7 Step 6: Initialize BeSman** + +Initialize the BeS Environment Manager (BeSman), which is typically installed by bli initmode 1: + +Bash + +source $HOME/.besman/bin/besman-init.sh + +This command loads BeSman functions into your current shell environment. Verify the initialization: + +Bash + +bes help + +Successful execution should display the available BeSman commands.1 + +### **4.8 Step 7: Launch the Lab** + +Initiate the BeSLab deployment process 1: + +Bash + +bli launchlab + +This command triggers the core installation process. BLIman will: + +* Download necessary Docker images (GitLab CE, BeSLighthouse, etc.). +* Configure and start the containers based on genesis.yaml settings. +* Set up networking and volumes. +* Potentially perform initial seeding of required GitLab structures (groups/projects). + +This step can take a considerable amount of time depending on network speed and host performance. Monitor the console output closely for any errors or prompts. + +### **4.9 Step 8: Initial Verification** + +Once bli launchlab completes successfully, perform these verification steps 1: + +1. **Access GitLab UI:** Open a web browser and navigate to the gitlab.host\_url specified in genesis.yaml. +2. **Login to GitLab:** Log in using the username root and the initial\_root\_password set in genesis.yaml. +3. **Change GitLab Password:** GitLab will immediately prompt you to change the default root password. Set a new, strong, unique password and store it securely. **This is a critical security step.** +4. **Access BeSLighthouse UI:** Open another browser tab and navigate to http://\:\ (e.g., http://192.168.1.100:3000). +5. **Verify BeSLighthouse Load:** The BeSLighthouse dashboard should load. Initially, lists like "Projects Of Interest" will likely be empty, which is expected.1 +6. 
**(Optional) Check Container Status:** On the BeSLab host, use docker ps (or the equivalent for your container runtime) to verify that the GitLab and BeSLighthouse containers (and any supporting containers) are running. + +Successful completion of these steps indicates that the core BeSLab infrastructure is installed and operational. + +## **5\. GitLab CE Integration and Repository Setup** + +### **5.1 Post-Installation GitLab Configuration** + +After the initial setup and password change, consider these basic GitLab configurations relevant to BeSLab operation: + +* **User Registration:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is highly recommended to *disable* new sign-ups (Sign-up enabled checkbox unchecked) and potentially enable Require admin approval for new sign-ups if self-registration is needed later. This ensures only authorized personnel can access the lab's SCM. +* **Group/Project Creation:** Navigate to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review permissions related to who can create top-level groups and projects. Initially, restricting this to Administrators might be prudent. +* **Runner Configuration (Optional \- Future Use):** If planning to use GitLab CI/CD pipelines to automate BeSPlaybook execution later, configure GitLab Runners (either shared or specific) that can execute jobs, potentially interacting with Docker or the BeSLab host environment. This is an advanced step not covered in the basic setup. + +### **5.2 Initializing Be-Secure Repositories** + +The BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations.1 While bli launchlab might perform some initial setup, manual creation or verification of the core repositories might be necessary. + +1. **Login to GitLab:** Log in as the root user or another administrative user. +2. 
**Create a Top-Level Group:** Create a new group to house all BeSLab-related repositories (e.g., besecure-lab). This helps organize the instance. +3. **Create Core Repositories:** Within the besecure-lab group, create the following projects (Git repositories): + * BeSEnvironment: Stores definitions for assessment environments. + * BeSPlaybook: Stores assessment playbook scripts. + * BeSAssessment: Stores OSAR output files and assessment metadata. + * besecure-assets-store (or similar name based on datastore.ts defaults): Stores lists/definitions of OSSPoI, OSSMoI, etc..2 + * Potentially others as required by specific configurations or future extensions. Initialize these repositories with a README file. The exact structure and initial content might need refinement based on specific playbook and plugin requirements. + +### **5.3 Configuring BeSLighthouse Connection** + +BeSLighthouse needs to know where to find the data repositories within your private GitLab instance.2 + +1. **Locate datastore.ts:** Access the BeSLab host machine via SSH. Locate the BeSLighthouse installation directory. The exact path depends on how BLIman deployed it, but it might be within a Docker volume mount or a standard location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, find the configuration file, typically src/config/datastore.ts or similar. +2. **Edit datastore.ts:** Open the file with a text editor (e.g., nano, vim). You will find variables defining the URLs for the datastore repositories. 
Update these URLs to point to the repositories created in your private GitLab instance within the besecure-lab group.2 + * Example (modify paths and URLs): + TypeScript + // Before modification (pointing to public GitHub) + // export const PoI\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assets-store.git"; + // export const Assessment\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assessment-datastore.git"; + + // After modification (pointing to internal GitLab) + export const PoI\_Repo\_URL \= "http://\/besecure-lab/besecure-assets-store.git"; + export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; + // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly + +3. **Restart BeSLighthouse:** For the changes to take effect, restart the BeSLighthouse service or container. If running via Docker: + Bash + \# Find the BeSLighthouse container ID or name + sudo docker ps + + \# Restart the container + sudo docker restart \ + +4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. While still empty, check browser developer tools (network tab) or container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated. + +This configuration establishes the crucial link between the visualization front-end (BeSLighthouse) and the Git-based data back-end, reinforcing the GitOps foundation and the importance of the standardized repository structure for the lab's operation. + +## **6\. Onboarding Guide** + +With the core BeSLab infrastructure in place, the next step is to onboard users, assets (projects and models), and the tools (plugins) required for assessment. + +### **6.1 User Onboarding** + +Define roles and assign appropriate permissions within GitLab to control access to lab resources. 
+ +* **Typical Roles:** + * **Lab Administrator:** Responsible for installing, configuring, maintaining, and upgrading the BeSLab instance; managing users; integrating core plugins/environments/playbooks. Needs high-level access. + * **Security Analyst:** Responsible for onboarding assets (OSSPoI/OSSMoI), triggering assessments, reviewing OSARs, triaging vulnerabilities (OSSVoI), and potentially customizing playbooks or integrating specific plugins. + * **Developer / Asset Owner:** Submits projects/models for assessment, consumes OSARs for their assets, responsible for remediation based on findings. Needs access primarily to their specific project results. + * **CISO / Management:** Oversight role, views dashboards (BeSLighthouse) and summary reports to understand organizational risk posture related to OSS/AI. Typically read-only access. +* **GitLab Permission Mapping (Example):** + * Lab Administrator: Owner role on the top-level besecure-lab group. + * Security Analyst: Maintainer role on the besecure-lab group (allowing repository management, potentially pipeline triggering). + * Developer / Asset Owner: Developer or Reporter role on specific BeSAssessment sub-projects or asset tracking repositories relevant to them. Access might be granted per project/asset. + * CISO / Management: Guest or Reporter role on the besecure-lab group for read-only access to repositories and potentially BeSLighthouse data sources. +* **Onboarding Process:** + 1. Lab Administrator logs into GitLab. + 2. Navigates to Admin Area \-\> Overview \-\> Users. + 3. Creates new user accounts or invites existing users. + 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. + 5. Invites users to the group, assigning the appropriate role based on the mapping above. Adjust permissions on specific sub-projects as needed for finer-grained control. 
+ +### **6.2 Project Onboarding (OSSPoI)** + +Onboarding Open Source Projects of Interest (OSSPoI) involves adding them to the lab's tracking system, typically managed within a Git repository. + +* **Definition:** OSSPoI are specific open-source software projects critical to the organization's operations or products, requiring security assessment. +* **Process:** + 1. Identify the target OSSPoI (e.g., a library used in a critical application). + 2. Locate the designated asset tracking repository in GitLab (e.g., besecure-assets-store). + 3. Clone the repository locally. + 4. Edit the relevant file (e.g., osspoi\_list.yaml, projects.json \- the exact format depends on BeSLab configuration) to add the new project. Include required metadata: + * Project Name (e.g., Apache Log4j Core) + * Source Repository URL (e.g., https://github.com/apache/logging-log4j2.git) + * Version(s) of interest (e.g., 2.17.1, main branch) + * Potentially, a flag indicating if it's designated for TAVOSS assessment. + 5. Commit the changes with a descriptive message. + 6. Push the changes back to the GitLab repository. + 7. (Optional) A GitLab CI pipeline or a webhook could trigger automated validation or initial processing upon commit. +* **TAVOSS Designation:** Marking an OSSPoI for TAVOSS implies it will undergo rigorous assessment according to defined playbooks, aiming to achieve the 'Trusted and Verified' status within the organization's context.1 This designation might be a flag in the asset list file or managed through group/project structure. +* **Example OSSPoI Candidates:** Identifying initial candidates helps jumpstart the lab's value. Consider projects based on criticality, usage prevalence, and known risk profiles. 
+ +| OSSPoI Candidate | Rationale | Potential Assessment Focus | +| :---- | :---- | :---- | +| Apache Log4j 2 | Critical logging library; past high-severity vulnerabilities | SCA (Dependencies), SAST (Java) | +| Apache Struts2 | Web framework; history of critical RCE vulnerabilities | SCA, SAST (Java), DAST | +| Spring Boot / Framework | Widely used Java application framework | SCA, SAST (Java), Secrets Scan | +| TensorFlow | Foundational ML framework | SCA (Python deps), SAST (Python) | +| PyTorch | Foundational ML framework | SCA (Python deps), SAST (Python) | +| Node.js Express | Common web framework for Node.js applications | SCA (npm), SAST (JavaScript/TS) | +| Internal Library X | Critical shared component developed internally | SAST, SCA, Secrets Scan | + +**Table 2: Example OSSPoI Candidates** + +### **6.3 Model Onboarding (OSSMoI)** + +Similar to projects, Open Source Models of Interest (OSSMoI) are onboarded for tracking and assessment. + +* **Definition:** OSSMoI are specific open-source AI/ML models used, fine-tuned, or considered for use within the organization. +* **Process:** Follows the same Git-based workflow as OSSPoI, updating a designated list (e.g., ossmoi\_list.yaml within besecure-assets-store). Required metadata typically includes: + * Model Name (e.g., BERT Large Uncased) + * Source URL (e.g., Hugging Face Hub URL, GitHub repo) + * Version/Identifier (e.g., commit hash, tag, specific file checkpoint) + * Base Model (if fine-tuned) + * License Information +* **Example OSSMoI Candidates:** Focus on models relevant to the organization's AI initiatives. 
+ +| OSSMoI Candidate | Rationale | Potential Assessment Focus | +| :---- | :---- | :---- | +| BERT (e.g., base-uncased) | Popular foundational NLP model | Model Scanning (operator safety, serialization), Provenance | +| Stable Diffusion (e.g., v1.5) | Widely used image generation model | Model Scanning, License Compliance, Potential Bias Checks | +| Llama (e.g., Llama-2-7b-hf) | Common open Large Language Model (LLM) | Model Scanning, Safety Alignment Checks, License Compliance | +| GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance | +| Internally Fine-tuned Model Y | Model derived from OSSMoI, used internally | Model Scanning (inheritance), Fine-tuning Data Privacy | + +**Table 3: Example OSSMoI Candidates** + +### **6.4 Tool Onboarding (BeSPlugins)** + +Integrating security tools via BeSPlugins is fundamental to the lab's assessment capabilities. + +* **Definition:** A BeSPlugin is the integration layer that allows a BeSPlaybook to invoke a specific security tool and process its results within the BeSLab framework. +* **Integration Process:** + 1. **Identify Tool:** Select the security tool to integrate (e.g., Semgrep for SAST). + 2. **Check Existing Plugins:** Consult the official Be-Secure/BeSLab-Plugins repository (as mentioned in the query) for pre-built plugins. + 3. **Develop/Configure Plugin:** If no existing plugin is suitable, one needs to be developed or configured. This typically involves: + * Creating a script or configuration file defining how to execute the tool (command-line arguments, input/output handling). + * Defining how to parse the tool's output into a standardized format (ideally aligning with BeS Schema elements for findings). + * Specifying dependencies required by the tool, which should be included in a relevant BeSEnvironment. + * Packaging the plugin according to BeSLab conventions (e.g., a directory structure within the BeSPlaybook or a dedicated plugin repository). + 4. 
**Define BeSEnvironment:** Ensure a BeSEnvironment exists (or create one) that contains the tool itself and all its runtime dependencies (e.g., specific Python version, libraries, OS packages). This might involve creating a Dockerfile managed within the BeSEnvironment repository. + 5. **Reference in BeSPlaybook:** Update or create a BeSPlaybook to invoke the new plugin at the appropriate stage of the assessment workflow. +* **Extensibility:** This plugin architecture is key to the lab's flexibility. As new security tools emerge or organizational needs change, new plugins can be added to enhance assessment coverage without altering the core BeSLab framework. The lab's value grows directly with the number and quality of its integrated plugins. +* **Example Default BeSPlugins:** Start with a core set of plugins covering common security assessment types. + +| BeSPlugin Example | Tool Integrated (Example) | Security Assessment Type | Purpose | +| :---- | :---- | :---- | :---- | +| Semgrep-Plugin | Semgrep | SAST | Static code analysis for various languages using pattern matching. | +| Trivy-Plugin | Trivy | SCA, Container Scanning | Detects vulnerabilities in OS packages and language dependencies. | +| Bandit-Plugin | Bandit | SAST (Python) | Finds common security issues in Python code. | +| Gitleaks-Plugin | Gitleaks | Secret Scanning | Detects hardcoded secrets (API keys, passwords) in Git history. | +| OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application security vulnerabilities. | +| ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | + +**Table 4: Example Default BeSPlugins** + +## **7\. AI Security Lab Operational Workflows** + +Once the lab is set up and initial assets/tools are onboarded, day-to-day operations involve standardized workflows for assessment and vulnerability management. 
+ +### **7.1 Asset Submission** + +The process for submitting new OSS projects or AI models for assessment needs to be defined. Options include: + +* **Manual Git Update:** As described in sections 6.2 and 6.3, authorized users (Developers, Analysts) clone the asset repository, update the list, and push the changes. This is the simplest method aligned with the GitOps approach. +* **GitLab Merge Request (MR):** A more controlled process where developers submit MRs to the asset repository. Security Analysts review and approve the MR to formally onboard the asset. +* **API Integration (Advanced):** Develop an internal tool or script that interacts with the GitLab API to add assets to the tracking list, potentially triggered from other internal systems (e.g., CI/CD pipeline, internal software catalog). + +### **7.2 Assessment Execution** + +Assessments are performed by executing BeSPlaybooks against target assets. + +* **Triggering Mechanisms:** + * **Manual:** Security Analysts trigger playbooks via CLI commands (interacting with BeSman/BLIman or custom scripts) or potentially through a custom UI element (if developed). + * **Scheduled:** Configure cron jobs on the BeSLab host or use GitLab's CI/CD schedules to run specific playbooks periodically (e.g., daily SCA scans). + * **Event-Driven (Git Hooks/CI):** Configure GitLab CI/CD pipelines or webhooks on the asset repositories (or the main code repositories) to automatically trigger relevant playbooks upon events like new commits, merge requests, or new version tags. +* **Playbook Invocation:** The trigger mechanism selects and executes the appropriate BeSPlaybook based on the asset type (OSSPoI vs. OSSMoI), language/framework, and the desired assessment type (e.g., sast-python-standard, ai-model-onboarding-safety). +* **Environment and Plugin Use:** The selected playbook orchestrates the assessment 1: + 1. 
It typically invokes BeSman to prepare or launch the required BeSEnvironment (e.g., pulling/starting a specific Docker container). + 2. Within that environment, it executes one or more BeSPlugins in sequence. + 3. Each plugin runs its corresponding security tool against the target asset (code checkout, model file). + 4. Plugins collect and parse the results from the tools. +* **Modularity in Action:** This workflow highlights the modularity and extensibility of BeSLab. The effectiveness of an assessment hinges on the combination of the chosen Playbook, the completeness of the Environment, and the capabilities of the invoked Plugins. New assessment types can be added by creating new combinations of these components. + +### **7.3 OSAR Generation and Storage** + +Assessment results are formalized into standardized reports. + +* **Aggregation:** The BeSPlaybook (or a dedicated reporting script called by it) aggregates the findings from all executed plugins. +* **Formatting:** Results are formatted into an OSAR (Open Source Assessment Report), ideally conforming to the BeS Schema structure 4 (see Section 9.1 for details). This ensures consistency. +* **Storage:** The generated OSAR file (e.g., in JSON, YAML, or Markdown format) is typically committed to the BeSAssessment Git repository.1 The commit message or file naming convention should link the OSAR to the specific asset (OSSPoI/OSSMoI), its version/commit hash, and the assessment run timestamp or ID. This provides an auditable history of assessments. + +### **7.4 BeSLighthouse Visualization** + +BeSLighthouse serves as the central dashboard for monitoring lab activities and results.1 Users access it via a web browser to: + +* View lists of currently tracked OSSPoI and OSSMoI. +* Check the status of ongoing or completed assessments. +* Review historical assessment results for specific assets. +* Visualize aggregated vulnerability data (OSSVoI), potentially filtered by severity, asset, or time. 
+* Access direct links to the detailed OSAR files stored in the BeSAssessment repository for deeper investigation. + +### **7.5 Vulnerability Tracking (OSSVoI/CVEs)** + +A core function of the lab is tracking identified vulnerabilities. + +* **Identification:** BeSPlugins performing SCA, SAST, DAST, etc., identify potential vulnerabilities. These findings, including CVE identifiers where available, are captured in the OSAR. +* **Extraction & Storage:** A process (within the playbook or a post-processing step) extracts key vulnerability information (CVE ID, CWE ID, severity, affected component/version, description, location) from the OSAR. This structured data (OSSVoI) is stored, potentially: + * Directly within the OSAR file in a structured format (e.g., a findings array). + * In a separate dedicated vulnerability database or file within the BeSAssessment or another repository, linked back to the OSAR and the affected asset. +* **Visualization:** BeSLighthouse queries this structured OSSVoI data to provide aggregated views, trends, and lists of outstanding vulnerabilities across all tracked assets.2 +* **Triage & Remediation:** Security Analysts use the OSARs and BeSLighthouse data to triage new findings, prioritize remediation efforts based on severity and context, assign findings to relevant development teams, and track the status of remediation actions. + +### **7.6 OASP Engagement Options** + +While this guide focuses on a private, internal lab (acting as a private OSAP 1), there are potential future options for engaging with the wider ecosystem, subject to organizational policy: + +* **Contribute Back:** Share identified vulnerabilities and suggested patches back to the upstream open source projects. +* **Data Sharing:** Anonymize and share vulnerability trend data (using the BeS Exchange Schema 1) with trusted partners, industry groups (ISACs), or Be-Secure community initiatives to contribute to collective security intelligence. 
+* **Consume External Data:** Integrate external vulnerability feeds (e.g., NVD, vendor advisories, other OSAP reports) to correlate with internal findings and enrich the OSSVoI data. + +## **8\. Configuring Default Lab Components** + +To ensure the BeSLab instance provides immediate value upon setup, it's essential to configure a baseline set of Environments, Playbooks, and Plugins. These defaults provide core assessment capabilities that can be expanded later. + +### **8.1 Purpose of Defaults** + +Defining default components establishes a foundational set of security checks applicable to common languages, frameworks, and asset types within the organization. This allows the lab to start performing basic assessments quickly after installation and onboarding the first assets. + +### **8.2 Default BeSEnvironments** + +These environments provide the necessary runtime context for common security tools. They are typically defined as Dockerfiles or setup scripts within the BeSEnvironment repository. + +| BeSEnvironment Name | Key Components Included | Purpose | +| :---- | :---- | :---- | +| python-base-env | Python 3.x, pip, common build tools, Git | Running Python-specific SAST (Bandit, Semgrep) & SCA tools. | +| node-base-env | NodeJS (LTS), npm/yarn, Git | Running JavaScript/TypeScript SAST/Linters, SCA (npm audit/yarn audit). | +| generic-scanner-env | Base Linux (e.g., Alpine/Debian), curl, jq, git, Trivy | Running generic scanners like Trivy (FS), Gitleaks, or simple scripts. | +| ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps, Git | Dedicated environment for AI model security/safety scanning tools. | +| java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java SAST/SCA tools. | + +**Table 5: Example Default BeSEnvironments** + +### **8.3 Default BeSPlaybooks** + +These playbooks combine environments and plugins to perform standard assessment workflows. They reside in the BeSPlaybook repository. 
+ +| BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | +| :---- | :---- | :---- | :---- | :---- | +| sast-python-standard | python-base-env | Semgrep-Plugin, Bandit-Plugin | On Commit / Pull Request | Basic static analysis security checks for Python projects. | +| sca-generic-standard | generic-scanner-env | Trivy-Plugin (FS mode) | Daily / Weekly | Scans project dependencies for known vulnerabilities (CVEs). | +| secrets-scan-standard | generic-scanner-env | Gitleaks-Plugin | On Commit / Pull Request | Detects potential secrets accidentally committed to Git history. | +| ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Performs initial safety/security checks on newly added AI models. | +| dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline) | Weekly / On Demand | Performs a basic dynamic scan against a deployed web application URL. | + +**Table 6: Example Default BeSPlaybooks** + +### **8.4 Default BeSPlugins** + +The recommended initial set of plugins provides coverage across essential security domains. Refer back to **Table 4: Example Default BeSPlugins** (Section 6.4) for the list, including tools like Semgrep, Trivy, Bandit, Gitleaks, OWASP ZAP, and an AI Model Scanner. Integrating these plugins provides the foundational scanning capabilities orchestrated by the default playbooks. + +## **9\. Reporting and Governance** + +Effective operation of the AI Security Lab requires standardized reporting and clear governance structures. + +### **9.1 Sample OSAR Structure** + +Consistent reporting is vital for tracking findings, comparing assessments over time, and communicating risk effectively. 
The Open Source Assessment Report (OSAR) should be structured logically, ideally aligning with the principles of the BeS Schema.4 + +| OSAR Section | Content Description | Purpose | +| :---- | :---- | :---- | +| **Metadata** | Assessment ID, Timestamp, Asset ID (OSSPoI/OSSMoI Name), Asset Version/Commit, BeSPlaybook Used, BeSEnvironment Used, Triggering Event (if applicable). | Uniquely identifies the assessment and its context. | +| **Executive Summary** | Brief overview of the assessment scope, key findings, overall risk level (e.g., Critical, High, Medium, Low), and critical recommendations. | Provides a high-level snapshot for management and quick triage. | +| **Asset Details** | Full Name, Source URL, Description, Exact Version/Commit Hash Assessed, License Information (if applicable). | Clearly identifies the specific artifact that was assessed. | +| **Assessment Scope & Methodology** | Description of the checks performed, list of tools (BeSPlugins) executed, specific configurations used (e.g., scan depth, rule sets), any limitations or exclusions. | Defines the boundaries and methods of the assessment for accurate interpretation of results. | +| **Findings Summary** | Aggregated counts of findings categorized by severity (e.g., Critical, High, Medium, Low, Informational). May include charts or tables. | Provides a quantitative overview of the identified issues. | +| **Detailed Findings** | A list of individual findings. Each finding includes: Finding ID, Description, Severity, Status (New, Triaged, Mitigated, False Positive), Location (File, Line, Model Layer, Dependency Name), Evidence/Code Snippet, Remediation Guidance, Associated Identifiers (CVE, CWE \- constituting OSSVoI). | Provides actionable details for each identified vulnerability or issue for analysts and developers. | +| **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. 
May reference TAVOSS criteria if applicable. | Formally documents the outcome and confidence level derived from the assessment process. | + +**Table 7: OSAR Sample Structure** + +### **9.2 RACI Matrix** + +A RACI (Responsible, Accountable, Consulted, Informed) matrix clarifies roles and responsibilities for key lab activities, ensuring smooth operation and accountability. + +| Activity | CISO | Lab Administrator | Security Analyst | Developer Lead / App Owner | Legal / Compliance | +| :---- | :---- | :---- | :---- | :---- | :---- | +| Lab Setup/Config | A | R | C | I | I | +| User Onboarding | A | R | C | I | I | +| OSSPoI Onboarding | A | C | R | C | I | +| OSSMoI Onboarding | A | C | R | C | C | +| BeSPlugin Integration | A | R | C | I | I | +| Assessment Execution/Scheduling | I | C | R | I | I | +| OSAR Review/Triage | C | I | R | C | C | +| Vulnerability Remediation Tracking | A | I | R | C | I | +| Vulnerability Remediation Implementation | I | I | C | R | I | +| Lab Maintenance/Upgrades | A | R | C | I | I | +| Policy Definition (Scope, SLA) | A | C | C | C | R | + +**Table 8: RACI Matrix** *(R=Responsible, A=Accountable, C=Consulted, I=Informed)* + +### **9.3 Governance Considerations** + +Beyond the RACI matrix, establish clear policies and procedures: + +* **Asset Onboarding Criteria:** Define rules for which OSSPoI and OSSMoI must be onboarded (e.g., based on usage in critical systems, external facing applications, handling sensitive data). +* **Assessment Frequency:** Define minimum assessment frequencies based on asset criticality and type (e.g., SAST/Secrets on commit, SCA daily, DAST weekly, Model Scan on update). +* **Vulnerability Triage Process:** Document the workflow for reviewing new findings, assigning severity based on organizational context, determining validity (true positive/false positive), and assigning ownership. +* **Remediation SLAs:** Define expected timelines for acknowledging and fixing vulnerabilities based on severity levels. 
+* **Tool Validation & Updates:** Regularly review and update integrated BeSPlugins and their underlying tools. Validate tool effectiveness periodically. +* **Reporting Cadence:** Define how and when assessment results and risk posture summaries are reported to the CISO and other stakeholders. + +## **10\. Deployment and Interaction Diagrams (PlantUML)** + +The following diagrams illustrate the BeSLab architecture and key operational flows. + +### **10.1 Diagram 1: High-Level Enterprise Deployment** + +Code snippet + +@startuml +\!theme plain +skinparam rectangle\<\\> { + borderColor Black + borderThickness 1 +} +skinparam node { + borderColor Black + borderThickness 1 +} +skinparam actor { + borderColor Black + borderThickness 1 +} + +rectangle "Enterprise Network" \<\\> { + actor "Security Analyst" as Analyst + actor "Developer" as Dev + actor "CISO / Mgmt" as CISO + + node "BeSLab Host (VM/Server)" as BeSLabHost { + cloud "Core BeSLab Services" as CoreServices + database "GitLab CE Data" as GitLabData + database "Config/Logs" as ConfigData + } + + node "Internal Code Repositories" as InternalRepos + node "Internal AI Model Stores" as InternalModels + node "User Workstations" as Workstations + + Analyst \-- BeSLabHost : Access UI/CLI + Dev \-- BeSLabHost : Access UI/Submit Assets + CISO \-- BeSLabHost : Access Dashboard (BeSLighthouse) + Workstations \--\> Analyst + Workstations \--\> Dev + Workstations \--\> CISO + + BeSLabHost \-- InternalRepos : Clone/Assess Code + BeSLabHost \-- InternalModels : Access/Assess Models +} + +cloud "Internet / External Sources" as Internet { + node "OSS Repositories (GitHub, etc.)" as OSSRepos + node "AI Model Hubs (Hugging Face, etc.)" as ModelHubs + node "Vulnerability Feeds (NVD, etc.)" as VulnFeeds + node "Plugin/Tool Updates" as Updates +} + +BeSLabHost \-- Internet : Fetch OSS Code, Models, Updates, Feeds + +@enduml + +### **10.2 Diagram 2: Detailed BeSLab Component Layout (Lite Mode Host)** + +Code snippet + +@startuml 
+\!theme plain +skinparam node { + borderColor Black + borderThickness 1 +} +skinparam storage { + borderColor Black + borderThickness 1 +} +skinparam interface { + borderColor Black + borderThickness 1 +} + +node "BeSLab Host (VM/Server)" as Host { + interface "Network Interface (IP/DNS)" as HostNIC + + node "Container Runtime (Docker)" as Docker { + node "GitLab CE Container" as GitLab { + folder "Git Repositories" as GitRepos \<\\> + interface "Web UI/API (80/443)" as GitLabNIC + interface "SSH (22)" as GitLabSSH + } + node "BeSLighthouse Container" as Lighthouse { + interface "Web UI (3000/80)" as LighthouseNIC + } + node "BeSEnvironment Containers (Transient)" as EnvContainers { + label "Runs BeSPlugins (Tools)" + } + } + + folder "BLIman / BeSman CLI Tools" as CLITools + folder "Configuration Files (genesis.yaml)" as ConfigFiles \<\\> + folder "Persistent Volumes" as Volumes \<\\> { + storage "GitLab Data Volume" as GitLabVol + storage "BeSLighthouse Config Volume" as LighthouseVol + storage "Other Data/Logs" as OtherVol + } + + HostNIC \-- GitLabNIC + HostNIC \-- LighthouseNIC + HostNIC \-- GitLabSSH + + Lighthouse..\> GitLab : Reads Repo Data (Git/API) + CLITools \--\> Docker : Manage Containers + CLITools \--\> ConfigFiles : Read Config + GitLab..\> GitLabVol : Store Data + Lighthouse..\> LighthouseVol : Store Config + Docker..\> EnvContainers : Start/Stop Assessment Envs + EnvContainers..\> GitLab : Clone Code/Assets +} + +@enduml + +### **10.3 Diagram 3: Project/Model Onboarding Flow (Git-based)** + +Code snippet + +@startuml +\!theme plain +actor "User (Dev/Analyst)" as User +participant "Local Workstation" as Local +participant "GitLab Server\\n(Asset Repo)" as GitLabRepo +participant "BeSLab System\\n(Monitor/Hook)" as BeSLabSys +participant "BeSLighthouse" as Lighthouse + +User \-\> Local : Clone Asset Repo +User \-\> Local : Edit Asset List (Add OSSPoI/OSSMoI) +User \-\> Local : Git Commit +User \-\> Local : Git Push +Local \-\> GitLabRepo : Push 
Changes +activate GitLabRepo + +GitLabRepo \-\> BeSLabSys : Notify (Webhook/Poll) +activate BeSLabSys +BeSLabSys \-\> GitLabRepo : Fetch Updated List +BeSLabSys \-\> BeSLabSys : Validate New Asset Info +alt Validation OK + BeSLabSys \-\> BeSLabSys : Mark Asset as 'Onboarded' / 'Pending Scan' + BeSLabSys \-\> Lighthouse : Update Asset List Cache/Display +else Validation Failed + BeSLabSys \-\> User : Notify Failure (e.g., email, comment) +end +deactivate BeSLabSys +deactivate GitLabRepo + +@enduml + +### **10.4 Diagram 4: Assessment Execution Flow** + +Code snippet + +@startuml +\!theme plain +participant "Trigger\\n(Schedule/Hook/Manual)" as Trigger +participant "BeSLab Orchestrator\\n(e.g., CI Pipeline/Script)" as Orchestrator +participant "BeSPlaybook" as Playbook +participant "BeSman" as Besman +participant "BeSEnvironment\\n(Container)" as Env +participant "BeSPlugin(s)" as Plugins +participant "GitLab Server\\n(Asset/Assessment Repos)" as GitLabRepo +participant "BeSLighthouse" as Lighthouse + +Trigger \-\> Orchestrator : Initiate Assessment (Asset X, Playbook Y) +activate Orchestrator +Orchestrator \-\> Playbook : Execute Playbook Y for Asset X +activate Playbook +Playbook \-\> Besman : Request Environment Z +activate Besman +Besman \-\> Env : Create/Start Environment Z +activate Env +Besman \--\> Playbook : Environment Ready +deactivate Besman +Playbook \-\> GitLabRepo : Clone/Fetch Asset X Code/Model +Playbook \-\> Env : Execute Plugin A +activate Plugins +Env \-\> Plugins : Run Tool A +Plugins \--\> Env : Results A +deactivate Plugins +Playbook \-\> Env : Execute Plugin B +activate Plugins +Env \-\> Plugins : Run Tool B +Plugins \--\> Env : Results B +deactivate Plugins +Env \--\> Playbook : All Plugin Results +deactivate Env +Playbook \-\> Playbook : Aggregate Results & Generate OSAR +Playbook \-\> GitLabRepo : Commit OSAR to BeSAssessment Repo +activate GitLabRepo +GitLabRepo \--\> Playbook : Commit Successful +deactivate GitLabRepo +Playbook \--\> 
Orchestrator : Assessment Complete +deactivate Playbook +Orchestrator \-\> Lighthouse : Notify/Update Assessment Status +deactivate Orchestrator + +@enduml + +### **10.5 Diagram 5: Vulnerability Tracking Flow (OSSVoI)** + +Code snippet + +@startuml +\!theme plain +start +:Assessment Runs (SAST/SCA/DAST Plugin); +:Plugin Detects Vulnerability; +:OSAR Generated with Finding Details (incl. CVE if available); +:Store OSAR in BeSAssessment Repo; +:Extract Structured Vulnerability Data (OSSVoI)\\n(CVE, Severity, Component, etc.); +if (OSSVoI Data Stored Separately?) then (yes) + :Store OSSVoI in Vulnerability Datastore\\n(Linked to Asset & OSAR); +else (no) + :OSSVoI Data Resides within OSAR; +endif +:BeSLighthouse Reads OSSVoI Data\\n(from Datastore or OSARs); +:Display Vulnerability in Dashboard\\n(Aggregated Views, Lists); +:Security Analyst Reviews New OSSVoI; +:Triage Vulnerability\\n(Validate, Prioritize, Assign Owner); +:Track Remediation Status\\n(e.g., Open, In Progress, Fixed, False Positive); +:Update Status in Datastore/OSAR Metadata; +:BeSLighthouse Reflects Updated Status; +stop +@enduml + +## **11\. Conclusion** + +### **11.1 Benefits Recap** + +Implementing an AI Security Lab using the Be-Secure BeSLab blueprint provides the CISO's organization with a powerful, centralized capability to manage the growing security risks associated with open source software and artificial intelligence models. Key benefits include: + +* **Standardized and Proactive Assurance:** Moving from ad-hoc reviews to consistent, automated assessments.1 +* **Enhanced Visibility and Control:** Centralized tracking of critical assets (OSSPoI, OSSMoI) and their associated vulnerabilities (OSSVoI) via BeSLighthouse.1 +* **Reduced Risk Posture:** Early identification and facilitated remediation of vulnerabilities in the software supply chain and AI models. 
+* **Internal Trust Validation:** The ability to generate internal TAVOSS designations for assessed components, building confidence in their use.1 +* **Extensibility and Adaptability:** A modular architecture based on Playbooks, Environments, and Plugins allows the lab to evolve and integrate new tools and assessment techniques over time. + +### **11.2 Next Steps** + +Following the successful installation and initial configuration outlined in this guide, prioritize these immediate actions: + +1. **Onboard Initial Assets:** Identify and onboard a pilot set of high-priority OSSPoI and OSSMoI based on organizational risk assessment. +2. **Configure & Test Default Workflows:** Ensure the default BeSPlugins, BeSEnvironments, and BeSPlaybooks (Tables 4, 5, 6\) are correctly configured and execute successfully against test assets. +3. **User Training:** Train Security Analysts on operating the lab (triggering scans, reviewing OSARs, using BeSLighthouse) and Developers on submitting assets and interpreting results. +4. **Establish Governance:** Formalize the processes outlined in Section 9.3 (triage, SLAs, reporting) and communicate the RACI matrix (Table 8). +5. **Secure the Lab:** Implement robust security hardening for the BeSLab host, GitLab instance, and associated accounts. Regularly apply security patches. + +### **11.3 Continuous Improvement** + +The AI Security Lab is not a static entity. Its value lies in its continuous operation and evolution: + +* **Expand Plugin Coverage:** Regularly evaluate and integrate new BeSPlugins for emerging tools and assessment types (e.g., advanced AI safety checks, infrastructure-as-code scanning, license compliance). +* **Refine Playbooks:** Optimize existing playbooks and create new ones tailored to specific application stacks, risk profiles, or compliance requirements. +* **Update Environments:** Keep the underlying tools and dependencies within BeSEnvironments up-to-date. 
+* **Integrate with DevSecOps:** Explore deeper integration with existing CI/CD pipelines to automate security feedback loops for developers. +* **Monitor Effectiveness:** Regularly review the lab's performance, the types of vulnerabilities being found, and the speed of remediation to identify areas for improvement in tooling or processes. + +By following this guide and embracing a culture of continuous improvement, the CISO's organization can leverage the BeSLab blueprint to build a robust, effective, and adaptable AI Security Lab, significantly strengthening its posture against modern cyber threats. + +#### **Works cited** + +1. Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLab](https://github.com/Be-Secure/BeSLab) +2. Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLighthouse](https://github.com/Be-Secure/BeSLighthouse) +3. Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, [https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/](https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/) +4. Be-Secure/bes-schema: This repository defines the data ... \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/bes-schema](https://github.com/Be-Secure/bes-schema) From 47c89e1ab6830ce28d4b4c0d9ce905e7feec8312 Mon Sep 17 00:00:00 2001 
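Review bot: Table 6 (section 8.3) runs the `dast-web-scan-basic` playbook with `OWASP-ZAP-Plugin` inside `generic-scanner-env`, but Table 5 (section 8.2) defines that environment as a base Alpine/Debian image with only curl, jq, git and Trivy, and no environment in Table 5 carries ZAP at all; the same table routes `secrets-scan-standard` (Gitleaks) to the same environment without listing Gitleaks among its components. Either add a dedicated DAST environment row (and Gitleaks to `generic-scanner-env`), or state explicitly that each BeSPlugin installs its own tool at run time, so the default playbooks are runnable as documented. Two smaller points in the same hunk: the five PlantUML diagrams in section 10 sit under a bare "Code snippet" line rather than a fenced code block, and the export has escaped them (`\!theme plain`, `Analyst \-- BeSLabHost`, `User \-\> Local`) and dropped the stereotype names from `\<\\>`, so they will neither render as code nor paste into PlantUML; a fenced block tagged plantuml with the escapes removed and the stereotypes restored would fix that. Finally, the footnote numbers from the source document have been flattened onto the ends of sentences ("assessments.1", "tracked assets.2", "BeS Schema.4"), which reads as typos; turning them into explicit references to the "Works cited" list (for example `[1]`) would make the citations usable.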
From: Vinod Panicker
Date: Thu, 1 May 2025 11:13:48 +0530
Subject: [PATCH 07/30] Update AISecurityLabUserGuide.md

Linked images to the draft AI Security Lab User Guide
---
 AISecurityLabUserGuide.md | 216 +-------------------------------------
 1 file changed, 5 insertions(+), 211 deletions(-)

diff --git a/AISecurityLabUserGuide.md b/AISecurityLabUserGuide.md
index 01458c2..0bdf685 100644
--- a/AISecurityLabUserGuide.md
+++ b/AISecurityLabUserGuide.md
@@ -585,229 +585,23 @@ The following diagrams illustrate the BeSLab architecture and key operational fl ### **10.1 Diagram 1: High-Level Enterprise Deployment** -Code snippet - -@startuml -\!theme plain -skinparam rectangle\<\\> { - borderColor Black - borderThickness 1 -} -skinparam node { - borderColor Black - borderThickness 1 -} -skinparam actor { - borderColor Black - borderThickness 1 -} - -rectangle "Enterprise Network" \<\\> { - actor "Security Analyst" as Analyst - actor "Developer" as Dev - actor "CISO / Mgmt" as CISO - - node "BeSLab Host (VM/Server)" as BeSLabHost { - cloud "Core BeSLab Services" as CoreServices - database "GitLab CE Data" as GitLabData - database "Config/Logs" as ConfigData - } - - node "Internal Code Repositories" as InternalRepos - node "Internal AI Model Stores" as InternalModels - node "User Workstations" as Workstations - - Analyst \-- BeSLabHost : Access UI/CLI - Dev \-- BeSLabHost : Access UI/Submit Assets - CISO \-- BeSLabHost : Access Dashboard (BeSLighthouse) - Workstations \--\> Analyst - Workstations \--\> Dev - Workstations \--\> CISO - - BeSLabHost \-- InternalRepos : Clone/Assess Code - BeSLabHost \-- InternalModels : Access/Assess Models -} - -cloud "Internet / External Sources" as Internet { - node "OSS Repositories (GitHub, etc.)" as OSSRepos - node "AI Model Hubs (Hugging Face, etc.)" as ModelHubs - node "Vulnerability Feeds (NVD, etc.)" as VulnFeeds - node "Plugin/Tool Updates" as Updates -} - -BeSLabHost \-- Internet : Fetch OSS Code, Models, Updates, Feeds - -@enduml +![High-Level Enterprise Deployment](./docs/images/Diagram1HighlevelEnterpriseDeployment.png) ### **10.2 Diagram 2: Detailed BeSLab Component Layout (Lite Mode Host)** -Code snippet - -@startuml -\!theme plain -skinparam node { - borderColor Black - borderThickness 1 -} -skinparam storage { - borderColor Black - borderThickness 1 -} -skinparam interface { - borderColor Black - borderThickness 1 -} - -node "BeSLab Host (VM/Server)" as Host { - 
interface "Network Interface (IP/DNS)" as HostNIC - - node "Container Runtime (Docker)" as Docker { - node "GitLab CE Container" as GitLab { - folder "Git Repositories" as GitRepos \<\\> - interface "Web UI/API (80/443)" as GitLabNIC - interface "SSH (22)" as GitLabSSH - } - node "BeSLighthouse Container" as Lighthouse { - interface "Web UI (3000/80)" as LighthouseNIC - } - node "BeSEnvironment Containers (Transient)" as EnvContainers { - label "Runs BeSPlugins (Tools)" - } - } - - folder "BLIman / BeSman CLI Tools" as CLITools - folder "Configuration Files (genesis.yaml)" as ConfigFiles \<\\> - folder "Persistent Volumes" as Volumes \<\\> { - storage "GitLab Data Volume" as GitLabVol - storage "BeSLighthouse Config Volume" as LighthouseVol - storage "Other Data/Logs" as OtherVol - } - - HostNIC \-- GitLabNIC - HostNIC \-- LighthouseNIC - HostNIC \-- GitLabSSH - - Lighthouse..\> GitLab : Reads Repo Data (Git/API) - CLITools \--\> Docker : Manage Containers - CLITools \--\> ConfigFiles : Read Config - GitLab..\> GitLabVol : Store Data - Lighthouse..\> LighthouseVol : Store Config - Docker..\> EnvContainers : Start/Stop Assessment Envs - EnvContainers..\> GitLab : Clone Code/Assets -} - -@enduml +![Detailed BeSLab Component Layout (Lite Mode Host)](./docs/images/Diagram2BeSLabComponentsLayout.png) ### **10.3 Diagram 3: Project/Model Onboarding Flow (Git-based)** -Code snippet - -@startuml -\!theme plain -actor "User (Dev/Analyst)" as User -participant "Local Workstation" as Local -participant "GitLab Server\\n(Asset Repo)" as GitLabRepo -participant "BeSLab System\\n(Monitor/Hook)" as BeSLabSys -participant "BeSLighthouse" as Lighthouse - -User \-\> Local : Clone Asset Repo -User \-\> Local : Edit Asset List (Add OSSPoI/OSSMoI) -User \-\> Local : Git Commit -User \-\> Local : Git Push -Local \-\> GitLabRepo : Push Changes -activate GitLabRepo - -GitLabRepo \-\> BeSLabSys : Notify (Webhook/Poll) -activate BeSLabSys -BeSLabSys \-\> GitLabRepo : Fetch Updated List 
-BeSLabSys \-\> BeSLabSys : Validate New Asset Info -alt Validation OK - BeSLabSys \-\> BeSLabSys : Mark Asset as 'Onboarded' / 'Pending Scan' - BeSLabSys \-\> Lighthouse : Update Asset List Cache/Display -else Validation Failed - BeSLabSys \-\> User : Notify Failure (e.g., email, comment) -end -deactivate BeSLabSys -deactivate GitLabRepo - -@enduml +![Project/Model Onboarding Flow (Git-based)](./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png) ### **10.4 Diagram 4: Assessment Execution Flow** -Code snippet - -@startuml -\!theme plain -participant "Trigger\\n(Schedule/Hook/Manual)" as Trigger -participant "BeSLab Orchestrator\\n(e.g., CI Pipeline/Script)" as Orchestrator -participant "BeSPlaybook" as Playbook -participant "BeSman" as Besman -participant "BeSEnvironment\\n(Container)" as Env -participant "BeSPlugin(s)" as Plugins -participant "GitLab Server\\n(Asset/Assessment Repos)" as GitLabRepo -participant "BeSLighthouse" as Lighthouse - -Trigger \-\> Orchestrator : Initiate Assessment (Asset X, Playbook Y) -activate Orchestrator -Orchestrator \-\> Playbook : Execute Playbook Y for Asset X -activate Playbook -Playbook \-\> Besman : Request Environment Z -activate Besman -Besman \-\> Env : Create/Start Environment Z -activate Env -Besman \--\> Playbook : Environment Ready -deactivate Besman -Playbook \-\> GitLabRepo : Clone/Fetch Asset X Code/Model -Playbook \-\> Env : Execute Plugin A -activate Plugins -Env \-\> Plugins : Run Tool A -Plugins \--\> Env : Results A -deactivate Plugins -Playbook \-\> Env : Execute Plugin B -activate Plugins -Env \-\> Plugins : Run Tool B -Plugins \--\> Env : Results B -deactivate Plugins -Env \--\> Playbook : All Plugin Results -deactivate Env -Playbook \-\> Playbook : Aggregate Results & Generate OSAR -Playbook \-\> GitLabRepo : Commit OSAR to BeSAssessment Repo -activate GitLabRepo -GitLabRepo \--\> Playbook : Commit Successful -deactivate GitLabRepo -Playbook \--\> Orchestrator : Assessment Complete -deactivate 
Playbook -Orchestrator \-\> Lighthouse : Notify/Update Assessment Status -deactivate Orchestrator - -@enduml +![Assessment Execution Flow](./docs/images/Diagram4AssessmentExecutionWorkflow.png) ### **10.5 Diagram 5: Vulnerability Tracking Flow (OSSVoI)** -Code snippet - -@startuml -\!theme plain -start -:Assessment Runs (SAST/SCA/DAST Plugin); -:Plugin Detects Vulnerability; -:OSAR Generated with Finding Details (incl. CVE if available); -:Store OSAR in BeSAssessment Repo; -:Extract Structured Vulnerability Data (OSSVoI)\\n(CVE, Severity, Component, etc.); -if (OSSVoI Data Stored Separately?) then (yes) - :Store OSSVoI in Vulnerability Datastore\\n(Linked to Asset & OSAR); -else (no) - :OSSVoI Data Resides within OSAR; -endif -:BeSLighthouse Reads OSSVoI Data\\n(from Datastore or OSARs); -:Display Vulnerability in Dashboard\\n(Aggregated Views, Lists); -:Security Analyst Reviews New OSSVoI; -:Triage Vulnerability\\n(Validate, Prioritize, Assign Owner); -:Track Remediation Status\\n(e.g., Open, In Progress, Fixed, False Positive); -:Update Status in Datastore/OSAR Metadata; -:BeSLighthouse Reflects Updated Status; -stop -@enduml +![Vulnerability Tracking Flow (OSSVoI)](./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png) ## **11\. Conclusion** From f6b2c9c2707d5e6e882aa85179ddb613d03e6f52 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 13:17:46 +0530 Subject: [PATCH 08/30] Update AISecurityLabUserGuide.md Updated to a simplified version --- AISecurityLabUserGuide.md | 1010 +++++++++++++++---------------------- 1 file changed, 415 insertions(+), 595 deletions(-) diff --git a/AISecurityLabUserGuide.md b/AISecurityLabUserGuide.md index 0bdf685..1dde8f7 100644 --- a/AISecurityLabUserGuide.md +++ b/AISecurityLabUserGuide.md 
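Review bot: the five image links added in this hunk (`./docs/images/Diagram1HighlevelEnterpriseDeployment.png` through `./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png`) point at files this patch does not add; the diffstat lists only `AISecurityLabUserGuide.md` (1 file changed, 5 insertions, 211 deletions), so unless the PNGs already exist under docs/images the diagrams in section 10 will render as broken images. Please include the image files in the same commit, or reference them from the commit that adds them. Deleting the PlantUML source outright also leaves no way to regenerate the diagrams or review future changes to them; keeping the `@startuml` sources alongside the PNGs (for example under a docs/diagrams directory) and generating the images from them would preserve a diffable version of each diagram.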
@@ -1,645 +1,465 @@ # **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** -## **1\. Introduction to the BeSLab AI Security Lab** - -### **1.1 Purpose and Need** - -In the contemporary digital landscape, organizations increasingly rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models to drive innovation and operational efficiency. However, this reliance introduces significant security risks stemming from vulnerabilities within these third-party components and the unique attack surfaces presented by AI models themselves. Managing these risks requires a structured, proactive approach. Establishing a dedicated AI Security Lab provides the CISO's organization with the in-house capability to systematically assess, manage, and mitigate the security risks associated with OSS and AI artifacts used or considered by the enterprise. - -### **1.2 The Be-Secure Philosophy and BeSLab Blueprint** - -The Be-Secure initiative aims to empower organizations and the broader community to fortify open source artifacts – including software projects, ML models, and training datasets – against potential vulnerabilities.1 The BeSLab blueprint emerges from this philosophy, offering a design for an open-source security lab. It is not a single software product but rather an architectural pattern and a collection of tools and processes designed to create a comprehensive security assessment environment.1 A key goal is to provide application security and security operations teams with complete control and transparency over the assessment process for these critical components.1 - -### **1.3 Value Proposition for the CISO** - -Implementing a BeSLab instance offers tangible benefits for the CISO's organization: - -* **Standardized Assurance:** Establishes consistent, repeatable processes for security assessments of OSS projects and AI models. 
-* **Centralized Visibility:** Provides a single pane of glass (via BeSLighthouse) for tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and associated Vulnerabilities of Interest (OSSVoI).1 -* **Reduced Risk Exposure:** Proactively identifies and facilitates the mitigation of vulnerabilities in critical dependencies before they can be exploited. -* **Cost Efficiency:** Potentially reduces the overall cost of risk assessment compared to ad-hoc external engagements or manual reviews, especially as the number of tracked assets grows.1 -* **Internal Attestation:** Enables the generation of internal attestations or designations like Trusted and Verified Open Source Software (TAVOSS) for artifacts that pass the lab's scrutiny, providing a measure of internal assurance.1 - -### **1.4 Scope of this Guide** - -This document provides a comprehensive user guide for setting up, configuring, and operating a *private* AI Security Lab based on the BeSLab blueprint within an enterprise environment. It specifically focuses on the 'Lite Mode' deployment, which integrates essential components onto a single host, and details the integration with GitLab Community Edition (CE) as the code collaboration platform. The guide covers the full lifecycle: architecture, prerequisites, installation, onboarding of users, projects, models, and tools, operational workflows for various security assessments, reporting (OSARs), governance (RACI), and configuration of default components. - -## **2\. BeSLab Architecture and Components** - -### **2.1 Blueprint Overview** - -Understanding the BeSLab architecture requires recognizing it as a *blueprint* – a template defining how various components interact to form a functional security lab.1 It leverages existing open-source tools and defines specific Be-Secure utilities and data structures to create a cohesive system for assessing and managing the security of open source artifacts. 
The architecture is designed for flexibility, allowing organizations to tailor the lab's capabilities to their specific needs. - -### **2.2 Core Components** - -A typical private BeSLab instance, as described in this guide, comprises the following core components: - -* **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the backbone of the BeSLab instance. It hosts critical datastore repositories containing configurations, asset definitions (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and assessment results (OSARs).1 The choice of GitLab CE provides a robust, self-hosted platform with features supporting collaboration, version control, and potentially CI/CD integration for automating assessment workflows. - * This Git-centric design inherently supports a **GitOps workflow** for managing the lab itself. All configurations and operational state definitions reside in Git repositories. Changes to the lab's setup, tracked assets, assessment playbooks, or environments are managed through Git commits, providing version history, auditability, and the ability to roll back changes. This approach enhances manageability, reproducibility, and disaster recovery capabilities for the lab infrastructure. -* **Datastore Repositories:** Specific Git repositories within the SCM platform are designated for storing different types of lab data. Common examples include: - * BeSEnvironment: Stores definitions and scripts for creating assessment environments. - * BeSPlaybook: Contains the scripts and configurations defining assessment workflows. - * BeSAssessment: Archives the generated Open Source Assessment Reports (OSARs) and associated metadata. 
- * Asset Stores (e.g., besecure-assets-store): Repositories holding lists and details of tracked OSSPoI, OSSMoI, etc..2 The specific structure and naming convention are important for tools like BeSLighthouse to locate and interpret the data correctly.2 -* **BeSLighthouse:** A web-based dashboard application that serves as the primary user interface for visualizing the lab's data.1 It reads information directly from the designated Git datastore repositories and presents visualizations of tracked assets (PoI, MoI), associated vulnerabilities (VoI), assessment status, and links to detailed reports.2 Its reliance on the Git backend reinforces the GitOps model, as the dashboard reflects the state defined in the repositories. -* **BLIman (BeSLab Lifecycle Management):** A command-line interface (CLI) utility specifically designed for deploying, configuring, and managing the lifecycle of a BeSLab instance.1 It utilizes a configuration file (genesis.yaml) to define the lab's parameters and provides commands like bli load (to load configuration), bli initmode (to set the deployment mode, e.g., 'lite'), and bli launchlab (to orchestrate the installation of components like GitLab CE and BeSLighthouse).1 - * Proficiency with CLI tools is essential for administrators managing the BeSLab instance. The reliance on BLIman for core management tasks means that automation efforts, operational runbooks, and troubleshooting will heavily involve executing and scripting these commands. 
-* **BeSman (BeS Environment Manager):** Another CLI utility that works in conjunction with BLIman, specifically responsible for creating and managing BeSEnvironments.1 It is typically installed and initialized as part of the BLIman setup process and is used by playbooks or scripts to provision the necessary runtime environments for security tools.1 -* **BeSEnvironment:** Represents a customized computing setup, often containerized or defined by setup scripts, containing the specific tools, libraries, and dependencies required to execute a particular set of security assessments.1 These environments ensure that assessments run consistently and with the correct prerequisites. They are defined in the BeSEnvironment repository and managed by BeSman.1 -* **BeSPlaybook:** An automated workflow or script designed to orchestrate specific security assessment tasks.1 A playbook typically defines which BeSEnvironment to use and which BeSPlugins (security tools) to execute in sequence, along with any necessary configuration or data handling steps. Playbooks codify the assessment process for different types of assets or security checks (e.g., SAST for Python, AI model safety scan). -* **BeSPlugin:** Represents an integration wrapper for a specific security tool (e.g., SAST scanner, DAST scanner, SCA tool, secrets detector, AI model analyzer). Plugins are the "workhorses" of the lab, performing the actual security scans. They are invoked by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of the integrated BeSPlugins. The BeSLab framework is extensible, allowing new tools to be integrated as plugins over time. 
- -### **2.3 Key Concepts** - -Understanding the following concepts is crucial for operating the BeSLab effectively: - -* **OSSPoI / OSSMoI / OSSVoI:** - * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects that the organization uses or depends on, which are onboarded into the lab for continuous security assessment and monitoring. - * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by the organization, onboarded for security and safety assessments. - * **OSSVoI (Open Source Vulnerabilities of Interest):** Represents the specific vulnerabilities (often identified by CVE numbers or other identifiers) discovered in the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities.1 -* **OSAR (Open Source Assessment Report):** The standardized output report generated after a BeSPlaybook completes an assessment run on an OSSPoI or OSSMoI.1 It details the scope, methodology, findings (including OSSVoI), risk posture, and potentially remediation guidance. OSARs should ideally conform to the BeS Schema for consistency.4 -* **TAVOSS (Trusted and Verified Open Source Software):** A designation indicating that an OSS project or AI model has undergone a defined assessment process within the BeSLab instance and meets certain security criteria established by the organization.1 Achieving TAVOSS status is an *outcome* of the lab's assurance activities, signifying a higher level of confidence in the artifact's security posture based on the internal assessment process.3 The lab might facilitate the distribution or identification of these TAVOSS-designated versions internally.1 -* **OSAP (Open Source Assurance Provider):** Each BeSLab instance, whether private or public, functions as an OSAP.1 In the context of this guide (a private lab), the CISO's organization acts as its own internal OSAP, providing assurance services for the assets it chooses to monitor. 
-* **BeS Schema / Exchange Schema:** A standardized data format defined by the Be-Secure initiative to facilitate the exchange of information about assets, vulnerabilities, and assessments between different components of the BeSLab ecosystem and potentially between different BeSLab instances.1 Adherence to this schema promotes interoperability, enables consistent data processing and visualization (e.g., by BeSLighthouse), simplifies the development of tools that consume lab data, and ensures that generated reports (OSARs) have a uniform structure.4 This focus on standardization future-proofs the lab's data, even in a private deployment. - -## **3\. Prerequisites for Deployment** - -Before initiating the BeSLab installation, ensure the target environment meets the following prerequisites. Careful preparation prevents common setup issues. - -### **3.1 Hardware** - -A dedicated host machine (Virtual Machine recommended for flexibility) is required to run the core BeSLab components. - -* **Minimum:** 4 vCPU, 8 GB RAM, 16 GB Disk Space.1 *Note: This is the absolute minimum and may result in slow performance, especially for GitLab.* -* **Recommended for Enterprise Use:** 8+ vCPU, 16+ GB RAM, 100+ GB Disk Space (SSD recommended). Sufficient disk space is crucial for storing GitLab data (repositories, container registry, etc.) and potentially large assessment artifacts or logs. - -### **3.2 Software** - -The host machine must have the following software installed and configured: - -* **Operating System:** Ubuntu Linux (LTS version recommended, as per documentation examples 1). Other Linux distributions might work but may require adjustments. -* **Essential Utilities:** curl, unzip, bash, git, sudo access for the installing user.1 -* **Container Runtime:** Docker Engine or a compatible container runtime is required, as BLIman typically deploys GitLab CE and BeSLighthouse as containers. -* **NodeJS:** Required for BeSLighthouse. 
Version 16.0 or higher is specified.2 Install via package manager or NVM (Node Version Manager). -* **Python & pip:** May be required for specific BeSPlugins, BeSEnvironments, or alternative installation methods.1 Install Python 3 and pip. - -### **3.3 Network** - -Configure the network environment appropriately: - -* **IP Address/DNS:** The BeSLab host requires a static IP address or a resolvable DNS hostname within the enterprise network. This address will be used to access GitLab and BeSLighthouse UIs. -* **Internet Access:** The host needs outbound internet access to download BeSLab components (BLIman, Docker images for GitLab, BeSLighthouse, plugins), clone open-source repositories, and fetch vulnerability database updates. -* **Firewall Rules:** Ensure necessary ports are open: - * SSH (typically TCP/22) for administrative access. - * HTTP (TCP/80) and/or HTTPS (TCP/443) for accessing the GitLab web UI and API. - * BeSLighthouse Port (e.g., TCP/3000 default, or TCP/80 if configured 2) for accessing the dashboard UI. - * Potentially other ports if specific plugins or services require them. -* **Internal Connectivity:** Users (Analysts, Developers) need network access to the GitLab and BeSLighthouse UIs. Systems submitting assets might need API access to GitLab. - -### **3.4 GitLab CE** - -This guide assumes GitLab CE will be installed *by* the BLIman launchlab process. If an existing GitLab instance is intended for use, significant manual configuration beyond the scope of this standard installation guide would be required to integrate BeSLab components and repositories correctly. 
- -### **3.5 User Accounts** - -* **Host OS:** An operating system user account with sudo privileges is required to perform the installation steps.1 -* **GitLab:** Initial administrative credentials for GitLab will be set during installation (via genesis.yaml) and must be changed immediately upon first login.1 - -### **3.6 Prerequisites Summary Table** - -The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. +**Part 1: Understanding BeSLab** + +**1\. Introduction: Your AI Security Lab** + +* **1.1 What is BeSLab and Why Use It?** + In today's digital world, organizations heavily rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models. While these components accelerate innovation, they also introduce security risks from potential vulnerabilities within them and the unique ways AI models can be attacked. Effectively managing these risks demands a structured and proactive strategy. + Establishing a dedicated AI Security Lab, based on the BeSLab blueprint, provides an organization's security team (specifically the CISO's office) with the necessary *internal* capability. It allows the organization to systematically check, track, and reduce the security risks tied to the OSS and AI components it uses or considers using . This focus on building internal capacity is central; BeSLab facilitates the development of in-house expertise and provides direct control over the security assurance process for these critical third-party assets, moving beyond reliance on external assessments or inconsistent manual reviews. +* **1.2 The Be-Secure Philosophy: Beyond a Single Tool** + The Be-Secure initiative aims to help organizations and the wider community strengthen open source artifacts—software, ML models, and datasets—against vulnerabilities . The BeSLab blueprint stems from this goal, offering a design for an open-source security lab. 
+ It is crucial to understand that BeSLab is not a single software product that can be installed with one click. Instead, it is a *blueprint* or an *architectural pattern* . Think of it as a template defining how various tools and processes work together to create a comprehensive security assessment environment . This approach provides significant flexibility, allowing organizations to tailor the lab's capabilities. However, it also means that implementation involves assembling and integrating these components according to the blueprint's design, rather than installing a monolithic application. The core objective is to give application security and security operations teams full control and transparency over how these critical components are assessed . +* **1.3 Value for the CISO and Security Teams** + Implementing a BeSLab instance based on this blueprint delivers clear advantages for the CISO's organization and security teams : + * **Standardized Assurance:** Creates consistent and repeatable processes for security assessments of both OSS projects and AI models. + * **Centralized Visibility:** Offers a unified view through the BeSLighthouse dashboard, tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and related Vulnerabilities of Interest (OSSVoI) . + * **Reduced Risk Exposure:** Enables proactive identification and facilitates the fixing of vulnerabilities in essential software and models before attackers can exploit them. + * **Cost Efficiency:** Can lower the overall cost of risk assessment compared to frequent external security engagements or time-consuming manual reviews, especially as the number of tracked assets increases . + * **Internal Attestation:** Allows the organization to generate internal trust marks, such as a "Trusted and Verified Open Source Software" (TAVOSS) designation, for components that pass the lab's defined security checks . 
This TAVOSS status serves as a tangible outcome, providing a standardized way to communicate assurance levels internally and build confidence in the security posture of approved components . +* **1.4 Scope of This Guide** + This document serves as a comprehensive user guide focused specifically on setting up, configuring, and operating a *private* AI Security Lab using the BeSLab blueprint within an enterprise setting. It details the *'Lite Mode'* deployment, which consolidates essential components onto a single host machine, and covers integration with GitLab Community Edition (CE) as the code collaboration platform . The guide walks through the entire lifecycle: understanding the architecture, meeting prerequisites, installation steps, onboarding users, projects, models, and tools, defining operational workflows for security assessments, generating reports (OSARs), establishing governance (RACI), and configuring default components. + +**2\. How BeSLab Works: Architecture and Concepts** + +* **2.1 The Blueprint Explained: Core Components** + The BeSLab architecture, being a blueprint, defines how various components interact to form a working security lab . It integrates existing open-source tools with specific Be-Secure utilities and data structures to build a cohesive system for security assessment . A typical private BeSLab instance deployed in Lite Mode, as covered in this guide, includes these core parts : + * **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the central nervous system of the BeSLab instance. It hosts the critical datastore repositories containing configurations, definitions of assets (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and the assessment results (OSARs) . Using GitLab CE provides a powerful, self-hosted platform supporting version control, collaboration, and potential CI/CD integration for automating assessment workflows. 
+ * **Datastore Repositories:** These are specific Git repositories within the SCM platform designated for storing different types of lab data. Common examples include : + * BeSEnvironment: Stores definitions and scripts for creating assessment environments. + * BeSPlaybook: Contains the scripts and configurations defining assessment workflows (playbooks). + * BeSAssessment: Archives the generated Open Source Assessment Reports (OSARs) and related metadata. + * Asset Stores (e.g., besecure-assets-store): Repositories holding lists and details of tracked OSSPoI, OSSMoI, etc. The precise naming and structure are important for tools like BeSLighthouse to locate data correctly . + * **BeSLighthouse:** A web-based dashboard application providing the main user interface for visualizing the lab's data . It reads information directly from the designated Git datastore repositories and presents views of tracked assets, associated vulnerabilities, assessment statuses, and links to detailed reports . Its direct reliance on the Git backend reinforces the GitOps model described below. + * **BLIman (BeSLab Lifecycle Management):** A command-line interface (CLI) tool specifically created for deploying, configuring, and managing the lifecycle of a BeSLab instance . It uses a configuration file (genesis.yaml) to define the lab's setup and provides commands like bli load, bli initmode, and bli launchlab to orchestrate the installation . + * **BeSman (BeS Environment Manager):** Another CLI utility, working alongside BLIman, focused on creating and managing the BeSEnvironments needed for assessments . It is typically installed during the BLIman setup and used by playbooks to provision the correct runtime environments for security tools . The reliance on distinct CLI tools like BLIman and BeSman for core management tasks means that administrators need proficiency with command-line operations. 
Automation efforts, operational procedures, and troubleshooting will heavily involve executing and scripting these commands, differing from purely GUI-managed systems. + * **BeSEnvironment:** Represents a specific computing setup (often a container image or defined by setup scripts) containing the necessary tools, libraries, and dependencies to run a particular set of security assessments . These ensure assessments are consistent and repeatable. They are defined in the BeSEnvironment repository and managed by BeSman . + * **BeSPlaybook:** An automated script or workflow designed to orchestrate specific security assessment tasks . A playbook typically specifies which BeSEnvironment to use and which BeSPlugins (security tools) to run in sequence, along with configuration and data handling steps. Playbooks codify the assessment process for different asset types or security checks (e.g., SAST scan for Python code, AI model safety check). + * **BeSPlugin:** Represents an integration wrapper around a specific security tool (e.g., a SAST scanner like Semgrep, an SCA tool like Trivy, a secrets detector like Gitleaks, or an AI model analyzer) . These plugins are the "workhorses" that perform the actual security scans. They are called by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of integrated BeSPlugins. The framework is extensible, allowing new tools to be added as plugins over time . +* **2.2 The GitOps Foundation** + A fundamental aspect of the BeSLab architecture is its reliance on a GitOps workflow for managing the lab itself . This means that nearly all configurations, operational state definitions, asset lists, assessment playbooks, environment definitions, and even assessment results (OSARs) reside within Git repositories hosted on the SCM platform (like GitLab CE) . 
+ Changes to the lab's setup—adding a new project to track, modifying an assessment playbook, updating an environment, or configuring a tool—are managed through standard Git operations: making changes, committing them with descriptive messages, and pushing them to the central repository. This approach offers significant advantages for managing the security lab infrastructure: + * **Auditability:** Every change is recorded in the Git history, providing a clear audit trail of who changed what and when. + * **Version History:** Previous configurations and states can be easily reviewed or restored if needed. + * **Reproducibility:** The entire lab configuration is defined in code, making it easier to replicate the setup or recover from failures. + * **Collaboration:** Multiple team members can collaborate on managing the lab's configuration using familiar Git workflows. + * **Infrastructure-as-Code:** It treats the lab's configuration and operational definitions as code, promoting discipline, automation potential, and reliability in its management. BeSLighthouse reading directly from these repositories further reinforces this model, ensuring the dashboard always reflects the state defined in Git . +* **2.3 Key Terms You Need to Know** + Understanding this terminology is essential for working with BeSLab : + * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects your organization uses or depends on, which are onboarded into the lab for security assessment and monitoring. + * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by your organization, onboarded for security and safety assessments. + * **OSSVoI (Open Source Vulnerabilities of Interest):** The specific vulnerabilities (often identified by CVEs or similar IDs) discovered within the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities . 
+ * **OSAR (Open Source Assessment Report):** The standardized report generated after a BeSPlaybook completes an assessment run . It details the scope, methods, findings (including OSSVoI), risk posture, and potentially remediation advice. OSARs should ideally follow the BeS Schema for consistency . + * **TAVOSS (Trusted and Verified Open Source Software):** An internal designation indicating that an OSS project or AI model has passed a defined assessment process within your BeSLab instance and meets your organization's security criteria . Achieving TAVOSS status signifies a higher level of confidence based on the internal assessment . The lab facilitates identifying or distributing these TAVOSS-approved versions internally . + * **OSAP (Open Source Assurance Provider):** Each BeSLab instance acts as an OSAP . In the context of this guide (a private lab), your organization functions as its own internal OSAP, providing assurance for the assets it monitors. + * **BeS Schema / Exchange Schema:** A standardized data format defined by Be-Secure to enable consistent exchange of information about assets, vulnerabilities, and assessments between BeSLab components and potentially other systems or labs . Adhering to this schema, even in a private deployment, promotes interoperability, allows consistent data processing and visualization (e.g., by BeSLighthouse), simplifies tool development, and ensures reports (OSARs) have a uniform structure, making the lab's data more valuable and future-proof . + +**Part 2: Setting Up and Configuring Your Lab** + +**3\. Setting Up Your Private BeSLab (Lite Mode)** + +* **3.1 Before You Begin: Prerequisites Checklist** + Ensuring the target environment meets all requirements before starting installation is crucial for avoiding common setup problems. A dedicated host machine (a Virtual Machine is recommended for easier management and snapshots) is needed . 
+ The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. Meeting the recommended specifications is advisable for enterprise use to ensure adequate performance, especially for GitLab and concurrent assessments. Sufficient disk space is particularly important for storing Git repository data, container images, and potentially large assessment artifacts or logs. | Category | Requirement | Details / Recommendations | Reference | | :---- | :---- | :---- | :---- | -| **Hardware** | CPU | Min: 4 vCPU, Recommended: 8+ vCPU | 1 | -| | RAM | Min: 8 GB, Recommended: 16+ GB | 1 | -| | Disk Space | Min: 16 GB, Recommended: 100+ GB (SSD) | 1 | -| **Software** | Operating System | Ubuntu LTS Recommended | 1 | -| | Utilities | curl, unzip, bash, git, sudo access | 1 | +| **Hardware** | CPU | Min: 4 vCPU, Recommended: 8+ vCPU | | +| | RAM | Min: 8 GB, Recommended: 16+ GB | | +| | Disk Space | Min: 16 GB, Recommended: 100+ GB (SSD) | | +| **Software** | Operating System | Ubuntu LTS Recommended | | +| | Utilities | curl, unzip, bash, git, sudo access | | | | Container Runtime | Docker Engine or compatible | Implied | -| | NodeJS | v16.0+ | 2 | -| | Python | Python 3, pip (Optional, depending on tools/methods) | 1 | +| | NodeJS | v16.0+ | | +| | Python | Python 3, pip (Optional, depending on tools/methods) | | | **Network** | Host Addressing | Static IP or resolvable DNS hostname | Required | | | Internet Access | Outbound access for downloads/updates | Required | | | Firewall Ports | SSH (22), HTTP/S (80/443 for GitLab), BeSLighthouse Port (e.g., 3000 or 80), potentially others | Required | | | Internal Access | User access to GitLab/BeSLighthouse UIs | Required | -| **Accounts** | Host OS User | User with sudo privileges | 1 | -| | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | 1 | - -**Table 1: Prerequisites Summary** - -## **4\. 
BeSLab Installation Guide (Private Lite Mode via BLIman)** - -### **4.1 Overview** - -This section provides step-by-step instructions for installing a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool.1 Lite Mode typically installs all core components, including GitLab CE and BeSLighthouse, onto the single prepared host machine. The installation is driven by the genesis.yaml configuration file. - -### **4.2 Step 1: Prepare the Host** - -Ensure the designated host machine meets all prerequisites outlined in Section 3\. Log in to the host machine using a user account with sudo privileges.1 - -### **4.3 Step 2: Install BLIman** - -BLIman is the primary tool for managing the BeSLab lifecycle.1 Install it using the following commands (referencing the official Be-Secure/BLIman repository for the latest instructions, as indicated in 1): - -Bash - -\# Example installation commands (Verify against official BLIman README) -\# Download the installer script (URL might change) -curl \-sSL \ \-o install-bliman.sh - -\# Run the installer script -sudo bash install-bliman.sh - -\# Clean up installer script -rm install-bliman.sh - -\# Verify installation by checking the help command -bli help - -Successful execution of bli help should display the available BLIman commands. - -### **4.4 Step 3: Configure genesis.yaml** - -The genesis.yaml file defines all configuration parameters for the BeSLab instance.1 Create this file in your current working directory (e.g., /home/user/beslab\_setup/genesis.yaml). - -Below is a sample structure for a private Lite Mode deployment. **Customize the values** (especially URLs, IPs, ports, and initial credentials) according to your environment. 
- -YAML - -\# Sample genesis.yaml for Private Lite Mode -\# \--- Global Configuration \--- -beslab\_mode: "lite" \# Specifies Lite Mode deployment -deployment\_type: "private" \# Specifies a private instance - -\# \--- GitLab Configuration \--- -gitlab: - host\_url: "http://\" \# \*\*REQUIRED\*\*: URL users will use - initial\_root\_password: "\" \# \*\*REQUIRED\*\*: Set a strong temporary password - \# Optional: Specify ports if not default 80/443/22 - \# http\_port: 80 - \# https\_port: 443 - \# ssh\_port: 22 - \# Optional: Specify data volume path - \# data\_volume: "/srv/gitlab/data" - -\# \--- BeSLighthouse Configuration \--- -beslighthouse: - host\_ip: "0.0.0.0" \# Listen on all interfaces within the container - host\_port: "3000" \# \*\*REQUIRED\*\*: Port BeSLighthouse will listen on (e.g., 3000\) - \# Optional: Specify data volume path - \# config\_volume: "/srv/beslighthouse/config" - -\# \--- Other Optional Configurations (Add as needed based on BLIman documentation) \--- -\# Example: Default user settings, registry settings, etc. - -**Critical Security Note:** Set a strong, unique initial\_root\_password for GitLab. This password **must** be changed immediately after the first login to the GitLab UI. Do not use default or easily guessable passwords. Store this genesis.yaml file securely, as it contains sensitive initial configuration details. - -### **4.5 Step 4: Load Configuration** - -Use BLIman to parse and load the configuration from your genesis.yaml file 1: - -Bash - -\# Ensure you are in the directory containing genesis.yaml or provide the full path -bli load genesis.yaml - -BLIman will validate the file structure and load the parameters. Address any errors reported. - -### **4.6 Step 5: Initialize Mode** - -Initialize BLIman for the specified deployment mode ('lite' in this case) 1: - -Bash - -bli initmode lite - -This command prepares BLIman and potentially sets up necessary base configurations for the Lite Mode deployment. 
- -### **4.7 Step 6: Initialize BeSman** - -Initialize the BeS Environment Manager (BeSman), which is typically installed by bli initmode 1: - -Bash - -source $HOME/.besman/bin/besman-init.sh - -This command loads BeSman functions into your current shell environment. Verify the initialization: - -Bash - -bes help - -Successful execution should display the available BeSman commands.1 - -### **4.8 Step 7: Launch the Lab** - -Initiate the BeSLab deployment process 1: - -Bash - -bli launchlab - -This command triggers the core installation process. BLIman will: - -* Download necessary Docker images (GitLab CE, BeSLighthouse, etc.). -* Configure and start the containers based on genesis.yaml settings. -* Set up networking and volumes. -* Potentially perform initial seeding of required GitLab structures (groups/projects). - -This step can take a considerable amount of time depending on network speed and host performance. Monitor the console output closely for any errors or prompts. - -### **4.9 Step 8: Initial Verification** - -Once bli launchlab completes successfully, perform these verification steps 1: - -1. **Access GitLab UI:** Open a web browser and navigate to the gitlab.host\_url specified in genesis.yaml. -2. **Login to GitLab:** Log in using the username root and the initial\_root\_password set in genesis.yaml. -3. **Change GitLab Password:** GitLab will immediately prompt you to change the default root password. Set a new, strong, unique password and store it securely. **This is a critical security step.** -4. **Access BeSLighthouse UI:** Open another browser tab and navigate to http://\:\ (e.g., http://192.168.1.100:3000). -5. **Verify BeSLighthouse Load:** The BeSLighthouse dashboard should load. Initially, lists like "Projects Of Interest" will likely be empty, which is expected.1 -6. 
**(Optional) Check Container Status:** On the BeSLab host, use docker ps (or the equivalent for your container runtime) to verify that the GitLab and BeSLighthouse containers (and any supporting containers) are running. - -Successful completion of these steps indicates that the core BeSLab infrastructure is installed and operational. - -## **5\. GitLab CE Integration and Repository Setup** - -### **5.1 Post-Installation GitLab Configuration** - -After the initial setup and password change, consider these basic GitLab configurations relevant to BeSLab operation: - -* **User Registration:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is highly recommended to *disable* new sign-ups (Sign-up enabled checkbox unchecked) and potentially enable Require admin approval for new sign-ups if self-registration is needed later. This ensures only authorized personnel can access the lab's SCM. -* **Group/Project Creation:** Navigate to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review permissions related to who can create top-level groups and projects. Initially, restricting this to Administrators might be prudent. -* **Runner Configuration (Optional \- Future Use):** If planning to use GitLab CI/CD pipelines to automate BeSPlaybook execution later, configure GitLab Runners (either shared or specific) that can execute jobs, potentially interacting with Docker or the BeSLab host environment. This is an advanced step not covered in the basic setup. - -### **5.2 Initializing Be-Secure Repositories** - -The BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations.1 While bli launchlab might perform some initial setup, manual creation or verification of the core repositories might be necessary. - -1. **Login to GitLab:** Log in as the root user or another administrative user. -2. 
**Create a Top-Level Group:** Create a new group to house all BeSLab-related repositories (e.g., besecure-lab). This helps organize the instance. -3. **Create Core Repositories:** Within the besecure-lab group, create the following projects (Git repositories): - * BeSEnvironment: Stores definitions for assessment environments. - * BeSPlaybook: Stores assessment playbook scripts. - * BeSAssessment: Stores OSAR output files and assessment metadata. - * besecure-assets-store (or similar name based on datastore.ts defaults): Stores lists/definitions of OSSPoI, OSSMoI, etc..2 - * Potentially others as required by specific configurations or future extensions. Initialize these repositories with a README file. The exact structure and initial content might need refinement based on specific playbook and plugin requirements. - -### **5.3 Configuring BeSLighthouse Connection** - -BeSLighthouse needs to know where to find the data repositories within your private GitLab instance.2 - -1. **Locate datastore.ts:** Access the BeSLab host machine via SSH. Locate the BeSLighthouse installation directory. The exact path depends on how BLIman deployed it, but it might be within a Docker volume mount or a standard location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, find the configuration file, typically src/config/datastore.ts or similar. -2. **Edit datastore.ts:** Open the file with a text editor (e.g., nano, vim). You will find variables defining the URLs for the datastore repositories. 
Update these URLs to point to the repositories created in your private GitLab instance within the besecure-lab group.2 - * Example (modify paths and URLs): - TypeScript - // Before modification (pointing to public GitHub) - // export const PoI\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assets-store.git"; - // export const Assessment\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assessment-datastore.git"; - - // After modification (pointing to internal GitLab) - export const PoI\_Repo\_URL \= "http://\/besecure-lab/besecure-assets-store.git"; - export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; - // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly - -3. **Restart BeSLighthouse:** For the changes to take effect, restart the BeSLighthouse service or container. If running via Docker: - Bash - \# Find the BeSLighthouse container ID or name - sudo docker ps - - \# Restart the container - sudo docker restart \ - -4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. While still empty, check browser developer tools (network tab) or container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated. - -This configuration establishes the crucial link between the visualization front-end (BeSLighthouse) and the Git-based data back-end, reinforcing the GitOps foundation and the importance of the standardized repository structure for the lab's operation. - -## **6\. Onboarding Guide** - -With the core BeSLab infrastructure in place, the next step is to onboard users, assets (projects and models), and the tools (plugins) required for assessment. - -### **6.1 User Onboarding** - -Define roles and assign appropriate permissions within GitLab to control access to lab resources. 
- -* **Typical Roles:** - * **Lab Administrator:** Responsible for installing, configuring, maintaining, and upgrading the BeSLab instance; managing users; integrating core plugins/environments/playbooks. Needs high-level access. - * **Security Analyst:** Responsible for onboarding assets (OSSPoI/OSSMoI), triggering assessments, reviewing OSARs, triaging vulnerabilities (OSSVoI), and potentially customizing playbooks or integrating specific plugins. - * **Developer / Asset Owner:** Submits projects/models for assessment, consumes OSARs for their assets, responsible for remediation based on findings. Needs access primarily to their specific project results. - * **CISO / Management:** Oversight role, views dashboards (BeSLighthouse) and summary reports to understand organizational risk posture related to OSS/AI. Typically read-only access. -* **GitLab Permission Mapping (Example):** - * Lab Administrator: Owner role on the top-level besecure-lab group. - * Security Analyst: Maintainer role on the besecure-lab group (allowing repository management, potentially pipeline triggering). - * Developer / Asset Owner: Developer or Reporter role on specific BeSAssessment sub-projects or asset tracking repositories relevant to them. Access might be granted per project/asset. - * CISO / Management: Guest or Reporter role on the besecure-lab group for read-only access to repositories and potentially BeSLighthouse data sources. -* **Onboarding Process:** - 1. Lab Administrator logs into GitLab. - 2. Navigates to Admin Area \-\> Overview \-\> Users. - 3. Creates new user accounts or invites existing users. - 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. - 5. Invites users to the group, assigning the appropriate role based on the mapping above. Adjust permissions on specific sub-projects as needed for finer-grained control. 
- -### **6.2 Project Onboarding (OSSPoI)** - -Onboarding Open Source Projects of Interest (OSSPoI) involves adding them to the lab's tracking system, typically managed within a Git repository. - -* **Definition:** OSSPoI are specific open-source software projects critical to the organization's operations or products, requiring security assessment. -* **Process:** - 1. Identify the target OSSPoI (e.g., a library used in a critical application). - 2. Locate the designated asset tracking repository in GitLab (e.g., besecure-assets-store). - 3. Clone the repository locally. - 4. Edit the relevant file (e.g., osspoi\_list.yaml, projects.json \- the exact format depends on BeSLab configuration) to add the new project. Include required metadata: - * Project Name (e.g., Apache Log4j Core) - * Source Repository URL (e.g., https://github.com/apache/logging-log4j2.git) - * Version(s) of interest (e.g., 2.17.1, main branch) - * Potentially, a flag indicating if it's designated for TAVOSS assessment. - 5. Commit the changes with a descriptive message. - 6. Push the changes back to the GitLab repository. - 7. (Optional) A GitLab CI pipeline or a webhook could trigger automated validation or initial processing upon commit. -* **TAVOSS Designation:** Marking an OSSPoI for TAVOSS implies it will undergo rigorous assessment according to defined playbooks, aiming to achieve the 'Trusted and Verified' status within the organization's context.1 This designation might be a flag in the asset list file or managed through group/project structure. -* **Example OSSPoI Candidates:** Identifying initial candidates helps jumpstart the lab's value. Consider projects based on criticality, usage prevalence, and known risk profiles. 
+| **Accounts** | Host OS User | User with sudo privileges | | +| | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | | + +\*\*Table 1: Prerequisites Summary\*\* + +This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` process . Using an existing GitLab instance requires significant manual configuration beyond this standard guide. + +* **3.2 Step-by-Step Installation using BLIman** + Follow these steps to install a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool . Lite Mode installs core components like GitLab CE and BeSLighthouse onto the single prepared host . The installation is driven by the genesis.yaml configuration file. + 1. **Prepare Host:** Log in to the designated host machine (which meets all prerequisites) using an account with sudo privileges . + 2. **Install BLIman:** Install the BeSLab Lifecycle Management tool. Always refer to the official Be-Secure/BLIman repository for the most current installation instructions . Example commands (verify URLs): + Bash + \# Example installation commands (Verify against official BLIman README) + \# Download the installer script (URL might change) + curl \-sSL \ \-o install-bliman.sh + + \# Run the installer script + sudo bash install-bliman.sh + + \# Clean up installer script + rm install-bliman.sh + + \# Verify installation by checking the help command + bli help + Successful execution of bli help confirms installation. + 3. **Configure genesis.yaml:** Create the genesis.yaml file in your working directory. This file defines all parameters for the BeSLab instance . Customize the values below (especially URLs, IPs, ports, and the initial GitLab password) for your environment. 
+ YAML + \# Sample genesis.yaml for Private Lite Mode + \# \--- Global Configuration \--- + beslab\_mode: "lite" \# Specifies Lite Mode deployment + deployment\_type: "private" \# Specifies a private instance + + \# \--- GitLab Configuration \--- + gitlab: + host\_url: "http://\" \# \*\*REQUIRED\*\*: URL users will use + initial\_root\_password: "\" \# \*\*REQUIRED\*\*: Set a strong temporary password + \# Optional: Specify ports if not default 80/443/22 + \# http\_port: 80 + \# https\_port: 443 + \# ssh\_port: 22 + \# Optional: Specify data volume path + \# data\_volume: "/srv/gitlab/data" + + \# \--- BeSLighthouse Configuration \--- + beslighthouse: + host\_ip: "0.0.0.0" \# Listen on all interfaces within the container + host\_port: "3000" \# \*\*REQUIRED\*\*: Port BeSLighthouse will listen on (e.g., 3000\) + \# Optional: Specify data volume path + \# config\_volume: "/srv/beslighthouse/config" + + \# \--- Other Optional Configurations (Add as needed based on BLIman documentation) \--- + \# Example: Default user settings, registry settings, etc. + **Critical Security Note:** Choose a strong, unique initial\_root\_password for GitLab. This password **must** be changed immediately after the first login. Store the genesis.yaml file securely. + 4. **Load Configuration:** Use BLIman to parse and load the configuration : + Bash + \# Ensure you are in the directory containing genesis.yaml or provide the full path + bli load genesis.yaml + Address any validation errors reported by BLIman. + 5. **Initialize Mode:** Prepare BLIman for the 'lite' deployment mode : + Bash + bli initmode lite + + 6. **Initialize BeSman:** Initialize the BeS Environment Manager, usually installed by bli initmode : + Bash + source $HOME/.besman/bin/besman-init.sh + Verify initialization by checking its help command : + Bash + bes help + + 7. 
**Launch the Lab:** Start the main deployment process : + Bash + bli launchlab + This command downloads Docker images, configures and starts containers (GitLab, BeSLighthouse), sets up networking/volumes, and potentially seeds initial GitLab structures . This step can take significant time. Monitor the console output for errors. +* **3.3 Initial Verification: Checking Your Setup** + Once bli launchlab finishes successfully, verify the installation : + 1. **Access GitLab UI:** Open a web browser and go to the gitlab.host\_url defined in genesis.yaml. + 2. **Login to GitLab:** Use username root and the initial\_root\_password from genesis.yaml. + 3. **CRITICAL: Change GitLab Password:** GitLab will force a password change on first login. Set a new, strong, unique password and store it securely. This is vital for security. + 4. **Access BeSLighthouse UI:** Open another browser tab and navigate to http://\:\ (e.g., http://192.168.1.100:3000). + 5. **Verify BeSLighthouse Load:** The dashboard should load. Expect lists like "Projects Of Interest" to be empty initially . + 6. **(Optional) Check Container Status:** On the BeSLab host, run docker ps to confirm the GitLab and BeSLighthouse containers are running. + +Successful completion of these checks indicates the core BeSLab infrastructure is operational. + +**4\. Configuring Your BeSLab Instance** + +* **4.1 Essential GitLab Configuration** + After the initial setup and password change, configure these GitLab settings relevant for BeSLab : + * **User Sign-up Restrictions:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is strongly recommended to *disable* new sign-ups (uncheck "Sign-up enabled") to prevent unauthorized access. If self-registration is needed later, enable admin approval. + * **Group/Project Creation Permissions:** Go to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review who can create top-level groups and projects. 
Restricting this to Administrators initially is advisable for better control. + * **(Future Use) Runner Configuration:** If planning to automate assessment workflows using GitLab CI/CD pipelines later, GitLab Runners will need to be configured. This is an advanced step involving setting up agents that can execute jobs, potentially interacting with Docker or the BeSLab host. +* **4.2 Setting Up Be-Secure Repositories in GitLab** + BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations . While bli launchlab might perform some setup, manually creating or verifying these core repositories is often necessary. The precise naming and structure are important, as tools like BeSLighthouse often expect specific repository names and locations to function correctly . Deviating from expected conventions might prevent the dashboard or other tools from finding and processing data. + 1. **Login to GitLab:** Log in as the root user or another administrator. + 2. **Create a Top-Level Group:** Create a new group (e.g., besecure-lab) to logically organize all BeSLab-related repositories. + 3. **Create Core Repositories:** Within the besecure-lab group, create the following projects (Git repositories). Initialize each with at least a README file: + * BeSEnvironment: Stores assessment environment definitions (e.g., Dockerfiles). + * BeSPlaybook: Stores assessment playbook scripts. + * BeSAssessment: Stores assessment output reports (OSARs) and metadata. + * besecure-assets-store (or the name expected by BeSLighthouse's configuration): Stores lists/definitions of OSSPoI, OSSMoI, etc. . + * Potentially others depending on specific configurations or extensions. +* **4.3 Connecting BeSLighthouse to Your Data** + BeSLighthouse needs to be configured to find the data repositories within your private GitLab instance . This step activates the dashboard by linking the visualization front-end to the Git-based data back-end. + 1. 
**Locate datastore.ts:** Access the BeSLab host machine (e.g., via SSH). Find the BeSLighthouse installation directory. The exact path depends on the deployment, potentially within a Docker volume mount (check docker inspect \ for volume details) or a location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, locate the configuration file, typically src/config/datastore.ts . + 2. **Edit datastore.ts:** Open the file using a text editor (like nano or vim). Find the variables defining the URLs for the datastore repositories. Update these URLs to point to the repositories created in **your private GitLab instance** within the besecure-lab group . + * Example modification: + TypeScript + // Before modification (example pointing to public GitHub) + // export const PoI\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assets-store.git"; + // export const Assessment\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assessment-datastore.git"; + + // After modification (pointing to internal GitLab) + export const PoI\_Repo\_URL \= "http://\/besecure-lab/besecure-assets-store.git"; + export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; + // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly + + 3. **Restart BeSLighthouse:** Apply the changes by restarting the BeSLighthouse service or container. If using Docker: + Bash + \# Find the BeSLighthouse container ID or name + sudo docker ps + + \# Restart the container + sudo docker restart \ + + 4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. Although the lists will still be empty until data is added, check the browser's developer tools (Network tab) or the container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated in the repositories. 
+ +**Part 3: Populating and Operating Your Lab** + +**5\. Populating Your Lab: Onboarding Guide** + +* **5.1 Managing User Access and Roles** + Properly managing user access is crucial for security and operational efficiency. Define roles within the BeSLab context and map them to GitLab's permission model to control who can perform specific actions . + * **Typical Roles:** + * **Lab Administrator:** Installs, configures, maintains, and upgrades BeSLab; manages users; integrates core tools. Requires high-level privileges. + * **Security Analyst:** Onboards assets (OSSPoI/OSSMoI), defines and triggers assessments, reviews reports (OSARs), triages vulnerabilities (OSSVoI), customizes assessment workflows (playbooks). Needs broad operational access. + * **Developer / Asset Owner:** Submits their projects/models for assessment, views reports relevant to their assets, responsible for implementing fixes. Needs access primarily to specific results. + * **CISO / Management:** Oversees the overall risk posture via dashboards (BeSLighthouse) and summary reports. Typically requires read-only access. + * **GitLab Permission Mapping (Example):** + * Lab Administrator: Assign Owner role on the top-level besecure-lab group in GitLab. + * Security Analyst: Assign Maintainer role on the besecure-lab group. + * Developer / Asset Owner: Assign Developer or Reporter role on specific projects/repositories relevant to them. + * CISO / Management: Assign Guest or Reporter role on the besecure-lab group for viewing access. + * **Onboarding Process:** + 1. The Lab Administrator logs into GitLab. + 2. Navigates to Admin Area \-\> Overview \-\> Users. + 3. Creates new user accounts as needed (assuming sign-up is restricted). + 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. + 5. Invites users to the group, assigning the appropriate role based on the mapping above. Permissions can be further refined on individual sub-projects (repositories) if necessary. 
+* **5.2 Adding Projects (OSSPoI) for Assessment** + Onboarding Open Source Projects of Interest (OSSPoI) means adding the software projects your organization relies on to the lab's tracking system so they can be assessed . + * **Definition:** OSSPoI are specific open-source software projects deemed important or critical enough by the organization to warrant regular security assessment. + * **Process:** The process leverages the GitOps workflow: + 1. Identify the OSS project to onboard. + 2. Locate the designated asset tracking repository in GitLab (e.g., besecure-lab/besecure-assets-store). + 3. Clone this repository to your local machine. + 4. Edit the relevant file within the repository (e.g., osspoi\_list.yaml or projects.json, depending on the convention established). Add an entry for the new project, including metadata such as Project Name, Source Code URL (e.g., Git repository URL), specific Version(s) of interest, and potentially a flag indicating if it's targeted for TAVOSS designation. + 5. Commit the changes locally using a clear, descriptive commit message (e.g., "Add OSSPoI: Apache Commons Text v1.10"). + 6. Push the changes back to the central GitLab repository. BeSLighthouse should automatically pick up the changes on its next refresh cycle . + * **TAVOSS Designation:** Marking an OSSPoI for TAVOSS signifies an intent to subject it to a more rigorous assessment process defined by the organization, aiming to achieve the internal 'Trusted and Verified' status . + * **Example OSSPoI Candidates:** Prioritize projects based on their criticality to business operations, widespread usage within the organization, known history of vulnerabilities, or handling of sensitive data. 
| OSSPoI Candidate | Rationale | Potential Assessment Focus | | :---- | :---- | :---- | -| Apache Log4j 2 | Critical logging library; past high-severity vulnerabilities | SCA (Dependencies), SAST (Java) | -| Apache Struts2 | Web framework; history of critical RCE vulnerabilities | SCA, SAST (Java), DAST | -| Spring Boot / Framework | Widely used Java application framework | SCA, SAST (Java), Secrets Scan | +| Apache Log4j 2 | Critical logging library; past vulnerabilities | SCA (Dependencies), SAST (Java) | +| Apache Struts2 | Web framework; history of RCE vulnerabilities | SCA, SAST (Java), DAST | +| Spring Boot / Framework | Widely used Java framework | SCA, SAST (Java), Secrets Scan | | TensorFlow | Foundational ML framework | SCA (Python deps), SAST (Python) | | PyTorch | Foundational ML framework | SCA (Python deps), SAST (Python) | -| Node.js Express | Common web framework for Node.js applications | SCA (npm), SAST (JavaScript/TS) | -| Internal Library X | Critical shared component developed internally | SAST, SCA, Secrets Scan | - -**Table 2: Example OSSPoI Candidates** +| Node.js Express | Common web framework for Node.js | SCA (npm), SAST (JavaScript/TS) | +| Internal Shared Library X | Critical internal component used by many apps | SAST, SCA, Secrets Scan | -### **6.3 Model Onboarding (OSSMoI)** + \*\*Table 2: Example OSSPoI Candidates\*\* -Similar to projects, Open Source Models of Interest (OSSMoI) are onboarded for tracking and assessment. - -* **Definition:** OSSMoI are specific open-source AI/ML models used, fine-tuned, or considered for use within the organization. -* **Process:** Follows the same Git-based workflow as OSSPoI, updating a designated list (e.g., ossmoi\_list.yaml within besecure-assets-store). 
Required metadata typically includes: - * Model Name (e.g., BERT Large Uncased) - * Source URL (e.g., Hugging Face Hub URL, GitHub repo) - * Version/Identifier (e.g., commit hash, tag, specific file checkpoint) - * Base Model (if fine-tuned) - * License Information -* **Example OSSMoI Candidates:** Focus on models relevant to the organization's AI initiatives. +* **5.3 Adding AI Models (OSSMoI) for Assessment** + Similar to software projects, Open Source Models of Interest (OSSMoI) need to be onboarded for tracking and security/safety assessment . + * **Definition:** OSSMoI are specific open-source AI/ML models used or being considered for use by the organization. + * **Process:** This follows the same Git-based workflow used for OSSPoI. An analyst or administrator clones the asset tracking repository (or a dedicated model repository), edits the designated list file (e.g., ossmoi\_list.yaml), adds the new model with relevant metadata (Model Name, Source URL/Identifier like Hugging Face Hub ID, Version, Base Model if fine-tuned, License information), commits, and pushes the changes. + * **Example OSSMoI Candidates:** Focus on models relevant to the organization's AI strategy, particularly those used in production, handling sensitive data, or interacting with users. 
| OSSMoI Candidate | Rationale | Potential Assessment Focus | | :---- | :---- | :---- | -| BERT (e.g., base-uncased) | Popular foundational NLP model | Model Scanning (operator safety, serialization), Provenance | +| BERT (e.g., base-uncased) | Popular foundational NLP model | Model Scanning (safety, e.g., unsafe operators), Provenance Checks, License Compliance | | Stable Diffusion (e.g., v1.5) | Widely used image generation model | Model Scanning, License Compliance, Potential Bias Checks | -| Llama (e.g., Llama-2-7b-hf) | Common open Large Language Model (LLM) | Model Scanning, Safety Alignment Checks, License Compliance | -| GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance | -| Internally Fine-tuned Model Y | Model derived from OSSMoI, used internally | Model Scanning (inheritance), Fine-tuning Data Privacy | - -**Table 3: Example OSSMoI Candidates** - -### **6.4 Tool Onboarding (BeSPlugins)** - -Integrating security tools via BeSPlugins is fundamental to the lab's assessment capabilities. - -* **Definition:** A BeSPlugin is the integration layer that allows a BeSPlaybook to invoke a specific security tool and process its results within the BeSLab framework. -* **Integration Process:** - 1. **Identify Tool:** Select the security tool to integrate (e.g., Semgrep for SAST). - 2. **Check Existing Plugins:** Consult the official Be-Secure/BeSLab-Plugins repository (as mentioned in the query) for pre-built plugins. - 3. **Develop/Configure Plugin:** If no existing plugin is suitable, one needs to be developed or configured. This typically involves: - * Creating a script or configuration file defining how to execute the tool (command-line arguments, input/output handling). - * Defining how to parse the tool's output into a standardized format (ideally aligning with BeS Schema elements for findings). - * Specifying dependencies required by the tool, which should be included in a relevant BeSEnvironment. 
- * Packaging the plugin according to BeSLab conventions (e.g., a directory structure within the BeSPlaybook or a dedicated plugin repository). - 4. **Define BeSEnvironment:** Ensure a BeSEnvironment exists (or create one) that contains the tool itself and all its runtime dependencies (e.g., specific Python version, libraries, OS packages). This might involve creating a Dockerfile managed within the BeSEnvironment repository. - 5. **Reference in BeSPlaybook:** Update or create a BeSPlaybook to invoke the new plugin at the appropriate stage of the assessment workflow. -* **Extensibility:** This plugin architecture is key to the lab's flexibility. As new security tools emerge or organizational needs change, new plugins can be added to enhance assessment coverage without altering the core BeSLab framework. The lab's value grows directly with the number and quality of its integrated plugins. -* **Example Default BeSPlugins:** Start with a core set of plugins covering common security assessment types. +| Llama (e.g., Llama-2-7b-hf) | Common open Large Language Model (LLM) | Model Scanning (safety), License Compliance, Responsible AI checks | +| GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance Checks | +| Internally Fine-tuned Model Y | Model derived from OSSMoI, used in production | Model Scanning, Fine-tuning Data Privacy Review, Robustness Testing | + + \*\*Table 3: Example OSSMoI Candidates\*\* + +* **5.4 Integrating Security Tools (BeSPlugins)** + The actual security assessment capabilities of the BeSLab depend entirely on the integrated security tools, made available via BeSPlugins . Integrating these tools is therefore a fundamental task. + * **Definition:** A BeSPlugin acts as the integration layer or wrapper that allows a BeSPlaybook to invoke a specific security tool (like a scanner or linter) within the BeSLab framework . + * **Integration Process:** + 1. 
**Identify Tool:** Select the security tool needed (e.g., Semgrep for code pattern matching, Trivy for vulnerability scanning, Bandit for Python security linting, Gitleaks for secret detection, OWASP ZAP for dynamic scanning, or a specialized AI model scanner). + 2. **Check Existing Plugins:** Look within the Be-Secure community repositories or internal repositories for pre-built BeSPlugins for the chosen tool. Reusing existing plugins saves significant effort. + 3. **Develop/Configure Plugin:** If no suitable plugin exists, one needs to be developed or configured. This typically involves creating a script (e.g., shell script, Python script) that: + * Knows how to execute the security tool with appropriate arguments (taking input like target repository path or URL). + * Parses the tool's output (e.g., JSON, XML, plain text). + * Ideally, transforms the output into the standardized BeS Schema format for consistent reporting and processing . + * Defines any dependencies required by the tool or the wrapper script. + * Is packaged or made available for execution within a BeSEnvironment. + 4. **Define BeSEnvironment:** Ensure a suitable BeSEnvironment exists (or create one) that contains the security tool itself and all its runtime dependencies (e.g., specific Python version, libraries, OS packages). This environment definition (e.g., a Dockerfile) should reside in the BeSEnvironment repository . + 5. **Reference in BeSPlaybook:** Update an existing BeSPlaybook or create a new one in the BeSPlaybook repository to invoke the newly integrated BeSPlugin at the appropriate step in the assessment workflow . + * **Extensibility:** This plugin-based architecture is designed for extensibility, allowing the organization to add new security tools, techniques, or custom checks over time as threats evolve and new technologies are adopted . + * **Example Default BeSPlugins:** Start by integrating a core set of plugins covering common security assessment types. 
The effectiveness of the lab is directly linked to the quality and breadth of these integrated plugins. Maintaining them (e.g., updating tools, adapting parsers) requires ongoing effort but is essential for deriving value. | BeSPlugin Example | Tool Integrated (Example) | Security Assessment Type | Purpose | | :---- | :---- | :---- | :---- | -| Semgrep-Plugin | Semgrep | SAST | Static code analysis for various languages using pattern matching. | -| Trivy-Plugin | Trivy | SCA, Container Scanning | Detects vulnerabilities in OS packages and language dependencies. | -| Bandit-Plugin | Bandit | SAST (Python) | Finds common security issues in Python code. | +| Semgrep-Plugin | Semgrep | SAST | Static code analysis using customizable pattern matching. | +| Trivy-Plugin | Trivy | SCA, Container Scanning | Detects known vulnerabilities in OS packages & dependencies. | +| Bandit-Plugin | Bandit | SAST (Python) | Finds common security issues specifically in Python code. | | Gitleaks-Plugin | Gitleaks | Secret Scanning | Detects hardcoded secrets (API keys, passwords) in Git history. | -| OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application security vulnerabilities. | +| OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application vulnerabilities via crawling/attacking. | | ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | -**Table 4: Example Default BeSPlugins** - -## **7\. AI Security Lab Operational Workflows** - -Once the lab is set up and initial assets/tools are onboarded, day-to-day operations involve standardized workflows for assessment and vulnerability management. - -### **7.1 Asset Submission** - -The process for submitting new OSS projects or AI models for assessment needs to be defined. 
Options include: - -* **Manual Git Update:** As described in sections 6.2 and 6.3, authorized users (Developers, Analysts) clone the asset repository, update the list, and push the changes. This is the simplest method aligned with the GitOps approach. -* **GitLab Merge Request (MR):** A more controlled process where developers submit MRs to the asset repository. Security Analysts review and approve the MR to formally onboard the asset. -* **API Integration (Advanced):** Develop an internal tool or script that interacts with the GitLab API to add assets to the tracking list, potentially triggered from other internal systems (e.g., CI/CD pipeline, internal software catalog). - -### **7.2 Assessment Execution** - -Assessments are performed by executing BeSPlaybooks against target assets. - -* **Triggering Mechanisms:** - * **Manual:** Security Analysts trigger playbooks via CLI commands (interacting with BeSman/BLIman or custom scripts) or potentially through a custom UI element (if developed). - * **Scheduled:** Configure cron jobs on the BeSLab host or use GitLab's CI/CD schedules to run specific playbooks periodically (e.g., daily SCA scans). - * **Event-Driven (Git Hooks/CI):** Configure GitLab CI/CD pipelines or webhooks on the asset repositories (or the main code repositories) to automatically trigger relevant playbooks upon events like new commits, merge requests, or new version tags. -* **Playbook Invocation:** The trigger mechanism selects and executes the appropriate BeSPlaybook based on the asset type (OSSPoI vs. OSSMoI), language/framework, and the desired assessment type (e.g., sast-python-standard, ai-model-onboarding-safety). -* **Environment and Plugin Use:** The selected playbook orchestrates the assessment 1: - 1. It typically invokes BeSman to prepare or launch the required BeSEnvironment (e.g., pulling/starting a specific Docker container). - 2. Within that environment, it executes one or more BeSPlugins in sequence. - 3. 
Each plugin runs its corresponding security tool against the target asset (code checkout, model file). - 4. Plugins collect and parse the results from the tools. -* **Modularity in Action:** This workflow highlights the modularity and extensibility of BeSLab. The effectiveness of an assessment hinges on the combination of the chosen Playbook, the completeness of the Environment, and the capabilities of the invoked Plugins. New assessment types can be added by creating new combinations of these components. - -### **7.3 OSAR Generation and Storage** - -Assessment results are formalized into standardized reports. - -* **Aggregation:** The BeSPlaybook (or a dedicated reporting script called by it) aggregates the findings from all executed plugins. -* **Formatting:** Results are formatted into an OSAR (Open Source Assessment Report), ideally conforming to the BeS Schema structure 4 (see Section 9.1 for details). This ensures consistency. -* **Storage:** The generated OSAR file (e.g., in JSON, YAML, or Markdown format) is typically committed to the BeSAssessment Git repository.1 The commit message or file naming convention should link the OSAR to the specific asset (OSSPoI/OSSMoI), its version/commit hash, and the assessment run timestamp or ID. This provides an auditable history of assessments. - -### **7.4 BeSLighthouse Visualization** - -BeSLighthouse serves as the central dashboard for monitoring lab activities and results.1 Users access it via a web browser to: - -* View lists of currently tracked OSSPoI and OSSMoI. -* Check the status of ongoing or completed assessments. -* Review historical assessment results for specific assets. -* Visualize aggregated vulnerability data (OSSVoI), potentially filtered by severity, asset, or time. -* Access direct links to the detailed OSAR files stored in the BeSAssessment repository for deeper investigation. - -### **7.5 Vulnerability Tracking (OSSVoI/CVEs)** - -A core function of the lab is tracking identified vulnerabilities. 
- -* **Identification:** BeSPlugins performing SCA, SAST, DAST, etc., identify potential vulnerabilities. These findings, including CVE identifiers where available, are captured in the OSAR. -* **Extraction & Storage:** A process (within the playbook or a post-processing step) extracts key vulnerability information (CVE ID, CWE ID, severity, affected component/version, description, location) from the OSAR. This structured data (OSSVoI) is stored, potentially: - * Directly within the OSAR file in a structured format (e.g., a findings array). - * In a separate dedicated vulnerability database or file within the BeSAssessment or another repository, linked back to the OSAR and the affected asset. -* **Visualization:** BeSLighthouse queries this structured OSSVoI data to provide aggregated views, trends, and lists of outstanding vulnerabilities across all tracked assets.2 -* **Triage & Remediation:** Security Analysts use the OSARs and BeSLighthouse data to triage new findings, prioritize remediation efforts based on severity and context, assign findings to relevant development teams, and track the status of remediation actions. - -### **7.6 OASP Engagement Options** - -While this guide focuses on a private, internal lab (acting as a private OSAP 1), there are potential future options for engaging with the wider ecosystem, subject to organizational policy: - -* **Contribute Back:** Share identified vulnerabilities and suggested patches back to the upstream open source projects. -* **Data Sharing:** Anonymize and share vulnerability trend data (using the BeS Exchange Schema 1) with trusted partners, industry groups (ISACs), or Be-Secure community initiatives to contribute to collective security intelligence. -* **Consume External Data:** Integrate external vulnerability feeds (e.g., NVD, vendor advisories, other OSAP reports) to correlate with internal findings and enrich the OSSVoI data. - -## **8\. 
Configuring Default Lab Components** - -To ensure the BeSLab instance provides immediate value upon setup, it's essential to configure a baseline set of Environments, Playbooks, and Plugins. These defaults provide core assessment capabilities that can be expanded later. - -### **8.1 Purpose of Defaults** - -Defining default components establishes a foundational set of security checks applicable to common languages, frameworks, and asset types within the organization. This allows the lab to start performing basic assessments quickly after installation and onboarding the first assets. - -### **8.2 Default BeSEnvironments** - -These environments provide the necessary runtime context for common security tools. They are typically defined as Dockerfiles or setup scripts within the BeSEnvironment repository. + \*\*Table 4: Example Default BeSPlugins\*\* + +**6\. Operating Your BeSLab: Workflows in Action** + +* **6.1 Submitting Assets for Assessment** + Define a clear process for how new projects (OSSPoI) and models (OSSMoI) are submitted for tracking and assessment : + * **Manual Git Update:** Authorized users (e.g., Security Analysts) directly clone the asset repository, edit the list file, commit, and push the changes. This is the simplest method and aligns directly with the GitOps model. + * **GitLab Merge Request (MR):** Developers or other stakeholders can submit changes to the asset list file via a GitLab Merge Request. This allows Security Analysts to review and approve the submission before it's merged into the main branch, providing an approval gate. + * **API Integration (Advanced):** For more sophisticated integration, scripts or internal tools could interact with the GitLab API to update the asset lists, potentially triggered by events in other systems (e.g., a new project created in an internal registry). 
+ +*Diagram Reference:* The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** (./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png). + +* **6.2 Running Security Assessments** + Assessments are executed using the defined BeSPlaybooks, which orchestrate the use of BeSEnvironments and BeSPlugins . The separation of these components provides modularity—allowing environments to be reused across playbooks, or playbooks to run different sets of plugins—but requires careful coordination to ensure they work together correctly. + * **Triggering Mechanisms:** Assessments can be initiated in several ways: + * **Manual:** Security Analysts can trigger specific playbooks on demand, often via CLI commands or custom scripts interacting with BeSman or potentially GitLab CI. + * **Scheduled:** Use standard scheduling tools like cron on the host or GitLab CI Schedules to run assessments periodically (e.g., daily SCA scans on critical projects, weekly DAST scans). + * **Event-Driven:** Integrate with GitLab CI/CD pipelines or use webhooks. For example, trigger a SAST and secrets scan automatically on every code commit to a specific branch, or run a full assessment suite when a Merge Request is created. + * **Playbook Invocation Flow:** When triggered, the process typically follows these steps : + 1. The trigger mechanism selects and starts the appropriate BeSPlaybook script. + 2. The playbook script uses BeSman commands to prepare or provision the required BeSEnvironment (e.g., pulling and starting a specific Docker container). + 3. The playbook then executes the sequence of defined BeSPlugins (security tools) within that environment, passing the target asset (e.g., code repository path, model file location) as input to each plugin. + 4. The playbook collects the results from each plugin. 
+ +*Diagram Reference:* This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** (./docs/images/Diagram4AssessmentExecutionWorkflow.png). + +* **6.3 Generating and Storing Reports (OSARs)** + After the plugins within a playbook have run, the results need to be formalized into a standard report . + * **Aggregation & Formatting:** The BeSPlaybook script is responsible for aggregating the findings from the various BeSPlugins executed during the run. It should format these findings into a structured Open Source Assessment Report (OSAR). Adhering to the BeS Schema for the OSAR format is highly recommended for consistency and easier automated processing . + * **Storage:** The generated OSAR file (commonly in JSON or YAML format) is then committed back to the designated BeSAssessment Git repository . The commit message or metadata associated with the file should link the OSAR to the specific asset (OSSPoI/OSSMoI), the version assessed (e.g., Git commit hash, model version tag), the playbook used, and the timestamp of the assessment run. This creates an immutable, version-controlled audit trail of all assessment activities. +* **6.4 Visualizing Results with BeSLighthouse** + The BeSLighthouse dashboard serves as the primary interface for monitoring the lab's activities and results . Users interact with BeSLighthouse to: + * View the lists of currently tracked assets (OSSPoI and OSSMoI) as read from the asset repositories . + * Check the status and history of assessment runs for each asset. + * Visualize aggregated vulnerability data (OSSVoI) associated with the tracked assets . + * Access direct links to the detailed OSAR files stored in the BeSAssessment Git repository for deeper investigation. +* **6.5 Tracking Vulnerabilities (OSSVoI)** + A key function of the lab is to identify and track specific vulnerabilities (OSSVoI) within the monitored assets . 
+ * **Identification & Extraction:** BeSPlugins (especially SCA, SAST, and DAST tools) identify potential vulnerabilities, often providing standard identifiers like CVE numbers. This information is captured by the playbook and included in the OSAR . Key details like the vulnerability ID (CVE), severity level, affected component/file, and location should be extracted and structured within the OSAR . + * **Storage:** Structured OSSVoI data is stored as part of the OSAR in the BeSAssessment repository, or potentially in a separate linked file or database if more complex tracking is implemented. + * **Visualization:** BeSLighthouse reads the OSSVoI data from the assessment results and presents aggregated views, such as counts of vulnerabilities by severity per project . + * **Triage & Remediation:** Security Analysts use the OSARs and the BeSLighthouse dashboard to review new findings, validate their authenticity, prioritize them based on severity and context, assign remediation tasks (e.g., creating tickets in an issue tracker), and track the progress of fixes. + +*Diagram Reference:* The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** (./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png). + +* **6.6 Engagement Options (Beyond Private Use)** + While this guide focuses on a private, internal BeSLab instance functioning as an internal OSAP , the Be-Secure ecosystem allows for potential future interactions: + * **Contribute Back:** Share identified vulnerabilities or patches securely with the upstream open source projects. + * **Data Sharing:** If appropriate agreements are in place, share anonymized vulnerability data (using the BeS Schema for interoperability ) with trusted partners, industry groups, or security communities . 
+ * **Consume External Data:** Integrate external threat intelligence or vulnerability feeds to enrich the findings identified internally and provide broader context. + +**Part 4: Defaults and Governance** + +**7\. Getting Started Quickly: Default Configurations** + +* **7.1 Why Defaults Matter** + Establishing a set of default configurations for environments, playbooks, and plugins provides immediate value after the initial BeSLab setup . These defaults offer foundational security checks for common types of assets, allowing the team to start performing basic assessments quickly without needing extensive customization upfront. +* **7.2 Default Assessment Environments (BeSEnvironments)** + Define a baseline set of reusable runtime environments in the BeSEnvironment repository. These typically encapsulate the dependencies needed for common categories of security tools . Examples often use Dockerfiles for definition. | BeSEnvironment Name | Key Components Included | Purpose | | :---- | :---- | :---- | -| python-base-env | Python 3.x, pip, common build tools, Git | Running Python-specific SAST (Bandit, Semgrep) & SCA tools. | -| node-base-env | NodeJS (LTS), npm/yarn, Git | Running JavaScript/TypeScript SAST/Linters, SCA (npm audit/yarn audit). | -| generic-scanner-env | Base Linux (e.g., Alpine/Debian), curl, jq, git, Trivy | Running generic scanners like Trivy (FS), Gitleaks, or simple scripts. | -| ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps, Git | Dedicated environment for AI model security/safety scanning tools. | -| java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java SAST/SCA tools. | +| python-base-env | Python 3.x, pip, common build tools, Git | Running Python-specific tools like Bandit, Semgrep (Python rules), Python SCA tools. | +| node-base-env | NodeJS (LTS), npm/yarn, Git | Running JavaScript/TypeScript SAST/Linters, SCA tools (npm audit, yarn audit). 
| +| generic-scanner-env | Base Linux OS, curl, jq, git, Trivy binary | Running generic scanners like Trivy (filesystem/repo scanning), Gitleaks, potentially simple script-based checks. | +| ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps | Dedicated environment for AI model security scanning tools (e.g., ModelScan, custom checks). | +| java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java-specific SAST/SCA tools. | -**Table 5: Example Default BeSEnvironments** +\*\*Table 5: Example Default BeSEnvironments\*\* -### **8.3 Default BeSPlaybooks** - -These playbooks combine environments and plugins to perform standard assessment workflows. They reside in the BeSPlaybook repository. +* **7.3 Default Assessment Workflows (BeSPlaybooks)** + Create standard assessment workflows (playbooks) in the BeSPlaybook repository by combining the default environments and plugins for common tasks . These serve as templates that can be used directly or adapted. | BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | | :---- | :---- | :---- | :---- | :---- | -| sast-python-standard | python-base-env | Semgrep-Plugin, Bandit-Plugin | On Commit / Pull Request | Basic static analysis security checks for Python projects. | +| sast-python-standard | python-base-env | Semgrep-Plugin, Bandit-Plugin | On Commit / Pull Request | Basic static analysis checks for Python projects. | | sca-generic-standard | generic-scanner-env | Trivy-Plugin (FS mode) | Daily / Weekly | Scans project dependencies for known vulnerabilities (CVEs). | -| secrets-scan-standard | generic-scanner-env | Gitleaks-Plugin | On Commit / Pull Request | Detects potential secrets accidentally committed to Git history. | -| ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Performs initial safety/security checks on newly added AI models. 
| -| dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline) | Weekly / On Demand | Performs a basic dynamic scan against a deployed web application URL. | - -**Table 6: Example Default BeSPlaybooks** +| secrets-scan-standard | generic-scanner-env | Gitleaks-Plugin | On Commit / Pull Request | Detects potential hardcoded secrets committed to Git history. | +| ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Initial safety/security checks on newly added AI models. | +| dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline Scan) | Weekly / On Demand | Basic dynamic scan against a deployed web application URL (requires target URL). | -### **8.4 Default BeSPlugins** +\*\*Table 6: Example Default BeSPlaybooks\*\* -The recommended initial set of plugins provides coverage across essential security domains. Refer back to **Table 4: Example Default BeSPlugins** (Section 6.4) for the list, including tools like Semgrep, Trivy, Bandit, Gitleaks, OWASP ZAP, and an AI Model Scanner. Integrating these plugins provides the foundational scanning capabilities orchestrated by the default playbooks. +* **7.4 Recap: Default Security Tools (BeSPlugins)** + The default playbooks listed above would typically utilize the core set of BeSPlugins recommended earlier (refer back to **Table 4: Example Default BeSPlugins**). Ensuring these foundational plugins (e.g., Semgrep, Trivy, Bandit, Gitleaks, an AI model scanner, potentially OWASP ZAP) are integrated and functional is key to making the default playbooks operational. -## **9\. Reporting and Governance** +**8\. Reporting and Governance for Your Lab** -Effective operation of the AI Security Lab requires standardized reporting and clear governance structures. - -### **9.1 Sample OSAR Structure** - -Consistent reporting is vital for tracking findings, comparing assessments over time, and communicating risk effectively. 
The Open Source Assessment Report (OSAR) should be structured logically, ideally aligning with the principles of the BeS Schema.4 +* **8.1 Standard Assessment Reports (OSAR Structure)** + Consistent and comprehensive reporting is vital for communicating assessment results effectively. Open Source Assessment Reports (OSARs) should be standardized, ideally aligning with the principles of the BeS Schema . A well-structured OSAR ensures that all necessary information is captured and presented clearly. | OSAR Section | Content Description | Purpose | | :---- | :---- | :---- | -| **Metadata** | Assessment ID, Timestamp, Asset ID (OSSPoI/OSSMoI Name), Asset Version/Commit, BeSPlaybook Used, BeSEnvironment Used, Triggering Event (if applicable). | Uniquely identifies the assessment and its context. | -| **Executive Summary** | Brief overview of the assessment scope, key findings, overall risk level (e.g., Critical, High, Medium, Low), and critical recommendations. | Provides a high-level snapshot for management and quick triage. | -| **Asset Details** | Full Name, Source URL, Description, Exact Version/Commit Hash Assessed, License Information (if applicable). | Clearly identifies the specific artifact that was assessed. | -| **Assessment Scope & Methodology** | Description of the checks performed, list of tools (BeSPlugins) executed, specific configurations used (e.g., scan depth, rule sets), any limitations or exclusions. | Defines the boundaries and methods of the assessment for accurate interpretation of results. | -| **Findings Summary** | Aggregated counts of findings categorized by severity (e.g., Critical, High, Medium, Low, Informational). May include charts or tables. | Provides a quantitative overview of the identified issues. | -| **Detailed Findings** | A list of individual findings. 
Each finding includes: Finding ID, Description, Severity, Status (New, Triaged, Mitigated, False Positive), Location (File, Line, Model Layer, Dependency Name), Evidence/Code Snippet, Remediation Guidance, Associated Identifiers (CVE, CWE \- constituting OSSVoI). | Provides actionable details for each identified vulnerability or issue for analysts and developers. | -| **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. May reference TAVOSS criteria if applicable. | Formally documents the outcome and confidence level derived from the assessment process. | - -**Table 7: OSAR Sample Structure** +| **Metadata** | Unique Assessment ID, Timestamp, Asset ID/Name (OSSPoI/OSSMoI), Asset Version/Commit Assessed, Playbook Used, Environment Used, Triggering Event. | Uniquely identifies the assessment context and parameters. | +| **Executive Summary** | Brief description of the assessment scope, summary of key findings, overall assessed risk level (e.g., Critical/High/Medium/Low), critical recommendations. | Provides a high-level snapshot for quick review by management and triage teams. | +| **Asset Details** | Full Name/Identifier, Source URL/Location, Brief Description, Exact Version/Commit Hash Assessed, License Information. | Clearly identifies the specific artifact that was assessed. | +| **Scope & Methodology** | Description of the checks performed, list of tools (BeSPlugins) used and their versions, specific configurations applied, known limitations or exclusions. | Defines the boundaries and methods of the assessment for transparency and reproducibility. | +| **Findings Summary** | Aggregated counts of findings categorized by severity (e.g., Critical, High, Medium, Low, Informational). May include charts or graphs. | Gives a quantitative overview of the identified issues. | +| **Detailed Findings** | A list of individual findings. 
Each finding should include: Unique ID, Clear Description, Assigned Severity, Current Status (New, Confirmed, Mitigated, False Positive), Location (File path, line number, component name), Evidence (Code snippet, tool output), Remediation Guidance, Associated Identifiers (CVE, CWE \- forming the OSSVoI). | Provides actionable details required by analysts and developers for validation and remediation. | +| **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. May reference internal criteria like TAVOSS if applicable. | Documents the assessment outcome and the confidence level derived from the process. | -### **9.2 RACI Matrix** +\*\*Table 7: OSAR Sample Structure\*\* -A RACI (Responsible, Accountable, Consulted, Informed) matrix clarifies roles and responsibilities for key lab activities, ensuring smooth operation and accountability. +* **8.2 Defining Roles and Responsibilities (RACI Matrix)** + A RACI (Responsible, Accountable, Consulted, Informed) matrix helps clarify roles and responsibilities for various BeSLab activities, preventing confusion and ensuring tasks are owned. 
-| Activity | CISO | Lab Administrator | Security Analyst | Developer Lead / App Owner | Legal / Compliance | +| Activity | CISO | Lab Admin | Security Analyst | Dev Lead / App Owner | Legal / Compliance | | :---- | :---- | :---- | :---- | :---- | :---- | -| Lab Setup/Config | A | R | C | I | I | -| User Onboarding | A | R | C | I | I | -| OSSPoI Onboarding | A | C | R | C | I | -| OSSMoI Onboarding | A | C | R | C | C | -| BeSPlugin Integration | A | R | C | I | I | +| Lab Setup/Configuration | A | R | C | I | I | +| User Onboarding & Permissions | A | R | C | I | I | +| OSSPoI Onboarding (Decision) | A | C | R | C | I | +| OSSMoI Onboarding (Decision) | A | C | R | C | C | +| BeSPlugin Integration/Maintenance | A | R | C | I | I | | Assessment Execution/Scheduling | I | C | R | I | I | -| OSAR Review/Triage | C | I | R | C | C | +| OSAR Review & Vulnerability Triage | C | I | R | C | C | | Vulnerability Remediation Tracking | A | I | R | C | I | | Vulnerability Remediation Implementation | I | I | C | R | I | -| Lab Maintenance/Upgrades | A | R | C | I | I | -| Policy Definition (Scope, SLA) | A | C | C | C | R | - -**Table 8: RACI Matrix** *(R=Responsible, A=Accountable, C=Consulted, I=Informed)* - -### **9.3 Governance Considerations** - -Beyond the RACI matrix, establish clear policies and procedures: - -* **Asset Onboarding Criteria:** Define rules for which OSSPoI and OSSMoI must be onboarded (e.g., based on usage in critical systems, external facing applications, handling sensitive data). -* **Assessment Frequency:** Define minimum assessment frequencies based on asset criticality and type (e.g., SAST/Secrets on commit, SCA daily, DAST weekly, Model Scan on update). -* **Vulnerability Triage Process:** Document the workflow for reviewing new findings, assigning severity based on organizational context, determining validity (true positive/false positive), and assigning ownership. 
-* **Remediation SLAs:** Define expected timelines for acknowledging and fixing vulnerabilities based on severity levels. -* **Tool Validation & Updates:** Regularly review and update integrated BeSPlugins and their underlying tools. Validate tool effectiveness periodically. -* **Reporting Cadence:** Define how and when assessment results and risk posture summaries are reported to the CISO and other stakeholders. - -## **10\. Deployment and Interaction Diagrams (PlantUML)** - -The following diagrams illustrate the BeSLab architecture and key operational flows. - -### **10.1 Diagram 1: High-Level Enterprise Deployment** - -![High-Level Enterprise Deployment](./docs/images/Diagram1HighlevelEnterpriseDeployment.png) - -### **10.2 Diagram 2: Detailed BeSLab Component Layout (Lite Mode Host)** - -![Detailed BeSLab Component Layout (Lite Mode Host)](./docs/images/Diagram2BeSLabComponentsLayout.png) - -### **10.3 Diagram 3: Project/Model Onboarding Flow (Git-based)** - -![Project/Model Onboarding Flow (Git-based)](./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png) - -### **10.4 Diagram 4: Assessment Execution Flow** - -![Assessment Execution Flow](./docs/images/Diagram4AssessmentExecutionWorkflow.png) - -### **10.5 Diagram 5: Vulnerability Tracking Flow (OSSVoI)** - -![Vulnerability Tracking Flow (OSSVoI)](./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png) - -## **11\. Conclusion** - -### **11.1 Benefits Recap** - -Implementing an AI Security Lab using the Be-Secure BeSLab blueprint provides the CISO's organization with a powerful, centralized capability to manage the growing security risks associated with open source software and artificial intelligence models. 
Key benefits include: - -* **Standardized and Proactive Assurance:** Moving from ad-hoc reviews to consistent, automated assessments.1 -* **Enhanced Visibility and Control:** Centralized tracking of critical assets (OSSPoI, OSSMoI) and their associated vulnerabilities (OSSVoI) via BeSLighthouse.1 -* **Reduced Risk Posture:** Early identification and facilitated remediation of vulnerabilities in the software supply chain and AI models. -* **Internal Trust Validation:** The ability to generate internal TAVOSS designations for assessed components, building confidence in their use.1 -* **Extensibility and Adaptability:** A modular architecture based on Playbooks, Environments, and Plugins allows the lab to evolve and integrate new tools and assessment techniques over time. - -### **11.2 Next Steps** - -Following the successful installation and initial configuration outlined in this guide, prioritize these immediate actions: - -1. **Onboard Initial Assets:** Identify and onboard a pilot set of high-priority OSSPoI and OSSMoI based on organizational risk assessment. -2. **Configure & Test Default Workflows:** Ensure the default BeSPlugins, BeSEnvironments, and BeSPlaybooks (Tables 4, 5, 6\) are correctly configured and execute successfully against test assets. -3. **User Training:** Train Security Analysts on operating the lab (triggering scans, reviewing OSARs, using BeSLighthouse) and Developers on submitting assets and interpreting results. -4. **Establish Governance:** Formalize the processes outlined in Section 9.3 (triage, SLAs, reporting) and communicate the RACI matrix (Table 8). -5. **Secure the Lab:** Implement robust security hardening for the BeSLab host, GitLab instance, and associated accounts. Regularly apply security patches. - -### **11.3 Continuous Improvement** - -The AI Security Lab is not a static entity. 
Its value lies in its continuous operation and evolution: - -* **Expand Plugin Coverage:** Regularly evaluate and integrate new BeSPlugins for emerging tools and assessment types (e.g., advanced AI safety checks, infrastructure-as-code scanning, license compliance). -* **Refine Playbooks:** Optimize existing playbooks and create new ones tailored to specific application stacks, risk profiles, or compliance requirements. -* **Update Environments:** Keep the underlying tools and dependencies within BeSEnvironments up-to-date. -* **Integrate with DevSecOps:** Explore deeper integration with existing CI/CD pipelines to automate security feedback loops for developers. -* **Monitor Effectiveness:** Regularly review the lab's performance, the types of vulnerabilities being found, and the speed of remediation to identify areas for improvement in tooling or processes. - -By following this guide and embracing a culture of continuous improvement, the CISO's organization can leverage the BeSLab blueprint to build a robust, effective, and adaptable AI Security Lab, significantly strengthening its posture against modern cyber threats. - -#### **Works cited** - -1. Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLab](https://github.com/Be-Secure/BeSLab) -2. Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLighthouse](https://github.com/Be-Secure/BeSLighthouse) -3. 
Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, [https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/](https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/) -4. Be-Secure/bes-schema: This repository defines the data ... \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/bes-schema](https://github.com/Be-Secure/bes-schema) +| Lab Maintenance & Upgrades | A | R | C | I | I | +| Policy Definition (Scope, SLAs) | A | C | C | C | R | + +\*\*Table 8: RACI Matrix\*\* \*(R=Responsible, A=Accountable, C=Consulted, I=Informed)\* + +* **8.3 Key Governance Policies to Establish** + Implementing the BeSLab technology is only part of the solution. Establishing clear governance processes and policies is crucial to ensure the lab operates effectively and contributes meaningfully to risk reduction . Without governance, scan results might be inconsistent, ignored, or overwhelming. Key areas requiring formal policies include : + * **Onboarding Criteria:** Define clear rules for which types of OSS projects and AI models *must* be onboarded into the lab (e.g., based on criticality, external facing, handling sensitive data). + * **Assessment Frequency:** Establish minimum scanning schedules based on asset criticality and type of scan (e.g., critical web frameworks scanned daily with SCA, less critical libraries weekly; SAST on every commit). + * **Triage Process:** Document the workflow for how findings reported in OSARs are reviewed, validated (confirming they are true positives), prioritized (based on severity and context), and assigned for remediation. + * **Remediation SLAs:** Define expected timelines (Service Level Agreements) for fixing vulnerabilities based on their severity level (e.g., Critical vulnerabilities fixed within 7 days, High within 30 days). 
+ * **Tool Validation & Updates:** Implement a process for regularly reviewing the effectiveness of integrated BeSPlugins, updating the underlying tools to their latest stable versions, and validating parser logic. + * **Reporting Cadence:** Define how and when assessment results and overall risk posture summaries are reported to different stakeholders (e.g., immediate alerts for critical findings, monthly summaries for management). + +**Part 5: Visual Aids and Conclusion** + +**9\. Visualizing the Setup** + +The following diagrams, referenced by their original file names in the source documentation, provide visual context for the BeSLab architecture and workflows. While the images themselves are not embedded here, understanding their purpose can aid comprehension: + +* **9.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. *(Reference Diagram 1: ./docs/images/Diagram1HighlevelEnterpriseDeployment.png)*. +* **9.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. *(Reference Diagram 2: ./docs/images/Diagram2BeSLabComponentsLayout.png)*. + +**10\. Conclusion and Next Steps** + +* **10.1 Summary of Benefits** + Establishing and operating an AI Security Lab using the BeSLab blueprint offers significant advantages for strengthening an organization's security posture regarding open source software and AI models : + * **Standardized Assurance:** Implements consistent, automated, and repeatable security assessment processes. 
+ * **Visibility & Control:** Provides centralized tracking and visualization of monitored assets (OSSPoI/MoI) and their associated vulnerabilities (OSSVoI) through the BeSLighthouse dashboard . + * **Reduced Risk:** Enables the early identification and facilitates the timely remediation of vulnerabilities before they can be exploited. + * **Internal Trust:** Creates a mechanism (TAVOSS) for establishing and communicating internal trust levels for assessed components . + * **Extensibility:** Offers a modular architecture allowing the integration of new tools, techniques, and assessment types over time . +* **10.2 Immediate Actions After Setup** + Once the initial installation and configuration described in this guide are complete, focus on these next steps to make the lab operational : + 1. **Onboard Initial Assets:** Begin by onboarding a small set of high-priority or representative OSS projects (OSSPoI) and AI models (OSSMoI). + 2. **Configure & Test Defaults:** Ensure the default BeSEnvironments, BeSPlaybooks, and BeSPlugins (Tables 4, 5, 6\) are correctly configured and functioning as expected by running test assessments. + 3. **User Training:** Provide training to Security Analysts, relevant Developers, and other stakeholders on how to use the lab (submitting assets, running scans, interpreting reports, using BeSLighthouse). + 4. **Establish Governance:** Formalize the key governance policies (Section 8.3) and communicate the RACI matrix (Table 8\) to ensure clear processes and responsibilities. + 5. **Secure the Lab:** Implement security best practices for the BeSLab host OS, the GitLab instance (user management, network access), and ensure components are kept patched and updated. +* **10.3 Continuous Improvement Roadmap** + An effective AI Security Lab requires ongoing maintenance and evolution : + * **Expand Plugin Coverage:** Continuously identify and integrate new BeSPlugins to cover more languages, frameworks, vulnerability types, and AI-specific risks. 
+ * **Refine Playbooks:** Optimize existing BeSPlaybooks and create new ones tailored to specific organizational needs, risk profiles, or compliance requirements. + * **Update Environments:** Regularly update the tools, libraries, and base images within BeSEnvironments to ensure accurate scanning and benefit from the latest tool features. + * **Integrate with DevSecOps:** Enhance automation by integrating BeSLab assessment triggers and feedback loops directly into developer CI/CD pipelines. + * **Monitor Effectiveness:** Regularly review the lab's performance, the quality of findings, the speed of remediation, and feedback from users to identify areas for improvement in tools, processes, and governance. + +By following this guide to establish the initial BeSLab instance and committing to its continuous improvement, organizations can build a powerful internal capability to manage the security risks associated with open source software and artificial intelligence. + +**11\. Works Cited** + +Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLab +Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLighthouse +Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/ +Be-Secure/bes-schema: This repository defines the data... \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/bes-schema From 908e5c2fece9c0a19e8782f46a81ecf5e6d68064 Mon Sep 17 00:00:00 2001 
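Review bot: The new table captions in this hunk escape their bold markers, so `\*\*Table 5: Example Default BeSEnvironments\*\*` (and Tables 4, 6, 7, 8) will render as literal backslashes and asterisks instead of bold, where the removed lines used `**Table 5: Example Default BeSEnvironments**`; the same escaping appears in `CVE, CWE \- forming the OSSVoI`. Two more documentation points in the same region: the removed inline citation numbers (".1", ".4") leave stray spaces before punctuation throughout the added text ("submitted for tracking and assessment :", "formalized into a standard report .", "functioning as an internal OSAP ,"), and the replacement "11. Works Cited" list drops both the numbering and the markdown links, so in-text references can no longer be tied to an entry; either restore the numbered, linked entries or remove the dangling spaces. Finally, the new "9. Visualizing the Setup" says the images "are not embedded here" while the removed "10. Deployment and Interaction Diagrams" embedded the same ./docs/images/ files with `![...]()`, and it only lists Diagrams 1 and 2 although Sections 6.1, 6.2 and 6.5 still point readers at Diagrams 3, 4 and 5; keeping the embeds for all five avoids a regression for readers of the rendered page.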
From: Vinod Panicker Date: Thu, 1 May 2025 13:31:35 +0530 Subject: [PATCH 09/30] Update AISecurityLabUserGuide.md rollback changes --- AISecurityLabUserGuide.md | 1108 +++++++++++++++++++++---------------- 1 file changed, 644 insertions(+), 464 deletions(-) diff --git a/AISecurityLabUserGuide.md b/AISecurityLabUserGuide.md index 1dde8f7..850a7e9 100644 --- a/AISecurityLabUserGuide.md +++ b/AISecurityLabUserGuide.md 
@@ -1,465 +1,645 @@ # **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** - -**Part 1: Understanding BeSLab** - -**1\. Introduction: Your AI Security Lab** - -* **1.1 What is BeSLab and Why Use It?** - In today's digital world, organizations heavily rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models. While these components accelerate innovation, they also introduce security risks from potential vulnerabilities within them and the unique ways AI models can be attacked. Effectively managing these risks demands a structured and proactive strategy. - Establishing a dedicated AI Security Lab, based on the BeSLab blueprint, provides an organization's security team (specifically the CISO's office) with the necessary *internal* capability. It allows the organization to systematically check, track, and reduce the security risks tied to the OSS and AI components it uses or considers using . This focus on building internal capacity is central; BeSLab facilitates the development of in-house expertise and provides direct control over the security assurance process for these critical third-party assets, moving beyond reliance on external assessments or inconsistent manual reviews. -* **1.2 The Be-Secure Philosophy: Beyond a Single Tool** - The Be-Secure initiative aims to help organizations and the wider community strengthen open source artifacts—software, ML models, and datasets—against vulnerabilities . The BeSLab blueprint stems from this goal, offering a design for an open-source security lab. - It is crucial to understand that BeSLab is not a single software product that can be installed with one click. Instead, it is a *blueprint* or an *architectural pattern* . Think of it as a template defining how various tools and processes work together to create a comprehensive security assessment environment . 
This approach provides significant flexibility, allowing organizations to tailor the lab's capabilities. However, it also means that implementation involves assembling and integrating these components according to the blueprint's design, rather than installing a monolithic application. The core objective is to give application security and security operations teams full control and transparency over how these critical components are assessed . -* **1.3 Value for the CISO and Security Teams** - Implementing a BeSLab instance based on this blueprint delivers clear advantages for the CISO's organization and security teams : - * **Standardized Assurance:** Creates consistent and repeatable processes for security assessments of both OSS projects and AI models. - * **Centralized Visibility:** Offers a unified view through the BeSLighthouse dashboard, tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and related Vulnerabilities of Interest (OSSVoI) . - * **Reduced Risk Exposure:** Enables proactive identification and facilitates the fixing of vulnerabilities in essential software and models before attackers can exploit them. - * **Cost Efficiency:** Can lower the overall cost of risk assessment compared to frequent external security engagements or time-consuming manual reviews, especially as the number of tracked assets increases . - * **Internal Attestation:** Allows the organization to generate internal trust marks, such as a "Trusted and Verified Open Source Software" (TAVOSS) designation, for components that pass the lab's defined security checks . This TAVOSS status serves as a tangible outcome, providing a standardized way to communicate assurance levels internally and build confidence in the security posture of approved components . 
-* **1.4 Scope of This Guide** - This document serves as a comprehensive user guide focused specifically on setting up, configuring, and operating a *private* AI Security Lab using the BeSLab blueprint within an enterprise setting. It details the *'Lite Mode'* deployment, which consolidates essential components onto a single host machine, and covers integration with GitLab Community Edition (CE) as the code collaboration platform . The guide walks through the entire lifecycle: understanding the architecture, meeting prerequisites, installation steps, onboarding users, projects, models, and tools, defining operational workflows for security assessments, generating reports (OSARs), establishing governance (RACI), and configuring default components. - -**2\. How BeSLab Works: Architecture and Concepts** - -* **2.1 The Blueprint Explained: Core Components** - The BeSLab architecture, being a blueprint, defines how various components interact to form a working security lab . It integrates existing open-source tools with specific Be-Secure utilities and data structures to build a cohesive system for security assessment . A typical private BeSLab instance deployed in Lite Mode, as covered in this guide, includes these core parts : - * **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the central nervous system of the BeSLab instance. It hosts the critical datastore repositories containing configurations, definitions of assets (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and the assessment results (OSARs) . Using GitLab CE provides a powerful, self-hosted platform supporting version control, collaboration, and potential CI/CD integration for automating assessment workflows. - * **Datastore Repositories:** These are specific Git repositories within the SCM platform designated for storing different types of lab data. 
Common examples include : - * BeSEnvironment: Stores definitions and scripts for creating assessment environments. - * BeSPlaybook: Contains the scripts and configurations defining assessment workflows (playbooks). - * BeSAssessment: Archives the generated Open Source Assessment Reports (OSARs) and related metadata. - * Asset Stores (e.g., besecure-assets-store): Repositories holding lists and details of tracked OSSPoI, OSSMoI, etc. The precise naming and structure are important for tools like BeSLighthouse to locate data correctly . - * **BeSLighthouse:** A web-based dashboard application providing the main user interface for visualizing the lab's data . It reads information directly from the designated Git datastore repositories and presents views of tracked assets, associated vulnerabilities, assessment statuses, and links to detailed reports . Its direct reliance on the Git backend reinforces the GitOps model described below. - * **BLIman (BeSLab Lifecycle Management):** A command-line interface (CLI) tool specifically created for deploying, configuring, and managing the lifecycle of a BeSLab instance . It uses a configuration file (genesis.yaml) to define the lab's setup and provides commands like bli load, bli initmode, and bli launchlab to orchestrate the installation . - * **BeSman (BeS Environment Manager):** Another CLI utility, working alongside BLIman, focused on creating and managing the BeSEnvironments needed for assessments . It is typically installed during the BLIman setup and used by playbooks to provision the correct runtime environments for security tools . The reliance on distinct CLI tools like BLIman and BeSman for core management tasks means that administrators need proficiency with command-line operations. Automation efforts, operational procedures, and troubleshooting will heavily involve executing and scripting these commands, differing from purely GUI-managed systems. 
- * **BeSEnvironment:** Represents a specific computing setup (often a container image or defined by setup scripts) containing the necessary tools, libraries, and dependencies to run a particular set of security assessments . These ensure assessments are consistent and repeatable. They are defined in the BeSEnvironment repository and managed by BeSman . - * **BeSPlaybook:** An automated script or workflow designed to orchestrate specific security assessment tasks . A playbook typically specifies which BeSEnvironment to use and which BeSPlugins (security tools) to run in sequence, along with configuration and data handling steps. Playbooks codify the assessment process for different asset types or security checks (e.g., SAST scan for Python code, AI model safety check). - * **BeSPlugin:** Represents an integration wrapper around a specific security tool (e.g., a SAST scanner like Semgrep, an SCA tool like Trivy, a secrets detector like Gitleaks, or an AI model analyzer) . These plugins are the "workhorses" that perform the actual security scans. They are called by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of integrated BeSPlugins. The framework is extensible, allowing new tools to be added as plugins over time . -* **2.2 The GitOps Foundation** - A fundamental aspect of the BeSLab architecture is its reliance on a GitOps workflow for managing the lab itself . This means that nearly all configurations, operational state definitions, asset lists, assessment playbooks, environment definitions, and even assessment results (OSARs) reside within Git repositories hosted on the SCM platform (like GitLab CE) . 
- Changes to the lab's setup—adding a new project to track, modifying an assessment playbook, updating an environment, or configuring a tool—are managed through standard Git operations: making changes, committing them with descriptive messages, and pushing them to the central repository. This approach offers significant advantages for managing the security lab infrastructure: - * **Auditability:** Every change is recorded in the Git history, providing a clear audit trail of who changed what and when. - * **Version History:** Previous configurations and states can be easily reviewed or restored if needed. - * **Reproducibility:** The entire lab configuration is defined in code, making it easier to replicate the setup or recover from failures. - * **Collaboration:** Multiple team members can collaborate on managing the lab's configuration using familiar Git workflows. - * **Infrastructure-as-Code:** It treats the lab's configuration and operational definitions as code, promoting discipline, automation potential, and reliability in its management. BeSLighthouse reading directly from these repositories further reinforces this model, ensuring the dashboard always reflects the state defined in Git . -* **2.3 Key Terms You Need to Know** - Understanding this terminology is essential for working with BeSLab : - * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects your organization uses or depends on, which are onboarded into the lab for security assessment and monitoring. - * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by your organization, onboarded for security and safety assessments. - * **OSSVoI (Open Source Vulnerabilities of Interest):** The specific vulnerabilities (often identified by CVEs or similar IDs) discovered within the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities . 
- * **OSAR (Open Source Assessment Report):** The standardized report generated after a BeSPlaybook completes an assessment run . It details the scope, methods, findings (including OSSVoI), risk posture, and potentially remediation advice. OSARs should ideally follow the BeS Schema for consistency . - * **TAVOSS (Trusted and Verified Open Source Software):** An internal designation indicating that an OSS project or AI model has passed a defined assessment process within your BeSLab instance and meets your organization's security criteria . Achieving TAVOSS status signifies a higher level of confidence based on the internal assessment . The lab facilitates identifying or distributing these TAVOSS-approved versions internally . - * **OSAP (Open Source Assurance Provider):** Each BeSLab instance acts as an OSAP . In the context of this guide (a private lab), your organization functions as its own internal OSAP, providing assurance for the assets it monitors. - * **BeS Schema / Exchange Schema:** A standardized data format defined by Be-Secure to enable consistent exchange of information about assets, vulnerabilities, and assessments between BeSLab components and potentially other systems or labs . Adhering to this schema, even in a private deployment, promotes interoperability, allows consistent data processing and visualization (e.g., by BeSLighthouse), simplifies tool development, and ensures reports (OSARs) have a uniform structure, making the lab's data more valuable and future-proof . - -**Part 2: Setting Up and Configuring Your Lab** - -**3\. Setting Up Your Private BeSLab (Lite Mode)** - -* **3.1 Before You Begin: Prerequisites Checklist** - Ensuring the target environment meets all requirements before starting installation is crucial for avoiding common setup problems. A dedicated host machine (a Virtual Machine is recommended for easier management and snapshots) is needed . 
- The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. Meeting the recommended specifications is advisable for enterprise use to ensure adequate performance, especially for GitLab and concurrent assessments. Sufficient disk space is particularly important for storing Git repository data, container images, and potentially large assessment artifacts or logs. - -| Category | Requirement | Details / Recommendations | Reference | -| :---- | :---- | :---- | :---- | -| **Hardware** | CPU | Min: 4 vCPU, Recommended: 8+ vCPU | | -| | RAM | Min: 8 GB, Recommended: 16+ GB | | -| | Disk Space | Min: 16 GB, Recommended: 100+ GB (SSD) | | -| **Software** | Operating System | Ubuntu LTS Recommended | | -| | Utilities | curl, unzip, bash, git, sudo access | | -| | Container Runtime | Docker Engine or compatible | Implied | -| | NodeJS | v16.0+ | | -| | Python | Python 3, pip (Optional, depending on tools/methods) | | -| **Network** | Host Addressing | Static IP or resolvable DNS hostname | Required | -| | Internet Access | Outbound access for downloads/updates | Required | -| | Firewall Ports | SSH (22), HTTP/S (80/443 for GitLab), BeSLighthouse Port (e.g., 3000 or 80), potentially others | Required | -| | Internal Access | User access to GitLab/BeSLighthouse UIs | Required | -| **Accounts** | Host OS User | User with sudo privileges | | -| | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | | - -\*\*Table 1: Prerequisites Summary\*\* - -This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` process . Using an existing GitLab instance requires significant manual configuration beyond this standard guide. - -* **3.2 Step-by-Step Installation using BLIman** - Follow these steps to install a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool . Lite Mode installs core components like GitLab CE and BeSLighthouse onto the single prepared host . 
The installation is driven by the genesis.yaml configuration file. - 1. **Prepare Host:** Log in to the designated host machine (which meets all prerequisites) using an account with sudo privileges . - 2. **Install BLIman:** Install the BeSLab Lifecycle Management tool. Always refer to the official Be-Secure/BLIman repository for the most current installation instructions . Example commands (verify URLs): - Bash - \# Example installation commands (Verify against official BLIman README) - \# Download the installer script (URL might change) - curl \-sSL \ \-o install-bliman.sh - - \# Run the installer script - sudo bash install-bliman.sh - - \# Clean up installer script - rm install-bliman.sh - - \# Verify installation by checking the help command - bli help - Successful execution of bli help confirms installation. - 3. **Configure genesis.yaml:** Create the genesis.yaml file in your working directory. This file defines all parameters for the BeSLab instance . Customize the values below (especially URLs, IPs, ports, and the initial GitLab password) for your environment. 
- YAML - \# Sample genesis.yaml for Private Lite Mode - \# \--- Global Configuration \--- - beslab\_mode: "lite" \# Specifies Lite Mode deployment - deployment\_type: "private" \# Specifies a private instance - - \# \--- GitLab Configuration \--- - gitlab: - host\_url: "http://\" \# \*\*REQUIRED\*\*: URL users will use - initial\_root\_password: "\" \# \*\*REQUIRED\*\*: Set a strong temporary password - \# Optional: Specify ports if not default 80/443/22 - \# http\_port: 80 - \# https\_port: 443 - \# ssh\_port: 22 - \# Optional: Specify data volume path - \# data\_volume: "/srv/gitlab/data" - - \# \--- BeSLighthouse Configuration \--- - beslighthouse: - host\_ip: "0.0.0.0" \# Listen on all interfaces within the container - host\_port: "3000" \# \*\*REQUIRED\*\*: Port BeSLighthouse will listen on (e.g., 3000\) - \# Optional: Specify data volume path - \# config\_volume: "/srv/beslighthouse/config" - - \# \--- Other Optional Configurations (Add as needed based on BLIman documentation) \--- - \# Example: Default user settings, registry settings, etc. - **Critical Security Note:** Choose a strong, unique initial\_root\_password for GitLab. This password **must** be changed immediately after the first login. Store the genesis.yaml file securely. - 4. **Load Configuration:** Use BLIman to parse and load the configuration : - Bash - \# Ensure you are in the directory containing genesis.yaml or provide the full path - bli load genesis.yaml - Address any validation errors reported by BLIman. - 5. **Initialize Mode:** Prepare BLIman for the 'lite' deployment mode : - Bash - bli initmode lite - - 6. **Initialize BeSman:** Initialize the BeS Environment Manager, usually installed by bli initmode : - Bash - source $HOME/.besman/bin/besman-init.sh - Verify initialization by checking its help command : - Bash - bes help - - 7. 
**Launch the Lab:** Start the main deployment process : - Bash - bli launchlab - This command downloads Docker images, configures and starts containers (GitLab, BeSLighthouse), sets up networking/volumes, and potentially seeds initial GitLab structures . This step can take significant time. Monitor the console output for errors. -* **3.3 Initial Verification: Checking Your Setup** - Once bli launchlab finishes successfully, verify the installation : - 1. **Access GitLab UI:** Open a web browser and go to the gitlab.host\_url defined in genesis.yaml. - 2. **Login to GitLab:** Use username root and the initial\_root\_password from genesis.yaml. - 3. **CRITICAL: Change GitLab Password:** GitLab will force a password change on first login. Set a new, strong, unique password and store it securely. This is vital for security. - 4. **Access BeSLighthouse UI:** Open another browser tab and navigate to http://\:\ (e.g., http://192.168.1.100:3000). - 5. **Verify BeSLighthouse Load:** The dashboard should load. Expect lists like "Projects Of Interest" to be empty initially . - 6. **(Optional) Check Container Status:** On the BeSLab host, run docker ps to confirm the GitLab and BeSLighthouse containers are running. - -Successful completion of these checks indicates the core BeSLab infrastructure is operational. - -**4\. Configuring Your BeSLab Instance** - -* **4.1 Essential GitLab Configuration** - After the initial setup and password change, configure these GitLab settings relevant for BeSLab : - * **User Sign-up Restrictions:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is strongly recommended to *disable* new sign-ups (uncheck "Sign-up enabled") to prevent unauthorized access. If self-registration is needed later, enable admin approval. - * **Group/Project Creation Permissions:** Go to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review who can create top-level groups and projects. 
Restricting this to Administrators initially is advisable for better control. - * **(Future Use) Runner Configuration:** If planning to automate assessment workflows using GitLab CI/CD pipelines later, GitLab Runners will need to be configured. This is an advanced step involving setting up agents that can execute jobs, potentially interacting with Docker or the BeSLab host. -* **4.2 Setting Up Be-Secure Repositories in GitLab** - BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations . While bli launchlab might perform some setup, manually creating or verifying these core repositories is often necessary. The precise naming and structure are important, as tools like BeSLighthouse often expect specific repository names and locations to function correctly . Deviating from expected conventions might prevent the dashboard or other tools from finding and processing data. - 1. **Login to GitLab:** Log in as the root user or another administrator. - 2. **Create a Top-Level Group:** Create a new group (e.g., besecure-lab) to logically organize all BeSLab-related repositories. - 3. **Create Core Repositories:** Within the besecure-lab group, create the following projects (Git repositories). Initialize each with at least a README file: - * BeSEnvironment: Stores assessment environment definitions (e.g., Dockerfiles). - * BeSPlaybook: Stores assessment playbook scripts. - * BeSAssessment: Stores assessment output reports (OSARs) and metadata. - * besecure-assets-store (or the name expected by BeSLighthouse's configuration): Stores lists/definitions of OSSPoI, OSSMoI, etc. . - * Potentially others depending on specific configurations or extensions. -* **4.3 Connecting BeSLighthouse to Your Data** - BeSLighthouse needs to be configured to find the data repositories within your private GitLab instance . This step activates the dashboard by linking the visualization front-end to the Git-based data back-end. - 1. 
**Locate datastore.ts:** Access the BeSLab host machine (e.g., via SSH). Find the BeSLighthouse installation directory. The exact path depends on the deployment, potentially within a Docker volume mount (check docker inspect \ for volume details) or a location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, locate the configuration file, typically src/config/datastore.ts . - 2. **Edit datastore.ts:** Open the file using a text editor (like nano or vim). Find the variables defining the URLs for the datastore repositories. Update these URLs to point to the repositories created in **your private GitLab instance** within the besecure-lab group . - * Example modification: - TypeScript - // Before modification (example pointing to public GitHub) - // export const PoI\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assets-store.git"; - // export const Assessment\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assessment-datastore.git"; - - // After modification (pointing to internal GitLab) - export const PoI\_Repo\_URL \= "http://\/besecure-lab/besecure-assets-store.git"; - export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; - // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly - - 3. **Restart BeSLighthouse:** Apply the changes by restarting the BeSLighthouse service or container. If using Docker: - Bash - \# Find the BeSLighthouse container ID or name - sudo docker ps - - \# Restart the container - sudo docker restart \ - - 4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. Although the lists will still be empty until data is added, check the browser's developer tools (Network tab) or the container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated in the repositories. 
- -**Part 3: Populating and Operating Your Lab** - -**5\. Populating Your Lab: Onboarding Guide** - -* **5.1 Managing User Access and Roles** - Properly managing user access is crucial for security and operational efficiency. Define roles within the BeSLab context and map them to GitLab's permission model to control who can perform specific actions . - * **Typical Roles:** - * **Lab Administrator:** Installs, configures, maintains, and upgrades BeSLab; manages users; integrates core tools. Requires high-level privileges. - * **Security Analyst:** Onboards assets (OSSPoI/OSSMoI), defines and triggers assessments, reviews reports (OSARs), triages vulnerabilities (OSSVoI), customizes assessment workflows (playbooks). Needs broad operational access. - * **Developer / Asset Owner:** Submits their projects/models for assessment, views reports relevant to their assets, responsible for implementing fixes. Needs access primarily to specific results. - * **CISO / Management:** Oversees the overall risk posture via dashboards (BeSLighthouse) and summary reports. Typically requires read-only access. - * **GitLab Permission Mapping (Example):** - * Lab Administrator: Assign Owner role on the top-level besecure-lab group in GitLab. - * Security Analyst: Assign Maintainer role on the besecure-lab group. - * Developer / Asset Owner: Assign Developer or Reporter role on specific projects/repositories relevant to them. - * CISO / Management: Assign Guest or Reporter role on the besecure-lab group for viewing access. - * **Onboarding Process:** - 1. The Lab Administrator logs into GitLab. - 2. Navigates to Admin Area \-\> Overview \-\> Users. - 3. Creates new user accounts as needed (assuming sign-up is restricted). - 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. - 5. Invites users to the group, assigning the appropriate role based on the mapping above. Permissions can be further refined on individual sub-projects (repositories) if necessary. 
-* **5.2 Adding Projects (OSSPoI) for Assessment** - Onboarding Open Source Projects of Interest (OSSPoI) means adding the software projects your organization relies on to the lab's tracking system so they can be assessed . - * **Definition:** OSSPoI are specific open-source software projects deemed important or critical enough by the organization to warrant regular security assessment. - * **Process:** The process leverages the GitOps workflow: - 1. Identify the OSS project to onboard. - 2. Locate the designated asset tracking repository in GitLab (e.g., besecure-lab/besecure-assets-store). - 3. Clone this repository to your local machine. - 4. Edit the relevant file within the repository (e.g., osspoi\_list.yaml or projects.json, depending on the convention established). Add an entry for the new project, including metadata such as Project Name, Source Code URL (e.g., Git repository URL), specific Version(s) of interest, and potentially a flag indicating if it's targeted for TAVOSS designation. - 5. Commit the changes locally using a clear, descriptive commit message (e.g., "Add OSSPoI: Apache Commons Text v1.10"). - 6. Push the changes back to the central GitLab repository. BeSLighthouse should automatically pick up the changes on its next refresh cycle . - * **TAVOSS Designation:** Marking an OSSPoI for TAVOSS signifies an intent to subject it to a more rigorous assessment process defined by the organization, aiming to achieve the internal 'Trusted and Verified' status . - * **Example OSSPoI Candidates:** Prioritize projects based on their criticality to business operations, widespread usage within the organization, known history of vulnerabilities, or handling of sensitive data. 
- -| OSSPoI Candidate | Rationale | Potential Assessment Focus | -| :---- | :---- | :---- | -| Apache Log4j 2 | Critical logging library; past vulnerabilities | SCA (Dependencies), SAST (Java) | -| Apache Struts2 | Web framework; history of RCE vulnerabilities | SCA, SAST (Java), DAST | -| Spring Boot / Framework | Widely used Java framework | SCA, SAST (Java), Secrets Scan | -| TensorFlow | Foundational ML framework | SCA (Python deps), SAST (Python) | -| PyTorch | Foundational ML framework | SCA (Python deps), SAST (Python) | -| Node.js Express | Common web framework for Node.js | SCA (npm), SAST (JavaScript/TS) | -| Internal Shared Library X | Critical internal component used by many apps | SAST, SCA, Secrets Scan | - - \*\*Table 2: Example OSSPoI Candidates\*\* - -* **5.3 Adding AI Models (OSSMoI) for Assessment** - Similar to software projects, Open Source Models of Interest (OSSMoI) need to be onboarded for tracking and security/safety assessment . - * **Definition:** OSSMoI are specific open-source AI/ML models used or being considered for use by the organization. - * **Process:** This follows the same Git-based workflow used for OSSPoI. An analyst or administrator clones the asset tracking repository (or a dedicated model repository), edits the designated list file (e.g., ossmoi\_list.yaml), adds the new model with relevant metadata (Model Name, Source URL/Identifier like Hugging Face Hub ID, Version, Base Model if fine-tuned, License information), commits, and pushes the changes. - * **Example OSSMoI Candidates:** Focus on models relevant to the organization's AI strategy, particularly those used in production, handling sensitive data, or interacting with users. 
- -| OSSMoI Candidate | Rationale | Potential Assessment Focus | -| :---- | :---- | :---- | -| BERT (e.g., base-uncased) | Popular foundational NLP model | Model Scanning (safety, e.g., unsafe operators), Provenance Checks, License Compliance | -| Stable Diffusion (e.g., v1.5) | Widely used image generation model | Model Scanning, License Compliance, Potential Bias Checks | -| Llama (e.g., Llama-2-7b-hf) | Common open Large Language Model (LLM) | Model Scanning (safety), License Compliance, Responsible AI checks | -| GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance Checks | -| Internally Fine-tuned Model Y | Model derived from OSSMoI, used in production | Model Scanning, Fine-tuning Data Privacy Review, Robustness Testing | - - \*\*Table 3: Example OSSMoI Candidates\*\* - -* **5.4 Integrating Security Tools (BeSPlugins)** - The actual security assessment capabilities of the BeSLab depend entirely on the integrated security tools, made available via BeSPlugins . Integrating these tools is therefore a fundamental task. - * **Definition:** A BeSPlugin acts as the integration layer or wrapper that allows a BeSPlaybook to invoke a specific security tool (like a scanner or linter) within the BeSLab framework . - * **Integration Process:** - 1. **Identify Tool:** Select the security tool needed (e.g., Semgrep for code pattern matching, Trivy for vulnerability scanning, Bandit for Python security linting, Gitleaks for secret detection, OWASP ZAP for dynamic scanning, or a specialized AI model scanner). - 2. **Check Existing Plugins:** Look within the Be-Secure community repositories or internal repositories for pre-built BeSPlugins for the chosen tool. Reusing existing plugins saves significant effort. - 3. **Develop/Configure Plugin:** If no suitable plugin exists, one needs to be developed or configured. 
This typically involves creating a script (e.g., shell script, Python script) that: - * Knows how to execute the security tool with appropriate arguments (taking input like target repository path or URL). - * Parses the tool's output (e.g., JSON, XML, plain text). - * Ideally, transforms the output into the standardized BeS Schema format for consistent reporting and processing . - * Defines any dependencies required by the tool or the wrapper script. - * Is packaged or made available for execution within a BeSEnvironment. - 4. **Define BeSEnvironment:** Ensure a suitable BeSEnvironment exists (or create one) that contains the security tool itself and all its runtime dependencies (e.g., specific Python version, libraries, OS packages). This environment definition (e.g., a Dockerfile) should reside in the BeSEnvironment repository . - 5. **Reference in BeSPlaybook:** Update an existing BeSPlaybook or create a new one in the BeSPlaybook repository to invoke the newly integrated BeSPlugin at the appropriate step in the assessment workflow . - * **Extensibility:** This plugin-based architecture is designed for extensibility, allowing the organization to add new security tools, techniques, or custom checks over time as threats evolve and new technologies are adopted . - * **Example Default BeSPlugins:** Start by integrating a core set of plugins covering common security assessment types. The effectiveness of the lab is directly linked to the quality and breadth of these integrated plugins. Maintaining them (e.g., updating tools, adapting parsers) requires ongoing effort but is essential for deriving value. - -| BeSPlugin Example | Tool Integrated (Example) | Security Assessment Type | Purpose | -| :---- | :---- | :---- | :---- | -| Semgrep-Plugin | Semgrep | SAST | Static code analysis using customizable pattern matching. | -| Trivy-Plugin | Trivy | SCA, Container Scanning | Detects known vulnerabilities in OS packages & dependencies. 
| -| Bandit-Plugin | Bandit | SAST (Python) | Finds common security issues specifically in Python code. | -| Gitleaks-Plugin | Gitleaks | Secret Scanning | Detects hardcoded secrets (API keys, passwords) in Git history. | -| OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application vulnerabilities via crawling/attacking. | -| ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | - - \*\*Table 4: Example Default BeSPlugins\*\* - -**6\. Operating Your BeSLab: Workflows in Action** - -* **6.1 Submitting Assets for Assessment** - Define a clear process for how new projects (OSSPoI) and models (OSSMoI) are submitted for tracking and assessment : - * **Manual Git Update:** Authorized users (e.g., Security Analysts) directly clone the asset repository, edit the list file, commit, and push the changes. This is the simplest method and aligns directly with the GitOps model. - * **GitLab Merge Request (MR):** Developers or other stakeholders can submit changes to the asset list file via a GitLab Merge Request. This allows Security Analysts to review and approve the submission before it's merged into the main branch, providing an approval gate. - * **API Integration (Advanced):** For more sophisticated integration, scripts or internal tools could interact with the GitLab API to update the asset lists, potentially triggered by events in other systems (e.g., a new project created in an internal registry). - -*Diagram Reference:* The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** (./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png). - -* **6.2 Running Security Assessments** - Assessments are executed using the defined BeSPlaybooks, which orchestrate the use of BeSEnvironments and BeSPlugins . 
The separation of these components provides modularity—allowing environments to be reused across playbooks, or playbooks to run different sets of plugins—but requires careful coordination to ensure they work together correctly. - * **Triggering Mechanisms:** Assessments can be initiated in several ways: - * **Manual:** Security Analysts can trigger specific playbooks on demand, often via CLI commands or custom scripts interacting with BeSman or potentially GitLab CI. - * **Scheduled:** Use standard scheduling tools like cron on the host or GitLab CI Schedules to run assessments periodically (e.g., daily SCA scans on critical projects, weekly DAST scans). - * **Event-Driven:** Integrate with GitLab CI/CD pipelines or use webhooks. For example, trigger a SAST and secrets scan automatically on every code commit to a specific branch, or run a full assessment suite when a Merge Request is created. - * **Playbook Invocation Flow:** When triggered, the process typically follows these steps : - 1. The trigger mechanism selects and starts the appropriate BeSPlaybook script. - 2. The playbook script uses BeSman commands to prepare or provision the required BeSEnvironment (e.g., pulling and starting a specific Docker container). - 3. The playbook then executes the sequence of defined BeSPlugins (security tools) within that environment, passing the target asset (e.g., code repository path, model file location) as input to each plugin. - 4. The playbook collects the results from each plugin. - -*Diagram Reference:* This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** (./docs/images/Diagram4AssessmentExecutionWorkflow.png). - -* **6.3 Generating and Storing Reports (OSARs)** - After the plugins within a playbook have run, the results need to be formalized into a standard report . 
- * **Aggregation & Formatting:** The BeSPlaybook script is responsible for aggregating the findings from the various BeSPlugins executed during the run. It should format these findings into a structured Open Source Assessment Report (OSAR). Adhering to the BeS Schema for the OSAR format is highly recommended for consistency and easier automated processing . - * **Storage:** The generated OSAR file (commonly in JSON or YAML format) is then committed back to the designated BeSAssessment Git repository . The commit message or metadata associated with the file should link the OSAR to the specific asset (OSSPoI/OSSMoI), the version assessed (e.g., Git commit hash, model version tag), the playbook used, and the timestamp of the assessment run. This creates an immutable, version-controlled audit trail of all assessment activities. -* **6.4 Visualizing Results with BeSLighthouse** - The BeSLighthouse dashboard serves as the primary interface for monitoring the lab's activities and results . Users interact with BeSLighthouse to: - * View the lists of currently tracked assets (OSSPoI and OSSMoI) as read from the asset repositories . - * Check the status and history of assessment runs for each asset. - * Visualize aggregated vulnerability data (OSSVoI) associated with the tracked assets . - * Access direct links to the detailed OSAR files stored in the BeSAssessment Git repository for deeper investigation. -* **6.5 Tracking Vulnerabilities (OSSVoI)** - A key function of the lab is to identify and track specific vulnerabilities (OSSVoI) within the monitored assets . - * **Identification & Extraction:** BeSPlugins (especially SCA, SAST, and DAST tools) identify potential vulnerabilities, often providing standard identifiers like CVE numbers. This information is captured by the playbook and included in the OSAR . Key details like the vulnerability ID (CVE), severity level, affected component/file, and location should be extracted and structured within the OSAR . 
- * **Storage:** Structured OSSVoI data is stored as part of the OSAR in the BeSAssessment repository, or potentially in a separate linked file or database if more complex tracking is implemented. - * **Visualization:** BeSLighthouse reads the OSSVoI data from the assessment results and presents aggregated views, such as counts of vulnerabilities by severity per project . - * **Triage & Remediation:** Security Analysts use the OSARs and the BeSLighthouse dashboard to review new findings, validate their authenticity, prioritize them based on severity and context, assign remediation tasks (e.g., creating tickets in an issue tracker), and track the progress of fixes. - -*Diagram Reference:* The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** (./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png). - -* **6.6 Engagement Options (Beyond Private Use)** - While this guide focuses on a private, internal BeSLab instance functioning as an internal OSAP , the Be-Secure ecosystem allows for potential future interactions: - * **Contribute Back:** Share identified vulnerabilities or patches securely with the upstream open source projects. - * **Data Sharing:** If appropriate agreements are in place, share anonymized vulnerability data (using the BeS Schema for interoperability ) with trusted partners, industry groups, or security communities . - * **Consume External Data:** Integrate external threat intelligence or vulnerability feeds to enrich the findings identified internally and provide broader context. - -**Part 4: Defaults and Governance** - -**7\. Getting Started Quickly: Default Configurations** - -* **7.1 Why Defaults Matter** - Establishing a set of default configurations for environments, playbooks, and plugins provides immediate value after the initial BeSLab setup . 
These defaults offer foundational security checks for common types of assets, allowing the team to start performing basic assessments quickly without needing extensive customization upfront. -* **7.2 Default Assessment Environments (BeSEnvironments)** - Define a baseline set of reusable runtime environments in the BeSEnvironment repository. These typically encapsulate the dependencies needed for common categories of security tools . Examples often use Dockerfiles for definition. - -| BeSEnvironment Name | Key Components Included | Purpose | -| :---- | :---- | :---- | -| python-base-env | Python 3.x, pip, common build tools, Git | Running Python-specific tools like Bandit, Semgrep (Python rules), Python SCA tools. | -| node-base-env | NodeJS (LTS), npm/yarn, Git | Running JavaScript/TypeScript SAST/Linters, SCA tools (npm audit, yarn audit). | -| generic-scanner-env | Base Linux OS, curl, jq, git, Trivy binary | Running generic scanners like Trivy (filesystem/repo scanning), Gitleaks, potentially simple script-based checks. | -| ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps | Dedicated environment for AI model security scanning tools (e.g., ModelScan, custom checks). | -| java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java-specific SAST/SCA tools. | - -\*\*Table 5: Example Default BeSEnvironments\*\* - -* **7.3 Default Assessment Workflows (BeSPlaybooks)** - Create standard assessment workflows (playbooks) in the BeSPlaybook repository by combining the default environments and plugins for common tasks . These serve as templates that can be used directly or adapted. - -| BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | -| :---- | :---- | :---- | :---- | :---- | -| sast-python-standard | python-base-env | Semgrep-Plugin, Bandit-Plugin | On Commit / Pull Request | Basic static analysis checks for Python projects. 
| -| sca-generic-standard | generic-scanner-env | Trivy-Plugin (FS mode) | Daily / Weekly | Scans project dependencies for known vulnerabilities (CVEs). | -| secrets-scan-standard | generic-scanner-env | Gitleaks-Plugin | On Commit / Pull Request | Detects potential hardcoded secrets committed to Git history. | -| ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Initial safety/security checks on newly added AI models. | -| dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline Scan) | Weekly / On Demand | Basic dynamic scan against a deployed web application URL (requires target URL). | - -\*\*Table 6: Example Default BeSPlaybooks\*\* - -* **7.4 Recap: Default Security Tools (BeSPlugins)** - The default playbooks listed above would typically utilize the core set of BeSPlugins recommended earlier (refer back to **Table 4: Example Default BeSPlugins**). Ensuring these foundational plugins (e.g., Semgrep, Trivy, Bandit, Gitleaks, an AI model scanner, potentially OWASP ZAP) are integrated and functional is key to making the default playbooks operational. - -**8\. Reporting and Governance for Your Lab** - -* **8.1 Standard Assessment Reports (OSAR Structure)** - Consistent and comprehensive reporting is vital for communicating assessment results effectively. Open Source Assessment Reports (OSARs) should be standardized, ideally aligning with the principles of the BeS Schema . A well-structured OSAR ensures that all necessary information is captured and presented clearly. - -| OSAR Section | Content Description | Purpose | -| :---- | :---- | :---- | -| **Metadata** | Unique Assessment ID, Timestamp, Asset ID/Name (OSSPoI/OSSMoI), Asset Version/Commit Assessed, Playbook Used, Environment Used, Triggering Event. | Uniquely identifies the assessment context and parameters. 
| -| **Executive Summary** | Brief description of the assessment scope, summary of key findings, overall assessed risk level (e.g., Critical/High/Medium/Low), critical recommendations. | Provides a high-level snapshot for quick review by management and triage teams. | -| **Asset Details** | Full Name/Identifier, Source URL/Location, Brief Description, Exact Version/Commit Hash Assessed, License Information. | Clearly identifies the specific artifact that was assessed. | -| **Scope & Methodology** | Description of the checks performed, list of tools (BeSPlugins) used and their versions, specific configurations applied, known limitations or exclusions. | Defines the boundaries and methods of the assessment for transparency and reproducibility. | -| **Findings Summary** | Aggregated counts of findings categorized by severity (e.g., Critical, High, Medium, Low, Informational). May include charts or graphs. | Gives a quantitative overview of the identified issues. | -| **Detailed Findings** | A list of individual findings. Each finding should include: Unique ID, Clear Description, Assigned Severity, Current Status (New, Confirmed, Mitigated, False Positive), Location (File path, line number, component name), Evidence (Code snippet, tool output), Remediation Guidance, Associated Identifiers (CVE, CWE \- forming the OSSVoI). | Provides actionable details required by analysts and developers for validation and remediation. | -| **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. May reference internal criteria like TAVOSS if applicable. | Documents the assessment outcome and the confidence level derived from the process. 
| - -\*\*Table 7: OSAR Sample Structure\*\* - -* **8.2 Defining Roles and Responsibilities (RACI Matrix)** - A RACI (Responsible, Accountable, Consulted, Informed) matrix helps clarify roles and responsibilities for various BeSLab activities, preventing confusion and ensuring tasks are owned. - -| Activity | CISO | Lab Admin | Security Analyst | Dev Lead / App Owner | Legal / Compliance | -| :---- | :---- | :---- | :---- | :---- | :---- | -| Lab Setup/Configuration | A | R | C | I | I | -| User Onboarding & Permissions | A | R | C | I | I | -| OSSPoI Onboarding (Decision) | A | C | R | C | I | -| OSSMoI Onboarding (Decision) | A | C | R | C | C | -| BeSPlugin Integration/Maintenance | A | R | C | I | I | -| Assessment Execution/Scheduling | I | C | R | I | I | -| OSAR Review & Vulnerability Triage | C | I | R | C | C | -| Vulnerability Remediation Tracking | A | I | R | C | I | -| Vulnerability Remediation Implementation | I | I | C | R | I | -| Lab Maintenance & Upgrades | A | R | C | I | I | -| Policy Definition (Scope, SLAs) | A | C | C | C | R | - -\*\*Table 8: RACI Matrix\*\* \*(R=Responsible, A=Accountable, C=Consulted, I=Informed)\* - -* **8.3 Key Governance Policies to Establish** - Implementing the BeSLab technology is only part of the solution. Establishing clear governance processes and policies is crucial to ensure the lab operates effectively and contributes meaningfully to risk reduction . Without governance, scan results might be inconsistent, ignored, or overwhelming. Key areas requiring formal policies include : - * **Onboarding Criteria:** Define clear rules for which types of OSS projects and AI models *must* be onboarded into the lab (e.g., based on criticality, external facing, handling sensitive data). - * **Assessment Frequency:** Establish minimum scanning schedules based on asset criticality and type of scan (e.g., critical web frameworks scanned daily with SCA, less critical libraries weekly; SAST on every commit). 
- * **Triage Process:** Document the workflow for how findings reported in OSARs are reviewed, validated (confirming they are true positives), prioritized (based on severity and context), and assigned for remediation. - * **Remediation SLAs:** Define expected timelines (Service Level Agreements) for fixing vulnerabilities based on their severity level (e.g., Critical vulnerabilities fixed within 7 days, High within 30 days). - * **Tool Validation & Updates:** Implement a process for regularly reviewing the effectiveness of integrated BeSPlugins, updating the underlying tools to their latest stable versions, and validating parser logic. - * **Reporting Cadence:** Define how and when assessment results and overall risk posture summaries are reported to different stakeholders (e.g., immediate alerts for critical findings, monthly summaries for management). - -**Part 5: Visual Aids and Conclusion** - -**9\. Visualizing the Setup** - -The following diagrams, referenced by their original file names in the source documentation, provide visual context for the BeSLab architecture and workflows. While the images themselves are not embedded here, understanding their purpose can aid comprehension: - -* **9.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. *(Reference Diagram 1: ./docs/images/Diagram1HighlevelEnterpriseDeployment.png)*. -* **9.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. *(Reference Diagram 2: ./docs/images/Diagram2BeSLabComponentsLayout.png)*. - -**10\. 
Conclusion and Next Steps** - -* **10.1 Summary of Benefits** - Establishing and operating an AI Security Lab using the BeSLab blueprint offers significant advantages for strengthening an organization's security posture regarding open source software and AI models : - * **Standardized Assurance:** Implements consistent, automated, and repeatable security assessment processes. - * **Visibility & Control:** Provides centralized tracking and visualization of monitored assets (OSSPoI/MoI) and their associated vulnerabilities (OSSVoI) through the BeSLighthouse dashboard . - * **Reduced Risk:** Enables the early identification and facilitates the timely remediation of vulnerabilities before they can be exploited. - * **Internal Trust:** Creates a mechanism (TAVOSS) for establishing and communicating internal trust levels for assessed components . - * **Extensibility:** Offers a modular architecture allowing the integration of new tools, techniques, and assessment types over time . -* **10.2 Immediate Actions After Setup** - Once the initial installation and configuration described in this guide are complete, focus on these next steps to make the lab operational : - 1. **Onboard Initial Assets:** Begin by onboarding a small set of high-priority or representative OSS projects (OSSPoI) and AI models (OSSMoI). - 2. **Configure & Test Defaults:** Ensure the default BeSEnvironments, BeSPlaybooks, and BeSPlugins (Tables 4, 5, 6\) are correctly configured and functioning as expected by running test assessments. - 3. **User Training:** Provide training to Security Analysts, relevant Developers, and other stakeholders on how to use the lab (submitting assets, running scans, interpreting reports, using BeSLighthouse). - 4. **Establish Governance:** Formalize the key governance policies (Section 8.3) and communicate the RACI matrix (Table 8\) to ensure clear processes and responsibilities. - 5. 
**Secure the Lab:** Implement security best practices for the BeSLab host OS, the GitLab instance (user management, network access), and ensure components are kept patched and updated. -* **10.3 Continuous Improvement Roadmap** - An effective AI Security Lab requires ongoing maintenance and evolution : - * **Expand Plugin Coverage:** Continuously identify and integrate new BeSPlugins to cover more languages, frameworks, vulnerability types, and AI-specific risks. - * **Refine Playbooks:** Optimize existing BeSPlaybooks and create new ones tailored to specific organizational needs, risk profiles, or compliance requirements. - * **Update Environments:** Regularly update the tools, libraries, and base images within BeSEnvironments to ensure accurate scanning and benefit from the latest tool features. - * **Integrate with DevSecOps:** Enhance automation by integrating BeSLab assessment triggers and feedback loops directly into developer CI/CD pipelines. - * **Monitor Effectiveness:** Regularly review the lab's performance, the quality of findings, the speed of remediation, and feedback from users to identify areas for improvement in tools, processes, and governance. - -By following this guide to establish the initial BeSLab instance and committing to its continuous improvement, organizations can build a powerful internal capability to manage the security risks associated with open source software and artificial intelligence. - -**11\. Works Cited** - -Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLab -Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. 
Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLighthouse -Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/ -Be-Secure/bes-schema: This repository defines the data... \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/bes-schema + + ## **1\. Introduction to the BeSLab AI Security Lab** + + ### **1.1 Purpose and Need** + + In the contemporary digital landscape, organizations increasingly rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models to drive innovation and operational efficiency. However, this reliance introduces significant security risks stemming from vulnerabilities within these third-party components and the unique attack surfaces presented by AI models themselves. Managing these risks requires a structured, proactive approach. Establishing a dedicated AI Security Lab provides the CISO's organization with the in-house capability to systematically assess, manage, and mitigate the security risks associated with OSS and AI artifacts used or considered by the enterprise. + + ### **1.2 The Be-Secure Philosophy and BeSLab Blueprint** + + The Be-Secure initiative aims to empower organizations and the broader community to fortify open source artifacts – including software projects, ML models, and training datasets – against potential vulnerabilities.1 The BeSLab blueprint emerges from this philosophy, offering a design for an open-source security lab. 
It is not a single software product but rather an architectural pattern and a collection of tools and processes designed to create a comprehensive security assessment environment.1 A key goal is to provide application security and security operations teams with complete control and transparency over the assessment process for these critical components.1 + + ### **1.3 Value Proposition for the CISO** + + Implementing a BeSLab instance offers tangible benefits for the CISO's organization: + + * **Standardized Assurance:** Establishes consistent, repeatable processes for security assessments of OSS projects and AI models. + * **Centralized Visibility:** Provides a single pane of glass (via BeSLighthouse) for tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and associated Vulnerabilities of Interest (OSSVoI).1 + * **Reduced Risk Exposure:** Proactively identifies and facilitates the mitigation of vulnerabilities in critical dependencies before they can be exploited. + * **Cost Efficiency:** Potentially reduces the overall cost of risk assessment compared to ad-hoc external engagements or manual reviews, especially as the number of tracked assets grows.1 + * **Internal Attestation:** Enables the generation of internal attestations or designations like Trusted and Verified Open Source Software (TAVOSS) for artifacts that pass the lab's scrutiny, providing a measure of internal assurance.1 + + ### **1.4 Scope of this Guide** + + This document provides a comprehensive user guide for setting up, configuring, and operating a *private* AI Security Lab based on the BeSLab blueprint within an enterprise environment. It specifically focuses on the 'Lite Mode' deployment, which integrates essential components onto a single host, and details the integration with GitLab Community Edition (CE) as the code collaboration platform. 
The guide covers the full lifecycle: architecture, prerequisites, installation, onboarding of users, projects, models, and tools, operational workflows for various security assessments, reporting (OSARs), governance (RACI), and configuration of default components. + + ## **2\. BeSLab Architecture and Components** + + ### **2.1 Blueprint Overview** + + Understanding the BeSLab architecture requires recognizing it as a *blueprint* – a template defining how various components interact to form a functional security lab.1 It leverages existing open-source tools and defines specific Be-Secure utilities and data structures to create a cohesive system for assessing and managing the security of open source artifacts. The architecture is designed for flexibility, allowing organizations to tailor the lab's capabilities to their specific needs. + + ### **2.2 Core Components** + + A typical private BeSLab instance, as described in this guide, comprises the following core components: + + * **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the backbone of the BeSLab instance. It hosts critical datastore repositories containing configurations, asset definitions (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and assessment results (OSARs).1 The choice of GitLab CE provides a robust, self-hosted platform with features supporting collaboration, version control, and potentially CI/CD integration for automating assessment workflows. + * This Git-centric design inherently supports a **GitOps workflow** for managing the lab itself. All configurations and operational state definitions reside in Git repositories. Changes to the lab's setup, tracked assets, assessment playbooks, or environments are managed through Git commits, providing version history, auditability, and the ability to roll back changes. This approach enhances manageability, reproducibility, and disaster recovery capabilities for the lab infrastructure. 
+ * **Datastore Repositories:** Specific Git repositories within the SCM platform are designated for storing different types of lab data. Common examples include: + * BeSEnvironment: Stores definitions and scripts for creating assessment environments. + * BeSPlaybook: Contains the scripts and configurations defining assessment workflows. + * BeSAssessment: Archives the generated Open Source Assessment Reports (OSARs) and associated metadata. + * Asset Stores (e.g., besecure-assets-store): Repositories holding lists and details of tracked OSSPoI, OSSMoI, etc..2 The specific structure and naming convention are important for tools like BeSLighthouse to locate and interpret the data correctly.2 + * **BeSLighthouse:** A web-based dashboard application that serves as the primary user interface for visualizing the lab's data.1 It reads information directly from the designated Git datastore repositories and presents visualizations of tracked assets (PoI, MoI), associated vulnerabilities (VoI), assessment status, and links to detailed reports.2 Its reliance on the Git backend reinforces the GitOps model, as the dashboard reflects the state defined in the repositories. + * **BLIman (BeSLab Lifecycle Management):** A command-line interface (CLI) utility specifically designed for deploying, configuring, and managing the lifecycle of a BeSLab instance.1 It utilizes a configuration file (genesis.yaml) to define the lab's parameters and provides commands like bli load (to load configuration), bli initmode (to set the deployment mode, e.g., 'lite'), and bli launchlab (to orchestrate the installation of components like GitLab CE and BeSLighthouse).1 + * Proficiency with CLI tools is essential for administrators managing the BeSLab instance. The reliance on BLIman for core management tasks means that automation efforts, operational runbooks, and troubleshooting will heavily involve executing and scripting these commands. 
+ * **BeSman (BeS Environment Manager):** Another CLI utility that works in conjunction with BLIman, specifically responsible for creating and managing BeSEnvironments.1 It is typically installed and initialized as part of the BLIman setup process and is used by playbooks or scripts to provision the necessary runtime environments for security tools.1 + * **BeSEnvironment:** Represents a customized computing setup, often containerized or defined by setup scripts, containing the specific tools, libraries, and dependencies required to execute a particular set of security assessments.1 These environments ensure that assessments run consistently and with the correct prerequisites. They are defined in the BeSEnvironment repository and managed by BeSman.1 + * **BeSPlaybook:** An automated workflow or script designed to orchestrate specific security assessment tasks.1 A playbook typically defines which BeSEnvironment to use and which BeSPlugins (security tools) to execute in sequence, along with any necessary configuration or data handling steps. Playbooks codify the assessment process for different types of assets or security checks (e.g., SAST for Python, AI model safety scan). + * **BeSPlugin:** Represents an integration wrapper for a specific security tool (e.g., SAST scanner, DAST scanner, SCA tool, secrets detector, AI model analyzer). Plugins are the "workhorses" of the lab, performing the actual security scans. They are invoked by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of the integrated BeSPlugins. The BeSLab framework is extensible, allowing new tools to be integrated as plugins over time. 
+ + ### **2.3 Key Concepts** + + Understanding the following concepts is crucial for operating the BeSLab effectively: + + * **OSSPoI / OSSMoI / OSSVoI:** + * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects that the organization uses or depends on, which are onboarded into the lab for continuous security assessment and monitoring. + * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by the organization, onboarded for security and safety assessments. + * **OSSVoI (Open Source Vulnerabilities of Interest):** Represents the specific vulnerabilities (often identified by CVE numbers or other identifiers) discovered in the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities.1 + * **OSAR (Open Source Assessment Report):** The standardized output report generated after a BeSPlaybook completes an assessment run on an OSSPoI or OSSMoI.1 It details the scope, methodology, findings (including OSSVoI), risk posture, and potentially remediation guidance. OSARs should ideally conform to the BeS Schema for consistency.4 + * **TAVOSS (Trusted and Verified Open Source Software):** A designation indicating that an OSS project or AI model has undergone a defined assessment process within the BeSLab instance and meets certain security criteria established by the organization.1 Achieving TAVOSS status is an *outcome* of the lab's assurance activities, signifying a higher level of confidence in the artifact's security posture based on the internal assessment process.3 The lab might facilitate the distribution or identification of these TAVOSS-designated versions internally.1 + * **OSAP (Open Source Assurance Provider):** Each BeSLab instance, whether private or public, functions as an OSAP.1 In the context of this guide (a private lab), the CISO's organization acts as its own internal OSAP, providing assurance services for the assets it chooses to monitor. 
+ * **BeS Schema / Exchange Schema:** A standardized data format defined by the Be-Secure initiative to facilitate the exchange of information about assets, vulnerabilities, and assessments between different components of the BeSLab ecosystem and potentially between different BeSLab instances.1 Adherence to this schema promotes interoperability, enables consistent data processing and visualization (e.g., by BeSLighthouse), simplifies the development of tools that consume lab data, and ensures that generated reports (OSARs) have a uniform structure.4 This focus on standardization future-proofs the lab's data, even in a private deployment. + + ## **3\. Prerequisites for Deployment** + + Before initiating the BeSLab installation, ensure the target environment meets the following prerequisites. Careful preparation prevents common setup issues. + + ### **3.1 Hardware** + + A dedicated host machine (Virtual Machine recommended for flexibility) is required to run the core BeSLab components. + + * **Minimum:** 4 vCPU, 8 GB RAM, 16 GB Disk Space.1 *Note: This is the absolute minimum and may result in slow performance, especially for GitLab.* + * **Recommended for Enterprise Use:** 8+ vCPU, 16+ GB RAM, 100+ GB Disk Space (SSD recommended). Sufficient disk space is crucial for storing GitLab data (repositories, container registry, etc.) and potentially large assessment artifacts or logs. + + ### **3.2 Software** + + The host machine must have the following software installed and configured: + + * **Operating System:** Ubuntu Linux (LTS version recommended, as per documentation examples 1). Other Linux distributions might work but may require adjustments. + * **Essential Utilities:** curl, unzip, bash, git, sudo access for the installing user.1 + * **Container Runtime:** Docker Engine or a compatible container runtime is required, as BLIman typically deploys GitLab CE and BeSLighthouse as containers. + * **NodeJS:** Required for BeSLighthouse. 
Version 16.0 or higher is specified.2 Install via package manager or NVM (Node Version Manager). + * **Python & pip:** May be required for specific BeSPlugins, BeSEnvironments, or alternative installation methods.1 Install Python 3 and pip. + + ### **3.3 Network** + + Configure the network environment appropriately: + + * **IP Address/DNS:** The BeSLab host requires a static IP address or a resolvable DNS hostname within the enterprise network. This address will be used to access GitLab and BeSLighthouse UIs. + * **Internet Access:** The host needs outbound internet access to download BeSLab components (BLIman, Docker images for GitLab, BeSLighthouse, plugins), clone open-source repositories, and fetch vulnerability database updates. + * **Firewall Rules:** Ensure necessary ports are open: + * SSH (typically TCP/22) for administrative access. + * HTTP (TCP/80) and/or HTTPS (TCP/443) for accessing the GitLab web UI and API. + * BeSLighthouse Port (e.g., TCP/3000 default, or TCP/80 if configured 2) for accessing the dashboard UI. + * Potentially other ports if specific plugins or services require them. + * **Internal Connectivity:** Users (Analysts, Developers) need network access to the GitLab and BeSLighthouse UIs. Systems submitting assets might need API access to GitLab. + + ### **3.4 GitLab CE** + + This guide assumes GitLab CE will be installed *by* the BLIman launchlab process. If an existing GitLab instance is intended for use, significant manual configuration beyond the scope of this standard installation guide would be required to integrate BeSLab components and repositories correctly. 
+ + ### **3.5 User Accounts** + + * **Host OS:** An operating system user account with sudo privileges is required to perform the installation steps.1 + * **GitLab:** Initial administrative credentials for GitLab will be set during installation (via genesis.yaml) and must be changed immediately upon first login.1 + + ### **3.6 Prerequisites Summary Table** + + The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. + + | Category | Requirement | Details / Recommendations | Reference | + | :---- | :---- | :---- | :---- | + | **Hardware** | CPU | Min: 4 vCPU, Recommended: 8+ vCPU | 1 | + | | RAM | Min: 8 GB, Recommended: 16+ GB | 1 | + | | Disk Space | Min: 16 GB, Recommended: 100+ GB (SSD) | 1 | + | **Software** | Operating System | Ubuntu LTS Recommended | 1 | + | | Utilities | curl, unzip, bash, git, sudo access | 1 | + | | Container Runtime | Docker Engine or compatible | Implied | + | | NodeJS | v16.0+ | 2 | + | | Python | Python 3, pip (Optional, depending on tools/methods) | 1 | + | **Network** | Host Addressing | Static IP or resolvable DNS hostname | Required | + | | Internet Access | Outbound access for downloads/updates | Required | + | | Firewall Ports | SSH (22), HTTP/S (80/443 for GitLab), BeSLighthouse Port (e.g., 3000 or 80), potentially others | Required | + | | Internal Access | User access to GitLab/BeSLighthouse UIs | Required | + | **Accounts** | Host OS User | User with sudo privileges | 1 | + | | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | 1 | + + **Table 1: Prerequisites Summary** + + ## **4\. BeSLab Installation Guide (Private Lite Mode via BLIman)** + + ### **4.1 Overview** + + This section provides step-by-step instructions for installing a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool.1 Lite Mode typically installs all core components, including GitLab CE and BeSLighthouse, onto the single prepared host machine. 
The installation is driven by the genesis.yaml configuration file. + + ### **4.2 Step 1: Prepare the Host** + + Ensure the designated host machine meets all prerequisites outlined in Section 3\. Log in to the host machine using a user account with sudo privileges.1 + + ### **4.3 Step 2: Install BLIman** + + BLIman is the primary tool for managing the BeSLab lifecycle.1 Install it using the following commands (referencing the official Be-Secure/BLIman repository for the latest instructions, as indicated in 1): + + Bash + + \# Example installation commands (Verify against official BLIman README) + \# Download the installer script (URL might change) + curl \-sSL \ \-o install-bliman.sh + + \# Run the installer script + sudo bash install-bliman.sh + + \# Clean up installer script + rm install-bliman.sh + + \# Verify installation by checking the help command + bli help + + Successful execution of bli help should display the available BLIman commands. + + ### **4.4 Step 3: Configure genesis.yaml** + + The genesis.yaml file defines all configuration parameters for the BeSLab instance.1 Create this file in your current working directory (e.g., /home/user/beslab\_setup/genesis.yaml). + + Below is a sample structure for a private Lite Mode deployment. **Customize the values** (especially URLs, IPs, ports, and initial credentials) according to your environment. 
+ + YAML + + \# Sample genesis.yaml for Private Lite Mode + \# \--- Global Configuration \--- + beslab\_mode: "lite" \# Specifies Lite Mode deployment + deployment\_type: "private" \# Specifies a private instance + + \# \--- GitLab Configuration \--- + gitlab: + host\_url: "http://\" \# \*\*REQUIRED\*\*: URL users will use + initial\_root\_password: "\" \# \*\*REQUIRED\*\*: Set a strong temporary password + \# Optional: Specify ports if not default 80/443/22 + \# http\_port: 80 + \# https\_port: 443 + \# ssh\_port: 22 + \# Optional: Specify data volume path + \# data\_volume: "/srv/gitlab/data" + + \# \--- BeSLighthouse Configuration \--- + beslighthouse: + host\_ip: "0.0.0.0" \# Listen on all interfaces within the container + host\_port: "3000" \# \*\*REQUIRED\*\*: Port BeSLighthouse will listen on (e.g., 3000\) + \# Optional: Specify data volume path + \# config\_volume: "/srv/beslighthouse/config" + + \# \--- Other Optional Configurations (Add as needed based on BLIman documentation) \--- + \# Example: Default user settings, registry settings, etc. + + **Critical Security Note:** Set a strong, unique initial\_root\_password for GitLab. This password **must** be changed immediately after the first login to the GitLab UI. Do not use default or easily guessable passwords. Store this genesis.yaml file securely, as it contains sensitive initial configuration details. + + ### **4.5 Step 4: Load Configuration** + + Use BLIman to parse and load the configuration from your genesis.yaml file 1: + + Bash + + \# Ensure you are in the directory containing genesis.yaml or provide the full path + bli load genesis.yaml + + BLIman will validate the file structure and load the parameters. Address any errors reported. 
+ + ### **4.6 Step 5: Initialize Mode** + + Initialize BLIman for the specified deployment mode ('lite' in this case) 1: + + Bash + + bli initmode lite + + This command prepares BLIman and potentially sets up necessary base configurations for the Lite Mode deployment. + + ### **4.7 Step 6: Initialize BeSman** + + Initialize the BeS Environment Manager (BeSman), which is typically installed by bli initmode 1: + + Bash + + source $HOME/.besman/bin/besman-init.sh + + This command loads BeSman functions into your current shell environment. Verify the initialization: + + Bash + + bes help + + Successful execution should display the available BeSman commands.1 + + ### **4.8 Step 7: Launch the Lab** + + Initiate the BeSLab deployment process 1: + + Bash + + bli launchlab + + This command triggers the core installation process. BLIman will: + + * Download necessary Docker images (GitLab CE, BeSLighthouse, etc.). + * Configure and start the containers based on genesis.yaml settings. + * Set up networking and volumes. + * Potentially perform initial seeding of required GitLab structures (groups/projects). + + This step can take a considerable amount of time depending on network speed and host performance. Monitor the console output closely for any errors or prompts. + + ### **4.9 Step 8: Initial Verification** + + Once bli launchlab completes successfully, perform these verification steps 1: + + 1. **Access GitLab UI:** Open a web browser and navigate to the gitlab.host\_url specified in genesis.yaml. + 2. **Login to GitLab:** Log in using the username root and the initial\_root\_password set in genesis.yaml. + 3. **Change GitLab Password:** GitLab will immediately prompt you to change the default root password. Set a new, strong, unique password and store it securely. **This is a critical security step.** + 4. **Access BeSLighthouse UI:** Open another browser tab and navigate to http://\:\ (e.g., http://192.168.1.100:3000). + 5. 
**Verify BeSLighthouse Load:** The BeSLighthouse dashboard should load. Initially, lists like "Projects Of Interest" will likely be empty, which is expected.1 + 6. **(Optional) Check Container Status:** On the BeSLab host, use docker ps (or the equivalent for your container runtime) to verify that the GitLab and BeSLighthouse containers (and any supporting containers) are running. + + Successful completion of these steps indicates that the core BeSLab infrastructure is installed and operational. + + ## **5\. GitLab CE Integration and Repository Setup** + + ### **5.1 Post-Installation GitLab Configuration** + + After the initial setup and password change, consider these basic GitLab configurations relevant to BeSLab operation: + + * **User Registration:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is highly recommended to *disable* new sign-ups (Sign-up enabled checkbox unchecked) and potentially enable Require admin approval for new sign-ups if self-registration is needed later. This ensures only authorized personnel can access the lab's SCM. + * **Group/Project Creation:** Navigate to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review permissions related to who can create top-level groups and projects. Initially, restricting this to Administrators might be prudent. + * **Runner Configuration (Optional \- Future Use):** If planning to use GitLab CI/CD pipelines to automate BeSPlaybook execution later, configure GitLab Runners (either shared or specific) that can execute jobs, potentially interacting with Docker or the BeSLab host environment. This is an advanced step not covered in the basic setup. + + ### **5.2 Initializing Be-Secure Repositories** + + The BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations.1 While bli launchlab might perform some initial setup, manual creation or verification of the core repositories might be necessary. + + 1. 
**Login to GitLab:** Log in as the root user or another administrative user. + 2. **Create a Top-Level Group:** Create a new group to house all BeSLab-related repositories (e.g., besecure-lab). This helps organize the instance. + 3. **Create Core Repositories:** Within the besecure-lab group, create the following projects (Git repositories): + * BeSEnvironment: Stores definitions for assessment environments. + * BeSPlaybook: Stores assessment playbook scripts. + * BeSAssessment: Stores OSAR output files and assessment metadata. + * besecure-assets-store (or similar name based on datastore.ts defaults): Stores lists/definitions of OSSPoI, OSSMoI, etc..2 + * Potentially others as required by specific configurations or future extensions. Initialize these repositories with a README file. The exact structure and initial content might need refinement based on specific playbook and plugin requirements. + + ### **5.3 Configuring BeSLighthouse Connection** + + BeSLighthouse needs to know where to find the data repositories within your private GitLab instance.2 + + 1. **Locate datastore.ts:** Access the BeSLab host machine via SSH. Locate the BeSLighthouse installation directory. The exact path depends on how BLIman deployed it, but it might be within a Docker volume mount or a standard location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, find the configuration file, typically src/config/datastore.ts or similar. + 2. **Edit datastore.ts:** Open the file with a text editor (e.g., nano, vim). You will find variables defining the URLs for the datastore repositories. 
Update these URLs to point to the repositories created in your private GitLab instance within the besecure-lab group.2 + * Example (modify paths and URLs): + TypeScript + // Before modification (pointing to public GitHub) + // export const PoI\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assets-store.git"; + // export const Assessment\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assessment-datastore.git"; + + // After modification (pointing to internal GitLab) + export const PoI\_Repo\_URL \= "http://\/besecure-lab/besecure-assets-store.git"; + export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; + // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly + + 3. **Restart BeSLighthouse:** For the changes to take effect, restart the BeSLighthouse service or container. If running via Docker: + Bash + \# Find the BeSLighthouse container ID or name + sudo docker ps + + \# Restart the container + sudo docker restart \ + + 4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. While still empty, check browser developer tools (network tab) or container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated. + + This configuration establishes the crucial link between the visualization front-end (BeSLighthouse) and the Git-based data back-end, reinforcing the GitOps foundation and the importance of the standardized repository structure for the lab's operation. + + ## **6\. Onboarding Guide** + + With the core BeSLab infrastructure in place, the next step is to onboard users, assets (projects and models), and the tools (plugins) required for assessment. + + ### **6.1 User Onboarding** + + Define roles and assign appropriate permissions within GitLab to control access to lab resources. 
+ + * **Typical Roles:** + * **Lab Administrator:** Responsible for installing, configuring, maintaining, and upgrading the BeSLab instance; managing users; integrating core plugins/environments/playbooks. Needs high-level access. + * **Security Analyst:** Responsible for onboarding assets (OSSPoI/OSSMoI), triggering assessments, reviewing OSARs, triaging vulnerabilities (OSSVoI), and potentially customizing playbooks or integrating specific plugins. + * **Developer / Asset Owner:** Submits projects/models for assessment, consumes OSARs for their assets, responsible for remediation based on findings. Needs access primarily to their specific project results. + * **CISO / Management:** Oversight role, views dashboards (BeSLighthouse) and summary reports to understand organizational risk posture related to OSS/AI. Typically read-only access. + * **GitLab Permission Mapping (Example):** + * Lab Administrator: Owner role on the top-level besecure-lab group. + * Security Analyst: Maintainer role on the besecure-lab group (allowing repository management, potentially pipeline triggering). + * Developer / Asset Owner: Developer or Reporter role on specific BeSAssessment sub-projects or asset tracking repositories relevant to them. Access might be granted per project/asset. + * CISO / Management: Guest or Reporter role on the besecure-lab group for read-only access to repositories and potentially BeSLighthouse data sources. + * **Onboarding Process:** + 1. Lab Administrator logs into GitLab. + 2. Navigates to Admin Area \-\> Overview \-\> Users. + 3. Creates new user accounts or invites existing users. + 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. + 5. Invites users to the group, assigning the appropriate role based on the mapping above. Adjust permissions on specific sub-projects as needed for finer-grained control. 
+ + ### **6.2 Project Onboarding (OSSPoI)** + + Onboarding Open Source Projects of Interest (OSSPoI) involves adding them to the lab's tracking system, typically managed within a Git repository. + + * **Definition:** OSSPoI are specific open-source software projects critical to the organization's operations or products, requiring security assessment. + * **Process:** + 1. Identify the target OSSPoI (e.g., a library used in a critical application). + 2. Locate the designated asset tracking repository in GitLab (e.g., besecure-assets-store). + 3. Clone the repository locally. + 4. Edit the relevant file (e.g., osspoi\_list.yaml, projects.json \- the exact format depends on BeSLab configuration) to add the new project. Include required metadata: + * Project Name (e.g., Apache Log4j Core) + * Source Repository URL (e.g., https://github.com/apache/logging-log4j2.git) + * Version(s) of interest (e.g., 2.17.1, main branch) + * Potentially, a flag indicating if it's designated for TAVOSS assessment. + 5. Commit the changes with a descriptive message. + 6. Push the changes back to the GitLab repository. + 7. (Optional) A GitLab CI pipeline or a webhook could trigger automated validation or initial processing upon commit. + * **TAVOSS Designation:** Marking an OSSPoI for TAVOSS implies it will undergo rigorous assessment according to defined playbooks, aiming to achieve the 'Trusted and Verified' status within the organization's context.1 This designation might be a flag in the asset list file or managed through group/project structure. + * **Example OSSPoI Candidates:** Identifying initial candidates helps jumpstart the lab's value. Consider projects based on criticality, usage prevalence, and known risk profiles. 
+ + | OSSPoI Candidate | Rationale | Potential Assessment Focus | + | :---- | :---- | :---- | + | Apache Log4j 2 | Critical logging library; past high-severity vulnerabilities | SCA (Dependencies), SAST (Java) | + | Apache Struts2 | Web framework; history of critical RCE vulnerabilities | SCA, SAST (Java), DAST | + | Spring Boot / Framework | Widely used Java application framework | SCA, SAST (Java), Secrets Scan | + | TensorFlow | Foundational ML framework | SCA (Python deps), SAST (Python) | + | PyTorch | Foundational ML framework | SCA (Python deps), SAST (Python) | + | Node.js Express | Common web framework for Node.js applications | SCA (npm), SAST (JavaScript/TS) | + | Internal Library X | Critical shared component developed internally | SAST, SCA, Secrets Scan | + + **Table 2: Example OSSPoI Candidates** + + ### **6.3 Model Onboarding (OSSMoI)** + + Similar to projects, Open Source Models of Interest (OSSMoI) are onboarded for tracking and assessment. + + * **Definition:** OSSMoI are specific open-source AI/ML models used, fine-tuned, or considered for use within the organization. + * **Process:** Follows the same Git-based workflow as OSSPoI, updating a designated list (e.g., ossmoi\_list.yaml within besecure-assets-store). Required metadata typically includes: + * Model Name (e.g., BERT Large Uncased) + * Source URL (e.g., Hugging Face Hub URL, GitHub repo) + * Version/Identifier (e.g., commit hash, tag, specific file checkpoint) + * Base Model (if fine-tuned) + * License Information + * **Example OSSMoI Candidates:** Focus on models relevant to the organization's AI initiatives. 
+ + | OSSMoI Candidate | Rationale | Potential Assessment Focus | + | :---- | :---- | :---- | + | BERT (e.g., base-uncased) | Popular foundational NLP model | Model Scanning (operator safety, serialization), Provenance | + | Stable Diffusion (e.g., v1.5) | Widely used image generation model | Model Scanning, License Compliance, Potential Bias Checks | + | Llama (e.g., Llama-2-7b-hf) | Common open Large Language Model (LLM) | Model Scanning, Safety Alignment Checks, License Compliance | + | GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance | + | Internally Fine-tuned Model Y | Model derived from OSSMoI, used internally | Model Scanning (inheritance), Fine-tuning Data Privacy | + + **Table 3: Example OSSMoI Candidates** + + ### **6.4 Tool Onboarding (BeSPlugins)** + + Integrating security tools via BeSPlugins is fundamental to the lab's assessment capabilities. + + * **Definition:** A BeSPlugin is the integration layer that allows a BeSPlaybook to invoke a specific security tool and process its results within the BeSLab framework. + * **Integration Process:** + 1. **Identify Tool:** Select the security tool to integrate (e.g., Semgrep for SAST). + 2. **Check Existing Plugins:** Consult the official Be-Secure/BeSLab-Plugins repository (as mentioned in the query) for pre-built plugins. + 3. **Develop/Configure Plugin:** If no existing plugin is suitable, one needs to be developed or configured. This typically involves: + * Creating a script or configuration file defining how to execute the tool (command-line arguments, input/output handling). + * Defining how to parse the tool's output into a standardized format (ideally aligning with BeS Schema elements for findings). + * Specifying dependencies required by the tool, which should be included in a relevant BeSEnvironment. + * Packaging the plugin according to BeSLab conventions (e.g., a directory structure within the BeSPlaybook or a dedicated plugin repository). + 4. 
**Define BeSEnvironment:** Ensure a BeSEnvironment exists (or create one) that contains the tool itself and all its runtime dependencies (e.g., specific Python version, libraries, OS packages). This might involve creating a Dockerfile managed within the BeSEnvironment repository. + 5. **Reference in BeSPlaybook:** Update or create a BeSPlaybook to invoke the new plugin at the appropriate stage of the assessment workflow. + * **Extensibility:** This plugin architecture is key to the lab's flexibility. As new security tools emerge or organizational needs change, new plugins can be added to enhance assessment coverage without altering the core BeSLab framework. The lab's value grows directly with the number and quality of its integrated plugins. + * **Example Default BeSPlugins:** Start with a core set of plugins covering common security assessment types. + + | BeSPlugin Example | Tool Integrated (Example) | Security Assessment Type | Purpose | + | :---- | :---- | :---- | :---- | + | Semgrep-Plugin | Semgrep | SAST | Static code analysis for various languages using pattern matching. | + | Trivy-Plugin | Trivy | SCA, Container Scanning | Detects vulnerabilities in OS packages and language dependencies. | + | Bandit-Plugin | Bandit | SAST (Python) | Finds common security issues in Python code. | + | Gitleaks-Plugin | Gitleaks | Secret Scanning | Detects hardcoded secrets (API keys, passwords) in Git history. | + | OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application security vulnerabilities. | + | ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | + + **Table 4: Example Default BeSPlugins** + + ## **7\. AI Security Lab Operational Workflows** + + Once the lab is set up and initial assets/tools are onboarded, day-to-day operations involve standardized workflows for assessment and vulnerability management. 
+ + ### **7.1 Asset Submission** + + The process for submitting new OSS projects or AI models for assessment needs to be defined. Options include: + + * **Manual Git Update:** As described in sections 6.2 and 6.3, authorized users (Developers, Analysts) clone the asset repository, update the list, and push the changes. This is the simplest method aligned with the GitOps approach. + * **GitLab Merge Request (MR):** A more controlled process where developers submit MRs to the asset repository. Security Analysts review and approve the MR to formally onboard the asset. + * **API Integration (Advanced):** Develop an internal tool or script that interacts with the GitLab API to add assets to the tracking list, potentially triggered from other internal systems (e.g., CI/CD pipeline, internal software catalog). + + ### **7.2 Assessment Execution** + + Assessments are performed by executing BeSPlaybooks against target assets. + + * **Triggering Mechanisms:** + * **Manual:** Security Analysts trigger playbooks via CLI commands (interacting with BeSman/BLIman or custom scripts) or potentially through a custom UI element (if developed). + * **Scheduled:** Configure cron jobs on the BeSLab host or use GitLab's CI/CD schedules to run specific playbooks periodically (e.g., daily SCA scans). + * **Event-Driven (Git Hooks/CI):** Configure GitLab CI/CD pipelines or webhooks on the asset repositories (or the main code repositories) to automatically trigger relevant playbooks upon events like new commits, merge requests, or new version tags. + * **Playbook Invocation:** The trigger mechanism selects and executes the appropriate BeSPlaybook based on the asset type (OSSPoI vs. OSSMoI), language/framework, and the desired assessment type (e.g., sast-python-standard, ai-model-onboarding-safety). + * **Environment and Plugin Use:** The selected playbook orchestrates the assessment 1: + 1. 
It typically invokes BeSman to prepare or launch the required BeSEnvironment (e.g., pulling/starting a specific Docker container). + 2. Within that environment, it executes one or more BeSPlugins in sequence. + 3. Each plugin runs its corresponding security tool against the target asset (code checkout, model file). + 4. Plugins collect and parse the results from the tools. + * **Modularity in Action:** This workflow highlights the modularity and extensibility of BeSLab. The effectiveness of an assessment hinges on the combination of the chosen Playbook, the completeness of the Environment, and the capabilities of the invoked Plugins. New assessment types can be added by creating new combinations of these components. + + ### **7.3 OSAR Generation and Storage** + + Assessment results are formalized into standardized reports. + + * **Aggregation:** The BeSPlaybook (or a dedicated reporting script called by it) aggregates the findings from all executed plugins. + * **Formatting:** Results are formatted into an OSAR (Open Source Assessment Report), ideally conforming to the BeS Schema structure 4 (see Section 9.1 for details). This ensures consistency. + * **Storage:** The generated OSAR file (e.g., in JSON, YAML, or Markdown format) is typically committed to the BeSAssessment Git repository.1 The commit message or file naming convention should link the OSAR to the specific asset (OSSPoI/OSSMoI), its version/commit hash, and the assessment run timestamp or ID. This provides an auditable history of assessments. + + ### **7.4 BeSLighthouse Visualization** + + BeSLighthouse serves as the central dashboard for monitoring lab activities and results.1 Users access it via a web browser to: + + * View lists of currently tracked OSSPoI and OSSMoI. + * Check the status of ongoing or completed assessments. + * Review historical assessment results for specific assets. + * Visualize aggregated vulnerability data (OSSVoI), potentially filtered by severity, asset, or time. 
+ * Access direct links to the detailed OSAR files stored in the BeSAssessment repository for deeper investigation. + + ### **7.5 Vulnerability Tracking (OSSVoI/CVEs)** + + A core function of the lab is tracking identified vulnerabilities. + + * **Identification:** BeSPlugins performing SCA, SAST, DAST, etc., identify potential vulnerabilities. These findings, including CVE identifiers where available, are captured in the OSAR. + * **Extraction & Storage:** A process (within the playbook or a post-processing step) extracts key vulnerability information (CVE ID, CWE ID, severity, affected component/version, description, location) from the OSAR. This structured data (OSSVoI) is stored, potentially: + * Directly within the OSAR file in a structured format (e.g., a findings array). + * In a separate dedicated vulnerability database or file within the BeSAssessment or another repository, linked back to the OSAR and the affected asset. + * **Visualization:** BeSLighthouse queries this structured OSSVoI data to provide aggregated views, trends, and lists of outstanding vulnerabilities across all tracked assets.2 + * **Triage & Remediation:** Security Analysts use the OSARs and BeSLighthouse data to triage new findings, prioritize remediation efforts based on severity and context, assign findings to relevant development teams, and track the status of remediation actions. + + ### **7.6 OASP Engagement Options** + + While this guide focuses on a private, internal lab (acting as a private OSAP 1), there are potential future options for engaging with the wider ecosystem, subject to organizational policy: + + * **Contribute Back:** Share identified vulnerabilities and suggested patches back to the upstream open source projects. + * **Data Sharing:** Anonymize and share vulnerability trend data (using the BeS Exchange Schema 1) with trusted partners, industry groups (ISACs), or Be-Secure community initiatives to contribute to collective security intelligence. 
+ * **Consume External Data:** Integrate external vulnerability feeds (e.g., NVD, vendor advisories, other OSAP reports) to correlate with internal findings and enrich the OSSVoI data. + + ## **8\. Configuring Default Lab Components** + + To ensure the BeSLab instance provides immediate value upon setup, it's essential to configure a baseline set of Environments, Playbooks, and Plugins. These defaults provide core assessment capabilities that can be expanded later. + + ### **8.1 Purpose of Defaults** + + Defining default components establishes a foundational set of security checks applicable to common languages, frameworks, and asset types within the organization. This allows the lab to start performing basic assessments quickly after installation and onboarding the first assets. + + ### **8.2 Default BeSEnvironments** + + These environments provide the necessary runtime context for common security tools. They are typically defined as Dockerfiles or setup scripts within the BeSEnvironment repository. + + | BeSEnvironment Name | Key Components Included | Purpose | + | :---- | :---- | :---- | + | python-base-env | Python 3.x, pip, common build tools, Git | Running Python-specific SAST (Bandit, Semgrep) & SCA tools. | + | node-base-env | NodeJS (LTS), npm/yarn, Git | Running JavaScript/TypeScript SAST/Linters, SCA (npm audit/yarn audit). | + | generic-scanner-env | Base Linux (e.g., Alpine/Debian), curl, jq, git, Trivy | Running generic scanners like Trivy (FS), Gitleaks, or simple scripts. | + | ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps, Git | Dedicated environment for AI model security/safety scanning tools. | + | java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java SAST/SCA tools. | + + **Table 5: Example Default BeSEnvironments** + + ### **8.3 Default BeSPlaybooks** + + These playbooks combine environments and plugins to perform standard assessment workflows. 
They reside in the BeSPlaybook repository. + + | BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | + | :---- | :---- | :---- | :---- | :---- | + | sast-python-standard | python-base-env | Semgrep-Plugin, Bandit-Plugin | On Commit / Pull Request | Basic static analysis security checks for Python projects. | + | sca-generic-standard | generic-scanner-env | Trivy-Plugin (FS mode) | Daily / Weekly | Scans project dependencies for known vulnerabilities (CVEs). | + | secrets-scan-standard | generic-scanner-env | Gitleaks-Plugin | On Commit / Pull Request | Detects potential secrets accidentally committed to Git history. | + | ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Performs initial safety/security checks on newly added AI models. | + | dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline) | Weekly / On Demand | Performs a basic dynamic scan against a deployed web application URL. | + + **Table 6: Example Default BeSPlaybooks** + + ### **8.4 Default BeSPlugins** + + The recommended initial set of plugins provides coverage across essential security domains. Refer back to **Table 4: Example Default BeSPlugins** (Section 6.4) for the list, including tools like Semgrep, Trivy, Bandit, Gitleaks, OWASP ZAP, and an AI Model Scanner. Integrating these plugins provides the foundational scanning capabilities orchestrated by the default playbooks. + + ## **9\. Reporting and Governance** + + Effective operation of the AI Security Lab requires standardized reporting and clear governance structures. + + ### **9.1 Sample OSAR Structure** + + Consistent reporting is vital for tracking findings, comparing assessments over time, and communicating risk effectively. 
The Open Source Assessment Report (OSAR) should be structured logically, ideally aligning with the principles of the BeS Schema.4 + + | OSAR Section | Content Description | Purpose | + | :---- | :---- | :---- | + | **Metadata** | Assessment ID, Timestamp, Asset ID (OSSPoI/OSSMoI Name), Asset Version/Commit, BeSPlaybook Used, BeSEnvironment Used, Triggering Event (if applicable). | Uniquely identifies the assessment and its context. | + | **Executive Summary** | Brief overview of the assessment scope, key findings, overall risk level (e.g., Critical, High, Medium, Low), and critical recommendations. | Provides a high-level snapshot for management and quick triage. | + | **Asset Details** | Full Name, Source URL, Description, Exact Version/Commit Hash Assessed, License Information (if applicable). | Clearly identifies the specific artifact that was assessed. | + | **Assessment Scope & Methodology** | Description of the checks performed, list of tools (BeSPlugins) executed, specific configurations used (e.g., scan depth, rule sets), any limitations or exclusions. | Defines the boundaries and methods of the assessment for accurate interpretation of results. | + | **Findings Summary** | Aggregated counts of findings categorized by severity (e.g., Critical, High, Medium, Low, Informational). May include charts or tables. | Provides a quantitative overview of the identified issues. | + | **Detailed Findings** | A list of individual findings. Each finding includes: Finding ID, Description, Severity, Status (New, Triaged, Mitigated, False Positive), Location (File, Line, Model Layer, Dependency Name), Evidence/Code Snippet, Remediation Guidance, Associated Identifiers (CVE, CWE \- constituting OSSVoI). | Provides actionable details for each identified vulnerability or issue for analysts and developers. | + | **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. 
May reference TAVOSS criteria if applicable. | Formally documents the outcome and confidence level derived from the assessment process. | + + **Table 7: OSAR Sample Structure** + + ### **9.2 RACI Matrix** + + A RACI (Responsible, Accountable, Consulted, Informed) matrix clarifies roles and responsibilities for key lab activities, ensuring smooth operation and accountability. + + | Activity | CISO | Lab Administrator | Security Analyst | Developer Lead / App Owner | Legal / Compliance | + | :---- | :---- | :---- | :---- | :---- | :---- | + | Lab Setup/Config | A | R | C | I | I | + | User Onboarding | A | R | C | I | I | + | OSSPoI Onboarding | A | C | R | C | I | + | OSSMoI Onboarding | A | C | R | C | C | + | BeSPlugin Integration | A | R | C | I | I | + | Assessment Execution/Scheduling | I | C | R | I | I | + | OSAR Review/Triage | C | I | R | C | C | + | Vulnerability Remediation Tracking | A | I | R | C | I | + | Vulnerability Remediation Implementation | I | I | C | R | I | + | Lab Maintenance/Upgrades | A | R | C | I | I | + | Policy Definition (Scope, SLA) | A | C | C | C | R | + + **Table 8: RACI Matrix** *(R=Responsible, A=Accountable, C=Consulted, I=Informed)* + + ### **9.3 Governance Considerations** + + Beyond the RACI matrix, establish clear policies and procedures: + + * **Asset Onboarding Criteria:** Define rules for which OSSPoI and OSSMoI must be onboarded (e.g., based on usage in critical systems, external facing applications, handling sensitive data). + * **Assessment Frequency:** Define minimum assessment frequencies based on asset criticality and type (e.g., SAST/Secrets on commit, SCA daily, DAST weekly, Model Scan on update). + * **Vulnerability Triage Process:** Document the workflow for reviewing new findings, assigning severity based on organizational context, determining validity (true positive/false positive), and assigning ownership. 
+ * **Remediation SLAs:** Define expected timelines for acknowledging and fixing vulnerabilities based on severity levels. + * **Tool Validation & Updates:** Regularly review and update integrated BeSPlugins and their underlying tools. Validate tool effectiveness periodically. + * **Reporting Cadence:** Define how and when assessment results and risk posture summaries are reported to the CISO and other stakeholders. + + ## **10\. Deployment and Interaction Diagrams (PlantUML)** + + The following diagrams illustrate the BeSLab architecture and key operational flows. + + ### **10.1 Diagram 1: High-Level Enterprise Deployment** + + ![High-Level Enterprise Deployment](./docs/images/Diagram1HighlevelEnterpriseDeployment.png) + + ### **10.2 Diagram 2: Detailed BeSLab Component Layout (Lite Mode Host)** + + ![Detailed BeSLab Component Layout (Lite Mode Host)](./docs/images/Diagram2BeSLabComponentsLayout.png) + + ### **10.3 Diagram 3: Project/Model Onboarding Flow (Git-based)** + + ![Project/Model Onboarding Flow (Git-based)](./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png) + + ### **10.4 Diagram 4: Assessment Execution Flow** + + ![Assessment Execution Flow](./docs/images/Diagram4AssessmentExecutionWorkflow.png) + + ### **10.5 Diagram 5: Vulnerability Tracking Flow (OSSVoI)** + + ![Vulnerability Tracking Flow (OSSVoI)](./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png) + + ## **11\. Conclusion** + + ### **11.1 Benefits Recap** + + Implementing an AI Security Lab using the Be-Secure BeSLab blueprint provides the CISO's organization with a powerful, centralized capability to manage the growing security risks associated with open source software and artificial intelligence models. 
Key benefits include: + + * **Standardized and Proactive Assurance:** Moving from ad-hoc reviews to consistent, automated assessments.1 + * **Enhanced Visibility and Control:** Centralized tracking of critical assets (OSSPoI, OSSMoI) and their associated vulnerabilities (OSSVoI) via BeSLighthouse.1 + * **Reduced Risk Posture:** Early identification and facilitated remediation of vulnerabilities in the software supply chain and AI models. + * **Internal Trust Validation:** The ability to generate internal TAVOSS designations for assessed components, building confidence in their use.1 + * **Extensibility and Adaptability:** A modular architecture based on Playbooks, Environments, and Plugins allows the lab to evolve and integrate new tools and assessment techniques over time. + + ### **11.2 Next Steps** + + Following the successful installation and initial configuration outlined in this guide, prioritize these immediate actions: + + 1. **Onboard Initial Assets:** Identify and onboard a pilot set of high-priority OSSPoI and OSSMoI based on organizational risk assessment. + 2. **Configure & Test Default Workflows:** Ensure the default BeSPlugins, BeSEnvironments, and BeSPlaybooks (Tables 4, 5, 6\) are correctly configured and execute successfully against test assets. + 3. **User Training:** Train Security Analysts on operating the lab (triggering scans, reviewing OSARs, using BeSLighthouse) and Developers on submitting assets and interpreting results. + 4. **Establish Governance:** Formalize the processes outlined in Section 9.3 (triage, SLAs, reporting) and communicate the RACI matrix (Table 8). + 5. **Secure the Lab:** Implement robust security hardening for the BeSLab host, GitLab instance, and associated accounts. Regularly apply security patches. + + ### **11.3 Continuous Improvement** + + The AI Security Lab is not a static entity. 
Its value lies in its continuous operation and evolution: + + * **Expand Plugin Coverage:** Regularly evaluate and integrate new BeSPlugins for emerging tools and assessment types (e.g., advanced AI safety checks, infrastructure-as-code scanning, license compliance). + * **Refine Playbooks:** Optimize existing playbooks and create new ones tailored to specific application stacks, risk profiles, or compliance requirements. + * **Update Environments:** Keep the underlying tools and dependencies within BeSEnvironments up-to-date. + * **Integrate with DevSecOps:** Explore deeper integration with existing CI/CD pipelines to automate security feedback loops for developers. + * **Monitor Effectiveness:** Regularly review the lab's performance, the types of vulnerabilities being found, and the speed of remediation to identify areas for improvement in tooling or processes. + + By following this guide and embracing a culture of continuous improvement, the CISO's organization can leverage the BeSLab blueprint to build a robust, effective, and adaptable AI Security Lab, significantly strengthening its posture against modern cyber threats. + + #### **Works cited** + + 1. Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLab](https://github.com/Be-Secure/BeSLab) + 2. Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLighthouse](https://github.com/Be-Secure/BeSLighthouse) + 3. 
Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, [https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/](https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/) + 4. Be-Secure/bes-schema: This repository defines the data ... \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/bes-schema](https://github.com/Be-Secure/bes-schema) From 250e6c943c0f4bdec00fe03a42aebb0b6527ae23 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 19:46:31 +0530 Subject: [PATCH 10/30] Create BeSLabSimplifiedGuide.md Draft version of Simplified Guide --- BeSLabSimplifiedGuide.md | 467 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 467 insertions(+) create mode 100644 BeSLabSimplifiedGuide.md diff --git a/BeSLabSimplifiedGuide.md b/BeSLabSimplifiedGuide.md new file mode 100644 index 0000000..3d6ff5a --- /dev/null +++ b/BeSLabSimplifiedGuide.md 
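Review bot: the five diagram links in section 10 use paths relative to the repository root (`./docs/images/Diagram1HighlevelEnterpriseDeployment.png` and its siblings), but this file lives at `docs/_docs/ai-security-lab-user-guide.md`, so a Markdown renderer will resolve them to `docs/_docs/docs/images/...` and show broken images; point them at `../images/...` (or wherever the PNGs are kept) and include the images in this change if they are not already in the repository. The heading "Deployment and Interaction Diagrams (PlantUML)" also promises PlantUML, yet only rendered PNGs are referenced, so committing the `.puml` sources alongside them would let the diagrams be regenerated when the architecture changes. Separately, the numeric citations are fused onto the preceding word (`assessments.1`, `BeSLighthouse.2`, `BeS Schema.4`) and will read as stray digits; Markdown footnotes (`[^1]`) or bracketed references tied to the "Works cited" list would make them legible.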
@@ -0,0 +1,467 @@ +# **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** + +**Part 1: Understanding BeSLab** + +**1\. Introduction: Your AI Security Lab** + +* **1.1 What is BeSLab and Why Use It?** + In today's digital world, organizations heavily rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models. While these components accelerate innovation, they also introduce security risks from potential vulnerabilities within them and the unique ways AI models can be attacked. Effectively managing these risks demands a structured and proactive strategy. + Establishing a dedicated AI Security Lab, based on the BeSLab blueprint, provides an organization's security team (specifically the CISO's office) with the necessary *internal* capability. It allows the organization to systematically check, track, and reduce the security risks tied to the OSS and AI components it uses or considers using . This focus on building internal capacity is central; BeSLab facilitates the development of in-house expertise and provides direct control over the security assurance process for these critical third-party assets, moving beyond reliance on external assessments or inconsistent manual reviews. +* **1.2 The Be-Secure Philosophy: Beyond a Single Tool** + The Be-Secure initiative aims to help organizations and the wider community strengthen open source artifacts—software, ML models, and datasets—against vulnerabilities . The BeSLab blueprint stems from this goal, offering a design for an open-source security lab. + It is crucial to understand that BeSLab is not a single software product that can be installed with one click. Instead, it is a *blueprint* or an *architectural pattern* . Think of it as a template defining how various tools and processes work together to create a comprehensive security assessment environment . 
This approach provides significant flexibility, allowing organizations to tailor the lab's capabilities. However, it also means that implementation involves assembling and integrating these components according to the blueprint's design, rather than installing a monolithic application. The core objective is to give application security and security operations teams full control and transparency over how these critical components are assessed . +* **1.3 Value for the CISO and Security Teams** + Implementing a BeSLab instance based on this blueprint delivers clear advantages for the CISO's organization and security teams : + * **Standardized Assurance:** Creates consistent and repeatable processes for security assessments of both OSS projects and AI models. + * **Centralized Visibility:** Offers a unified view through the BeSLighthouse dashboard, tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and related Vulnerabilities of Interest (OSSVoI) . + * **Reduced Risk Exposure:** Enables proactive identification and facilitates the fixing of vulnerabilities in essential software and models before attackers can exploit them. + * **Cost Efficiency:** Can lower the overall cost of risk assessment compared to frequent external security engagements or time-consuming manual reviews, especially as the number of tracked assets increases . + * **Internal Attestation:** Allows the organization to generate internal trust marks, such as a "Trusted and Verified Open Source Software" (TAVOSS) designation, for components that pass the lab's defined security checks . This TAVOSS status serves as a tangible outcome, providing a standardized way to communicate assurance levels internally and build confidence in the security posture of approved components . 
+* **1.4 Scope of This Guide** + This document serves as a comprehensive user guide focused specifically on setting up, configuring, and operating a *private* AI Security Lab using the BeSLab blueprint within an enterprise setting. It details the *'Lite Mode'* deployment, which consolidates essential components onto a single host machine, and covers integration with GitLab Community Edition (CE) as the code collaboration platform . The guide walks through the entire lifecycle: understanding the architecture, meeting prerequisites, installation steps, onboarding users, projects, models, and tools, defining operational workflows for security assessments, generating reports (OSARs), establishing governance (RACI), and configuring default components. + +**2\. How BeSLab Works: Architecture and Concepts** + +* **2.1 The Blueprint Explained: Core Components** + The BeSLab architecture, being a blueprint, defines how various components interact to form a working security lab . It integrates existing open-source tools with specific Be-Secure utilities and data structures to build a cohesive system for security assessment . A typical private BeSLab instance deployed in Lite Mode, as covered in this guide, includes these core parts : + * **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the central nervous system of the BeSLab instance. It hosts the critical datastore repositories containing configurations, definitions of assets (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and the assessment results (OSARs) . Using GitLab CE provides a powerful, self-hosted platform supporting version control, collaboration, and potential CI/CD integration for automating assessment workflows. + * **Datastore Repositories:** These are specific Git repositories within the SCM platform designated for storing different types of lab data. 
Common examples include : + * BeSEnvironment: Stores definitions and scripts for creating assessment environments. + * BeSPlaybook: Contains the scripts and configurations defining assessment workflows (playbooks). + * BeSAssessment: Archives the generated Open Source Assessment Reports (OSARs) and related metadata. + * Asset Stores (e.g., besecure-assets-store): Repositories holding lists and details of tracked OSSPoI, OSSMoI, etc. The precise naming and structure are important for tools like BeSLighthouse to locate data correctly . + * **BeSLighthouse:** A web-based dashboard application providing the main user interface for visualizing the lab's data . It reads information directly from the designated Git datastore repositories and presents views of tracked assets, associated vulnerabilities, assessment statuses, and links to detailed reports . Its direct reliance on the Git backend reinforces the GitOps model described below. + * **BLIman (BeSLab Lifecycle Management):** A command-line interface (CLI) tool specifically created for deploying, configuring, and managing the lifecycle of a BeSLab instance . It uses a configuration file (genesis.yaml) to define the lab's setup and provides commands like bli load, bli initmode, and bli launchlab to orchestrate the installation . + * **BeSman (BeS Environment Manager):** Another CLI utility, working alongside BLIman, focused on creating and managing the BeSEnvironments needed for assessments . It is typically installed during the BLIman setup and used by playbooks to provision the correct runtime environments for security tools . The reliance on distinct CLI tools like BLIman and BeSman for core management tasks means that administrators need proficiency with command-line operations. Automation efforts, operational procedures, and troubleshooting will heavily involve executing and scripting these commands, differing from purely GUI-managed systems. 
+ * **BeSEnvironment:** Represents a specific computing setup (often a container image or defined by setup scripts) containing the necessary tools, libraries, and dependencies to run a particular set of security assessments . These ensure assessments are consistent and repeatable. They are defined in the BeSEnvironment repository and managed by BeSman . + * **BeSPlaybook:** An automated script or workflow designed to orchestrate specific security assessment tasks . A playbook typically specifies which BeSEnvironment to use and which BeSPlugins (security tools) to run in sequence, along with configuration and data handling steps. Playbooks codify the assessment process for different asset types or security checks (e.g., SAST scan for Python code, AI model safety check). + * **BeSPlugin:** Represents an integration wrapper around a specific security tool (e.g., a SAST scanner like Semgrep, an SCA tool like Trivy, a secrets detector like Gitleaks, or an AI model analyzer) . These plugins are the "workhorses" that perform the actual security scans. They are called by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of integrated BeSPlugins. The framework is extensible, allowing new tools to be added as plugins over time . +* **2.2 The GitOps Foundation** + A fundamental aspect of the BeSLab architecture is its reliance on a GitOps workflow for managing the lab itself . This means that nearly all configurations, operational state definitions, asset lists, assessment playbooks, environment definitions, and even assessment results (OSARs) reside within Git repositories hosted on the SCM platform (like GitLab CE) . 
+ Changes to the lab's setup—adding a new project to track, modifying an assessment playbook, updating an environment, or configuring a tool—are managed through standard Git operations: making changes, committing them with descriptive messages, and pushing them to the central repository. This approach offers significant advantages for managing the security lab infrastructure: + * **Auditability:** Every change is recorded in the Git history, providing a clear audit trail of who changed what and when. + * **Version History:** Previous configurations and states can be easily reviewed or restored if needed. + * **Reproducibility:** The entire lab configuration is defined in code, making it easier to replicate the setup or recover from failures. + * **Collaboration:** Multiple team members can collaborate on managing the lab's configuration using familiar Git workflows. + * **Infrastructure-as-Code:** It treats the lab's configuration and operational definitions as code, promoting discipline, automation potential, and reliability in its management. BeSLighthouse reading directly from these repositories further reinforces this model, ensuring the dashboard always reflects the state defined in Git . +* **2.3 Key Terms You Need to Know** + Understanding this terminology is essential for working with BeSLab : + * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects your organization uses or depends on, which are onboarded into the lab for security assessment and monitoring. + * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by your organization, onboarded for security and safety assessments. + * **OSSVoI (Open Source Vulnerabilities of Interest):** The specific vulnerabilities (often identified by CVEs or similar IDs) discovered within the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities . 
+ * **OSAR (Open Source Assessment Report):** The standardized report generated after a BeSPlaybook completes an assessment run . It details the scope, methods, findings (including OSSVoI), risk posture, and potentially remediation advice. OSARs should ideally follow the BeS Schema for consistency . + * **TAVOSS (Trusted and Verified Open Source Software):** An internal designation indicating that an OSS project or AI model has passed a defined assessment process within your BeSLab instance and meets your organization's security criteria . Achieving TAVOSS status signifies a higher level of confidence based on the internal assessment . The lab facilitates identifying or distributing these TAVOSS-approved versions internally . + * **OSAP (Open Source Assurance Provider):** Each BeSLab instance acts as an OSAP . In the context of this guide (a private lab), your organization functions as its own internal OSAP, providing assurance for the assets it monitors. + * **BeS Schema / Exchange Schema:** A standardized data format defined by Be-Secure to enable consistent exchange of information about assets, vulnerabilities, and assessments between BeSLab components and potentially other systems or labs . Adhering to this schema, even in a private deployment, promotes interoperability, allows consistent data processing and visualization (e.g., by BeSLighthouse), simplifies tool development, and ensures reports (OSARs) have a uniform structure, making the lab's data more valuable and future-proof . + +**Part 2: Setting Up and Configuring Your Lab** + +**3\. Setting Up Your Private BeSLab (Lite Mode)** + +* **3.1 Before You Begin: Prerequisites Checklist** + Ensuring the target environment meets all requirements before starting installation is crucial for avoiding common setup problems. A dedicated host machine (a Virtual Machine is recommended for easier management and snapshots) is needed . 
+ The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. Meeting the recommended specifications is advisable for enterprise use to ensure adequate performance, especially for GitLab and concurrent assessments. Sufficient disk space is particularly important for storing Git repository data, container images, and potentially large assessment artifacts or logs. + +| Category | Requirement | Details / Recommendations | Reference | +| :---- | :---- | :---- | :---- | +| **Hardware** | CPU | Min: 4 vCPU, Recommended: 8+ vCPU | | +| | RAM | Min: 8 GB, Recommended: 16+ GB | | +| | Disk Space | Min: 16 GB, Recommended: 100+ GB (SSD) | | +| **Software** | Operating System | Ubuntu LTS Recommended | | +| | Utilities | curl, unzip, bash, git, sudo access | | +| | Container Runtime | Docker Engine or compatible | Implied | +| | NodeJS | v16.0+ | | +| | Python | Python 3, pip (Optional, depending on tools/methods) | | +| **Network** | Host Addressing | Static IP or resolvable DNS hostname | Required | +| | Internet Access | Outbound access for downloads/updates | Required | +| | Firewall Ports | SSH (22), HTTP/S (80/443 for GitLab), BeSLighthouse Port (e.g., 3000 or 80), potentially others | Required | +| | Internal Access | User access to GitLab/BeSLighthouse UIs | Required | +| **Accounts** | Host OS User | User with sudo privileges | | +| | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | | + +\*\*Table 1: Prerequisites Summary\*\* + +This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` process . Using an existing GitLab instance requires significant manual configuration beyond this standard guide. + +* **3.2 Step-by-Step Installation using BLIman** + Follow these steps to install a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool . Lite Mode installs core components like GitLab CE and BeSLighthouse onto the single prepared host . 
The installation is driven by the genesis.yaml configuration file. + 1. **Prepare Host:** Log in to the designated host machine (which meets all prerequisites) using an account with sudo privileges . + 2. **Install BLIman:** Install the BeSLab Lifecycle Management tool. Always refer to the official Be-Secure/BLIman repository for the most current installation instructions . Example commands (verify URLs): + Bash + \# Example installation commands (Verify against official BLIman README) + \# Download the installer script (URL might change) + curl \-sSL \ \-o install-bliman.sh + + \# Run the installer script + sudo bash install-bliman.sh + + \# Clean up installer script + rm install-bliman.sh + + \# Verify installation by checking the help command + bli help + Successful execution of bli help confirms installation. + 3. **Configure genesis.yaml:** Create the genesis.yaml file in your working directory. This file defines all parameters for the BeSLab instance . Customize the values below (especially URLs, IPs, ports, and the initial GitLab password) for your environment. 
+ YAML + \# Sample genesis.yaml for Private Lite Mode + \# \--- Global Configuration \--- + beslab\_mode: "lite" \# Specifies Lite Mode deployment + deployment\_type: "private" \# Specifies a private instance + + \# \--- GitLab Configuration \--- + gitlab: + host\_url: "http://\" \# \*\*REQUIRED\*\*: URL users will use + initial\_root\_password: "\" \# \*\*REQUIRED\*\*: Set a strong temporary password + \# Optional: Specify ports if not default 80/443/22 + \# http\_port: 80 + \# https\_port: 443 + \# ssh\_port: 22 + \# Optional: Specify data volume path + \# data\_volume: "/srv/gitlab/data" + + \# \--- BeSLighthouse Configuration \--- + beslighthouse: + host\_ip: "0.0.0.0" \# Listen on all interfaces within the container + host\_port: "3000" \# \*\*REQUIRED\*\*: Port BeSLighthouse will listen on (e.g., 3000\) + \# Optional: Specify data volume path + \# config\_volume: "/srv/beslighthouse/config" + + \# \--- Other Optional Configurations (Add as needed based on BLIman documentation) \--- + \# Example: Default user settings, registry settings, etc. + **Critical Security Note:** Choose a strong, unique initial\_root\_password for GitLab. This password **must** be changed immediately after the first login. Store the genesis.yaml file securely. + 4. **Load Configuration:** Use BLIman to parse and load the configuration : + Bash + \# Ensure you are in the directory containing genesis.yaml or provide the full path + bli load genesis.yaml + Address any validation errors reported by BLIman. + 5. **Initialize Mode:** Prepare BLIman for the 'lite' deployment mode : + Bash + bli initmode lite + + 6. **Initialize BeSman:** Initialize the BeS Environment Manager, usually installed by bli initmode : + Bash + source $HOME/.besman/bin/besman-init.sh + Verify initialization by checking its help command : + Bash + bes help + + 7. 
**Launch the Lab:** Start the main deployment process : + Bash + bli launchlab + This command downloads Docker images, configures and starts containers (GitLab, BeSLighthouse), sets up networking/volumes, and potentially seeds initial GitLab structures . This step can take significant time. Monitor the console output for errors. +* **3.3 Initial Verification: Checking Your Setup** + Once bli launchlab finishes successfully, verify the installation : + 1. **Access GitLab UI:** Open a web browser and go to the gitlab.host\_url defined in genesis.yaml. + 2. **Login to GitLab:** Use username root and the initial\_root\_password from genesis.yaml. + 3. **CRITICAL: Change GitLab Password:** GitLab will force a password change on first login. Set a new, strong, unique password and store it securely. This is vital for security. + 4. **Access BeSLighthouse UI:** Open another browser tab and navigate to http://\:\ (e.g., http://192.168.1.100:3000). + 5. **Verify BeSLighthouse Load:** The dashboard should load. Expect lists like "Projects Of Interest" to be empty initially . + 6. **(Optional) Check Container Status:** On the BeSLab host, run docker ps to confirm the GitLab and BeSLighthouse containers are running. + +Successful completion of these checks indicates the core BeSLab infrastructure is operational. + +**4\. Configuring Your BeSLab Instance** + +* **4.1 Essential GitLab Configuration** + After the initial setup and password change, configure these GitLab settings relevant for BeSLab : + * **User Sign-up Restrictions:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is strongly recommended to *disable* new sign-ups (uncheck "Sign-up enabled") to prevent unauthorized access. If self-registration is needed later, enable admin approval. + * **Group/Project Creation Permissions:** Go to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review who can create top-level groups and projects. 
Restricting this to Administrators initially is advisable for better control. + * **(Future Use) Runner Configuration:** If planning to automate assessment workflows using GitLab CI/CD pipelines later, GitLab Runners will need to be configured. This is an advanced step involving setting up agents that can execute jobs, potentially interacting with Docker or the BeSLab host. +* **4.2 Setting Up Be-Secure Repositories in GitLab** + BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations . While bli launchlab might perform some setup, manually creating or verifying these core repositories is often necessary. The precise naming and structure are important, as tools like BeSLighthouse often expect specific repository names and locations to function correctly . Deviating from expected conventions might prevent the dashboard or other tools from finding and processing data. + 1. **Login to GitLab:** Log in as the root user or another administrator. + 2. **Create a Top-Level Group:** Create a new group (e.g., besecure-lab) to logically organize all BeSLab-related repositories. + 3. **Create Core Repositories:** Within the besecure-lab group, create the following projects (Git repositories). Initialize each with at least a README file: + * BeSEnvironment: Stores assessment environment definitions (e.g., Dockerfiles). + * BeSPlaybook: Stores assessment playbook scripts. + * BeSAssessment: Stores assessment output reports (OSARs) and metadata. + * besecure-assets-store (or the name expected by BeSLighthouse's configuration): Stores lists/definitions of OSSPoI, OSSMoI, etc. . + * Potentially others depending on specific configurations or extensions. +* **4.3 Connecting BeSLighthouse to Your Data** + BeSLighthouse needs to be configured to find the data repositories within your private GitLab instance . This step activates the dashboard by linking the visualization front-end to the Git-based data back-end. + 1. 
**Locate datastore.ts:** Access the BeSLab host machine (e.g., via SSH). Find the BeSLighthouse installation directory. The exact path depends on the deployment, potentially within a Docker volume mount (check docker inspect \ for volume details) or a location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, locate the configuration file, typically src/config/datastore.ts . + 2. **Edit datastore.ts:** Open the file using a text editor (like nano or vim). Find the variables defining the URLs for the datastore repositories. Update these URLs to point to the repositories created in **your private GitLab instance** within the besecure-lab group . + * Example modification: + TypeScript + // Before modification (example pointing to public GitHub) + // export const PoI\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assets-store.git"; + // export const Assessment\_Repo\_URL \= "https://github.com/Be-Secure/besecure-assessment-datastore.git"; + + // After modification (pointing to internal GitLab) + export const PoI\_Repo\_URL \= "http://\/besecure-lab/besecure-assets-store.git"; + export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; + // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly + + 3. **Restart BeSLighthouse:** Apply the changes by restarting the BeSLighthouse service or container. If using Docker: + Bash + \# Find the BeSLighthouse container ID or name + sudo docker ps + + \# Restart the container + sudo docker restart \ + + 4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. Although the lists will still be empty until data is added, check the browser's developer tools (Network tab) or the container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated in the repositories. 
+ +**Part 3: Populating and Operating Your Lab** + +**5\. Populating Your Lab: Onboarding Guide** + +* **5.1 Managing User Access and Roles** + Properly managing user access is crucial for security and operational efficiency. Define roles within the BeSLab context and map them to GitLab's permission model to control who can perform specific actions . + * **Typical Roles:** + * **Lab Administrator:** Installs, configures, maintains, and upgrades BeSLab; manages users; integrates core tools. Requires high-level privileges. + * **Security Analyst:** Onboards assets (OSSPoI/OSSMoI), defines and triggers assessments, reviews reports (OSARs), triages vulnerabilities (OSSVoI), customizes assessment workflows (playbooks). Needs broad operational access. + * **Developer / Asset Owner:** Submits their projects/models for assessment, views reports relevant to their assets, responsible for implementing fixes. Needs access primarily to specific results. + * **CISO / Management:** Oversees the overall risk posture via dashboards (BeSLighthouse) and summary reports. Typically requires read-only access. + * **GitLab Permission Mapping (Example):** + * Lab Administrator: Assign Owner role on the top-level besecure-lab group in GitLab. + * Security Analyst: Assign Maintainer role on the besecure-lab group. + * Developer / Asset Owner: Assign Developer or Reporter role on specific projects/repositories relevant to them. + * CISO / Management: Assign Guest or Reporter role on the besecure-lab group for viewing access. + * **Onboarding Process:** + 1. The Lab Administrator logs into GitLab. + 2. Navigates to Admin Area \-\> Overview \-\> Users. + 3. Creates new user accounts as needed (assuming sign-up is restricted). + 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. + 5. Invites users to the group, assigning the appropriate role based on the mapping above. Permissions can be further refined on individual sub-projects (repositories) if necessary. 
+* **5.2 Adding Projects (OSSPoI) for Assessment** + Onboarding Open Source Projects of Interest (OSSPoI) means adding the software projects your organization relies on to the lab's tracking system so they can be assessed . + * **Definition:** OSSPoI are specific open-source software projects deemed important or critical enough by the organization to warrant regular security assessment. + * **Process:** The process leverages the GitOps workflow: + 1. Identify the OSS project to onboard. + 2. Locate the designated asset tracking repository in GitLab (e.g., besecure-lab/besecure-assets-store). + 3. Clone this repository to your local machine. + 4. Edit the relevant file within the repository (e.g., osspoi\_list.yaml or projects.json, depending on the convention established). Add an entry for the new project, including metadata such as Project Name, Source Code URL (e.g., Git repository URL), specific Version(s) of interest, and potentially a flag indicating if it's targeted for TAVOSS designation. + 5. Commit the changes locally using a clear, descriptive commit message (e.g., "Add OSSPoI: Apache Commons Text v1.10"). + 6. Push the changes back to the central GitLab repository. BeSLighthouse should automatically pick up the changes on its next refresh cycle . + * **TAVOSS Designation:** Marking an OSSPoI for TAVOSS signifies an intent to subject it to a more rigorous assessment process defined by the organization, aiming to achieve the internal 'Trusted and Verified' status . + * **Example OSSPoI Candidates:** Prioritize projects based on their criticality to business operations, widespread usage within the organization, known history of vulnerabilities, or handling of sensitive data. 
+ +| OSSPoI Candidate | Rationale | Potential Assessment Focus | +| :---- | :---- | :---- | +| Apache Log4j 2 | Critical logging library; past vulnerabilities | SCA (Dependencies), SAST (Java) | +| Apache Struts2 | Web framework; history of RCE vulnerabilities | SCA, SAST (Java), DAST | +| Spring Boot / Framework | Widely used Java framework | SCA, SAST (Java), Secrets Scan | +| TensorFlow | Foundational ML framework | SCA (Python deps), SAST (Python) | +| PyTorch | Foundational ML framework | SCA (Python deps), SAST (Python) | +| Node.js Express | Common web framework for Node.js | SCA (npm), SAST (JavaScript/TS) | +| Internal Shared Library X | Critical internal component used by many apps | SAST, SCA, Secrets Scan | + + \*\*Table 2: Example OSSPoI Candidates\*\* + +* **5.3 Adding AI Models (OSSMoI) for Assessment** + Similar to software projects, Open Source Models of Interest (OSSMoI) need to be onboarded for tracking and security/safety assessment . + * **Definition:** OSSMoI are specific open-source AI/ML models used or being considered for use by the organization. + * **Process:** This follows the same Git-based workflow used for OSSPoI. An analyst or administrator clones the asset tracking repository (or a dedicated model repository), edits the designated list file (e.g., ossmoi\_list.yaml), adds the new model with relevant metadata (Model Name, Source URL/Identifier like Hugging Face Hub ID, Version, Base Model if fine-tuned, License information), commits, and pushes the changes. + * **Example OSSMoI Candidates:** Focus on models relevant to the organization's AI strategy, particularly those used in production, handling sensitive data, or interacting with users. 
+ +| OSSMoI Candidate | Rationale | Potential Assessment Focus | +| :---- | :---- | :---- | +| BERT (e.g., base-uncased) | Popular foundational NLP model | Model Scanning (safety, e.g., unsafe operators), Provenance Checks, License Compliance | +| Stable Diffusion (e.g., v1.5) | Widely used image generation model | Model Scanning, License Compliance, Potential Bias Checks | +| Llama (e.g., Llama-2-7b-hf) | Common open Large Language Model (LLM) | Model Scanning (safety), License Compliance, Responsible AI checks | +| GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance Checks | +| Internally Fine-tuned Model Y | Model derived from OSSMoI, used in production | Model Scanning, Fine-tuning Data Privacy Review, Robustness Testing | + + \*\*Table 3: Example OSSMoI Candidates\*\* + +* **5.4 Integrating Security Tools (BeSPlugins)** + The actual security assessment capabilities of the BeSLab depend entirely on the integrated security tools, made available via BeSPlugins . Integrating these tools is therefore a fundamental task. + * **Definition:** A BeSPlugin acts as the integration layer or wrapper that allows a BeSPlaybook to invoke a specific security tool (like a scanner or linter) within the BeSLab framework . + * **Integration Process:** + 1. **Identify Tool:** Select the security tool needed (e.g., Semgrep for code pattern matching, Trivy for vulnerability scanning, Bandit for Python security linting, Gitleaks for secret detection, OWASP ZAP for dynamic scanning, or a specialized AI model scanner). + 2. **Check Existing Plugins:** Look within the Be-Secure community repositories or internal repositories for pre-built BeSPlugins for the chosen tool. Reusing existing plugins saves significant effort. + 3. **Develop/Configure Plugin:** If no suitable plugin exists, one needs to be developed or configured. 
This typically involves creating a script (e.g., shell script, Python script) that: + * Knows how to execute the security tool with appropriate arguments (taking input like target repository path or URL). + * Parses the tool's output (e.g., JSON, XML, plain text). + * Ideally, transforms the output into the standardized BeS Schema format for consistent reporting and processing . + * Defines any dependencies required by the tool or the wrapper script. + * Is packaged or made available for execution within a BeSEnvironment. + 4. **Define BeSEnvironment:** Ensure a suitable BeSEnvironment exists (or create one) that contains the security tool itself and all its runtime dependencies (e.g., specific Python version, libraries, OS packages). This environment definition (e.g., a Dockerfile) should reside in the BeSEnvironment repository . + 5. **Reference in BeSPlaybook:** Update an existing BeSPlaybook or create a new one in the BeSPlaybook repository to invoke the newly integrated BeSPlugin at the appropriate step in the assessment workflow . + * **Extensibility:** This plugin-based architecture is designed for extensibility, allowing the organization to add new security tools, techniques, or custom checks over time as threats evolve and new technologies are adopted . + * **Example Default BeSPlugins:** Start by integrating a core set of plugins covering common security assessment types. The effectiveness of the lab is directly linked to the quality and breadth of these integrated plugins. Maintaining them (e.g., updating tools, adapting parsers) requires ongoing effort but is essential for deriving value. + +| BeSPlugin Example | Tool Integrated (Example) | Security Assessment Type | Purpose | +| :---- | :---- | :---- | :---- | +| Semgrep-Plugin | Semgrep | SAST | Static code analysis using customizable pattern matching. | +| Trivy-Plugin | Trivy | SCA, Container Scanning | Detects known vulnerabilities in OS packages & dependencies. 
| +| Bandit-Plugin | Bandit | SAST (Python) | Finds common security issues specifically in Python code. | +| Gitleaks-Plugin | Gitleaks | Secret Scanning | Detects hardcoded secrets (API keys, passwords) in Git history. | +| OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application vulnerabilities via crawling/attacking. | +| ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | + + \*\*Table 4: Example Default BeSPlugins\*\* + +**6\. Operating Your BeSLab: Workflows in Action** + +* **6.1 Submitting Assets for Assessment** + Define a clear process for how new projects (OSSPoI) and models (OSSMoI) are submitted for tracking and assessment : + * **Manual Git Update:** Authorized users (e.g., Security Analysts) directly clone the asset repository, edit the list file, commit, and push the changes. This is the simplest method and aligns directly with the GitOps model. + * **GitLab Merge Request (MR):** Developers or other stakeholders can submit changes to the asset list file via a GitLab Merge Request. This allows Security Analysts to review and approve the submission before it's merged into the main branch, providing an approval gate. + * **API Integration (Advanced):** For more sophisticated integration, scripts or internal tools could interact with the GitLab API to update the asset lists, potentially triggered by events in other systems (e.g., a new project created in an internal registry). + +*Diagram Reference:* The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** (./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png). + +* **6.2 Running Security Assessments** + Assessments are executed using the defined BeSPlaybooks, which orchestrate the use of BeSEnvironments and BeSPlugins . 
The separation of these components provides modularity—allowing environments to be reused across playbooks, or playbooks to run different sets of plugins—but requires careful coordination to ensure they work together correctly. + * **Triggering Mechanisms:** Assessments can be initiated in several ways: + * **Manual:** Security Analysts can trigger specific playbooks on demand, often via CLI commands or custom scripts interacting with BeSman or potentially GitLab CI. + * **Scheduled:** Use standard scheduling tools like cron on the host or GitLab CI Schedules to run assessments periodically (e.g., daily SCA scans on critical projects, weekly DAST scans). + * **Event-Driven:** Integrate with GitLab CI/CD pipelines or use webhooks. For example, trigger a SAST and secrets scan automatically on every code commit to a specific branch, or run a full assessment suite when a Merge Request is created. + * **Playbook Invocation Flow:** When triggered, the process typically follows these steps : + 1. The trigger mechanism selects and starts the appropriate BeSPlaybook script. + 2. The playbook script uses BeSman commands to prepare or provision the required BeSEnvironment (e.g., pulling and starting a specific Docker container). + 3. The playbook then executes the sequence of defined BeSPlugins (security tools) within that environment, passing the target asset (e.g., code repository path, model file location) as input to each plugin. + 4. The playbook collects the results from each plugin. + +*Diagram Reference:* This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** (./docs/images/Diagram4AssessmentExecutionWorkflow.png). + +* **6.3 Generating and Storing Reports (OSARs)** + After the plugins within a playbook have run, the results need to be formalized into a standard report . 
+ * **Aggregation & Formatting:** The BeSPlaybook script is responsible for aggregating the findings from the various BeSPlugins executed during the run. It should format these findings into a structured Open Source Assessment Report (OSAR). Adhering to the BeS Schema for the OSAR format is highly recommended for consistency and easier automated processing . + * **Storage:** The generated OSAR file (commonly in JSON or YAML format) is then committed back to the designated BeSAssessment Git repository . The commit message or metadata associated with the file should link the OSAR to the specific asset (OSSPoI/OSSMoI), the version assessed (e.g., Git commit hash, model version tag), the playbook used, and the timestamp of the assessment run. This creates an immutable, version-controlled audit trail of all assessment activities. +* **6.4 Visualizing Results with BeSLighthouse** + The BeSLighthouse dashboard serves as the primary interface for monitoring the lab's activities and results . Users interact with BeSLighthouse to: + * View the lists of currently tracked assets (OSSPoI and OSSMoI) as read from the asset repositories . + * Check the status and history of assessment runs for each asset. + * Visualize aggregated vulnerability data (OSSVoI) associated with the tracked assets . + * Access direct links to the detailed OSAR files stored in the BeSAssessment Git repository for deeper investigation. +* **6.5 Tracking Vulnerabilities (OSSVoI)** + A key function of the lab is to identify and track specific vulnerabilities (OSSVoI) within the monitored assets . + * **Identification & Extraction:** BeSPlugins (especially SCA, SAST, and DAST tools) identify potential vulnerabilities, often providing standard identifiers like CVE numbers. This information is captured by the playbook and included in the OSAR . Key details like the vulnerability ID (CVE), severity level, affected component/file, and location should be extracted and structured within the OSAR . 
+ * **Storage:** Structured OSSVoI data is stored as part of the OSAR in the BeSAssessment repository, or potentially in a separate linked file or database if more complex tracking is implemented. + * **Visualization:** BeSLighthouse reads the OSSVoI data from the assessment results and presents aggregated views, such as counts of vulnerabilities by severity per project . + * **Triage & Remediation:** Security Analysts use the OSARs and the BeSLighthouse dashboard to review new findings, validate their authenticity, prioritize them based on severity and context, assign remediation tasks (e.g., creating tickets in an issue tracker), and track the progress of fixes. + +*Diagram Reference:* The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** (./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png). + +* **6.6 Engagement Options (Beyond Private Use)** + While this guide focuses on a private, internal BeSLab instance functioning as an internal OSAP , the Be-Secure ecosystem allows for potential future interactions: + * **Contribute Back:** Share identified vulnerabilities or patches securely with the upstream open source projects. + * **Data Sharing:** If appropriate agreements are in place, share anonymized vulnerability data (using the BeS Schema for interoperability ) with trusted partners, industry groups, or security communities . + * **Consume External Data:** Integrate external threat intelligence or vulnerability feeds to enrich the findings identified internally and provide broader context. + +**Part 4: Defaults and Governance** + +**7\. Getting Started Quickly: Default Configurations** + +* **7.1 Why Defaults Matter** + Establishing a set of default configurations for environments, playbooks, and plugins provides immediate value after the initial BeSLab setup . 
These defaults offer foundational security checks for common types of assets, allowing the team to start performing basic assessments quickly without needing extensive customization upfront. +* **7.2 Default Assessment Environments (BeSEnvironments)** + Define a baseline set of reusable runtime environments in the BeSEnvironment repository. These typically encapsulate the dependencies needed for common categories of security tools . Examples often use Dockerfiles for definition. + +| BeSEnvironment Name | Key Components Included | Purpose | +| :---- | :---- | :---- | +| python-base-env | Python 3.x, pip, common build tools, Git | Running Python-specific tools like Bandit, Semgrep (Python rules), Python SCA tools. | +| node-base-env | NodeJS (LTS), npm/yarn, Git | Running JavaScript/TypeScript SAST/Linters, SCA tools (npm audit, yarn audit). | +| generic-scanner-env | Base Linux OS, curl, jq, git, Trivy binary | Running generic scanners like Trivy (filesystem/repo scanning), Gitleaks, potentially simple script-based checks. | +| ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps | Dedicated environment for AI model security scanning tools (e.g., ModelScan, custom checks). | +| java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java-specific SAST/SCA tools. | + +\*\*Table 5: Example Default BeSEnvironments\*\* + +* **7.3 Default Assessment Workflows (BeSPlaybooks)** + Create standard assessment workflows (playbooks) in the BeSPlaybook repository by combining the default environments and plugins for common tasks . These serve as templates that can be used directly or adapted. + +| BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | +| :---- | :---- | :---- | :---- | :---- | +| sast-python-standard | python-base-env | Semgrep-Plugin, Bandit-Plugin | On Commit / Pull Request | Basic static analysis checks for Python projects. 
| +| sca-generic-standard | generic-scanner-env | Trivy-Plugin (FS mode) | Daily / Weekly | Scans project dependencies for known vulnerabilities (CVEs). | +| secrets-scan-standard | generic-scanner-env | Gitleaks-Plugin | On Commit / Pull Request | Detects potential hardcoded secrets committed to Git history. | +| ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Initial safety/security checks on newly added AI models. | +| dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline Scan) | Weekly / On Demand | Basic dynamic scan against a deployed web application URL (requires target URL). | + +\*\*Table 6: Example Default BeSPlaybooks\*\* + +* **7.4 Recap: Default Security Tools (BeSPlugins)** + The default playbooks listed above would typically utilize the core set of BeSPlugins recommended earlier (refer back to **Table 4: Example Default BeSPlugins**). Ensuring these foundational plugins (e.g., Semgrep, Trivy, Bandit, Gitleaks, an AI model scanner, potentially OWASP ZAP) are integrated and functional is key to making the default playbooks operational. + +**8\. Reporting and Governance for Your Lab** + +* **8.1 Standard Assessment Reports (OSAR Structure)** + Consistent and comprehensive reporting is vital for communicating assessment results effectively. Open Source Assessment Reports (OSARs) should be standardized, ideally aligning with the principles of the BeS Schema . A well-structured OSAR ensures that all necessary information is captured and presented clearly. + +| OSAR Section | Content Description | Purpose | +| :---- | :---- | :---- | +| **Metadata** | Unique Assessment ID, Timestamp, Asset ID/Name (OSSPoI/OSSMoI), Asset Version/Commit Assessed, Playbook Used, Environment Used, Triggering Event. | Uniquely identifies the assessment context and parameters. 
| +| **Executive Summary** | Brief description of the assessment scope, summary of key findings, overall assessed risk level (e.g., Critical/High/Medium/Low), critical recommendations. | Provides a high-level snapshot for quick review by management and triage teams. | +| **Asset Details** | Full Name/Identifier, Source URL/Location, Brief Description, Exact Version/Commit Hash Assessed, License Information. | Clearly identifies the specific artifact that was assessed. | +| **Scope & Methodology** | Description of the checks performed, list of tools (BeSPlugins) used and their versions, specific configurations applied, known limitations or exclusions. | Defines the boundaries and methods of the assessment for transparency and reproducibility. | +| **Findings Summary** | Aggregated counts of findings categorized by severity (e.g., Critical, High, Medium, Low, Informational). May include charts or graphs. | Gives a quantitative overview of the identified issues. | +| **Detailed Findings** | A list of individual findings. Each finding should include: Unique ID, Clear Description, Assigned Severity, Current Status (New, Confirmed, Mitigated, False Positive), Location (File path, line number, component name), Evidence (Code snippet, tool output), Remediation Guidance, Associated Identifiers (CVE, CWE \- forming the OSSVoI). | Provides actionable details required by analysts and developers for validation and remediation. | +| **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. May reference internal criteria like TAVOSS if applicable. | Documents the assessment outcome and the confidence level derived from the process. 
| + +\*\*Table 7: OSAR Sample Structure\*\* + +* **8.2 Defining Roles and Responsibilities (RACI Matrix)** + A RACI (Responsible, Accountable, Consulted, Informed) matrix helps clarify roles and responsibilities for various BeSLab activities, preventing confusion and ensuring tasks are owned. + +| Activity | CISO | Lab Admin | Security Analyst | Dev Lead / App Owner | Legal / Compliance | +| :---- | :---- | :---- | :---- | :---- | :---- | +| Lab Setup/Configuration | A | R | C | I | I | +| User Onboarding & Permissions | A | R | C | I | I | +| OSSPoI Onboarding (Decision) | A | C | R | C | I | +| OSSMoI Onboarding (Decision) | A | C | R | C | C | +| BeSPlugin Integration/Maintenance | A | R | C | I | I | +| Assessment Execution/Scheduling | I | C | R | I | I | +| OSAR Review & Vulnerability Triage | C | I | R | C | C | +| Vulnerability Remediation Tracking | A | I | R | C | I | +| Vulnerability Remediation Implementation | I | I | C | R | I | +| Lab Maintenance & Upgrades | A | R | C | I | I | +| Policy Definition (Scope, SLAs) | A | C | C | C | R | + +\*\*Table 8: RACI Matrix\*\* \*(R=Responsible, A=Accountable, C=Consulted, I=Informed)\* + +* **8.3 Key Governance Policies to Establish** + Implementing the BeSLab technology is only part of the solution. Establishing clear governance processes and policies is crucial to ensure the lab operates effectively and contributes meaningfully to risk reduction . Without governance, scan results might be inconsistent, ignored, or overwhelming. Key areas requiring formal policies include : + * **Onboarding Criteria:** Define clear rules for which types of OSS projects and AI models *must* be onboarded into the lab (e.g., based on criticality, external facing, handling sensitive data). + * **Assessment Frequency:** Establish minimum scanning schedules based on asset criticality and type of scan (e.g., critical web frameworks scanned daily with SCA, less critical libraries weekly; SAST on every commit). 
+ * **Triage Process:** Document the workflow for how findings reported in OSARs are reviewed, validated (confirming they are true positives), prioritized (based on severity and context), and assigned for remediation. + * **Remediation SLAs:** Define expected timelines (Service Level Agreements) for fixing vulnerabilities based on their severity level (e.g., Critical vulnerabilities fixed within 7 days, High within 30 days). + * **Tool Validation & Updates:** Implement a process for regularly reviewing the effectiveness of integrated BeSPlugins, updating the underlying tools to their latest stable versions, and validating parser logic. + * **Reporting Cadence:** Define how and when assessment results and overall risk posture summaries are reported to different stakeholders (e.g., immediate alerts for critical findings, monthly summaries for management). + +**Part 5: Visual Aids and Conclusion** + +**9\. Visualizing the Setup** + +The following diagrams, referenced by their original file names in the source documentation, provide visual context for the BeSLab architecture and workflows. While the images themselves are not embedded here, understanding their purpose can aid comprehension: + +* **9.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. *(Reference Diagram 1: ./docs/images/Diagram1HighlevelEnterpriseDeployment.png)*. +* **9.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. *(Reference Diagram 2: ./docs/images/Diagram2BeSLabComponentsLayout.png)*. 
+ +*(Note: References to Diagram 3: Project/Model Onboarding Flow, Diagram 4: Assessment Execution Flow, and Diagram 5: Vulnerability Tracking Flow were placed contextually within Section 6 where those workflows were described.)* + +**10\. Conclusion and Next Steps** + +* **10.1 Summary of Benefits** + Establishing and operating an AI Security Lab using the BeSLab blueprint offers significant advantages for strengthening an organization's security posture regarding open source software and AI models : + * **Standardized Assurance:** Implements consistent, automated, and repeatable security assessment processes. + * **Visibility & Control:** Provides centralized tracking and visualization of monitored assets (OSSPoI/MoI) and their associated vulnerabilities (OSSVoI) through the BeSLighthouse dashboard . + * **Reduced Risk:** Enables the early identification and facilitates the timely remediation of vulnerabilities before they can be exploited. + * **Internal Trust:** Creates a mechanism (TAVOSS) for establishing and communicating internal trust levels for assessed components . + * **Extensibility:** Offers a modular architecture allowing the integration of new tools, techniques, and assessment types over time . +* **10.2 Immediate Actions After Setup** + Once the initial installation and configuration described in this guide are complete, focus on these next steps to make the lab operational : + 1. **Onboard Initial Assets:** Begin by onboarding a small set of high-priority or representative OSS projects (OSSPoI) and AI models (OSSMoI). + 2. **Configure & Test Defaults:** Ensure the default BeSEnvironments, BeSPlaybooks, and BeSPlugins (Tables 4, 5, 6\) are correctly configured and functioning as expected by running test assessments. + 3. **User Training:** Provide training to Security Analysts, relevant Developers, and other stakeholders on how to use the lab (submitting assets, running scans, interpreting reports, using BeSLighthouse). + 4. 
**Establish Governance:** Formalize the key governance policies (Section 8.3) and communicate the RACI matrix (Table 8\) to ensure clear processes and responsibilities. + 5. **Secure the Lab:** Implement security best practices for the BeSLab host OS, the GitLab instance (user management, network access), and ensure components are kept patched and updated. +* **10.3 Continuous Improvement Roadmap** + An effective AI Security Lab requires ongoing maintenance and evolution : + * **Expand Plugin Coverage:** Continuously identify and integrate new BeSPlugins to cover more languages, frameworks, vulnerability types, and AI-specific risks. + * **Refine Playbooks:** Optimize existing BeSPlaybooks and create new ones tailored to specific organizational needs, risk profiles, or compliance requirements. + * **Update Environments:** Regularly update the tools, libraries, and base images within BeSEnvironments to ensure accurate scanning and benefit from the latest tool features. + * **Integrate with DevSecOps:** Enhance automation by integrating BeSLab assessment triggers and feedback loops directly into developer CI/CD pipelines. + * **Monitor Effectiveness:** Regularly review the lab's performance, the quality of findings, the speed of remediation, and feedback from users to identify areas for improvement in tools, processes, and governance. + +By following this guide to establish the initial BeSLab instance and committing to its continuous improvement, organizations can build a powerful internal capability to manage the security risks associated with open source software and artificial intelligence. + +**11\. Works Cited** + +Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLab +Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. 
Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLighthouse +Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/ +Be-Secure/bes-schema: This repository defines the data... \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/bes-schema From 35ddcad00770660907b4907564c458664beb0c0c Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 19:48:31 +0530 Subject: [PATCH 11/30] Rename BeSLabSimplifiedGuide.md to BeSLabAISecurityLabUserGuide.md --- BeSLabSimplifiedGuide.md => BeSLabAISecurityLabUserGuide.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename BeSLabSimplifiedGuide.md => BeSLabAISecurityLabUserGuide.md (100%) diff --git a/BeSLabSimplifiedGuide.md b/BeSLabAISecurityLabUserGuide.md similarity index 100% rename from BeSLabSimplifiedGuide.md rename to BeSLabAISecurityLabUserGuide.md From 26ea78c578b42460c4c0b9860243bfa8c22f75ae Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 19:51:21 +0530 Subject: [PATCH 12/30] Rename BeSLabAISecurityLabUserGuide.md to AISecurityLabSetupGuide.md --- BeSLabAISecurityLabUserGuide.md => AISecurityLabSetupGuide.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename BeSLabAISecurityLabUserGuide.md => AISecurityLabSetupGuide.md (100%) diff --git a/BeSLabAISecurityLabUserGuide.md b/AISecurityLabSetupGuide.md similarity index 100% rename from BeSLabAISecurityLabUserGuide.md rename to AISecurityLabSetupGuide.md From a37508bacdda3873f06bf8935d97efa7eddbb5ee Mon Sep 17 00:00:00 2001 
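Review bot: the section titles added in this hunk (`**Part 5: Visual Aids and Conclusion**`, `**9\. Visualizing the Setup**`, `**10\. Conclusion and Next Steps**`, `**11\. Works Cited**`) are bold paragraphs rather than Markdown headings, so the renderer generates no anchors for them and a later table of contents cannot link to them; use `##`/`###` headings instead. Two smaller points in the same hunk: the Works Cited entries are consecutive lines with no blank line or list marker between them, so Markdown will fold all four references into one paragraph, and the diagram paths in 9.1 and 9.2 (`./docs/images/Diagram1HighlevelEnterpriseDeployment.png`, `./docs/images/Diagram2BeSLabComponentsLayout.png`) are written relative to the repository root while this file is created at `docs/_docs/ai-security-lab-user-guide.md`, so they will not resolve if they are later turned into `![...](...)` embeds.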
From: Vinod Panicker Date: Thu, 1 May 2025 19:59:51 +0530 Subject: [PATCH 13/30] Update AISecurityLabUserGuide.md Draft of Simplified Version --- AISecurityLabUserGuide.md | 54 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/AISecurityLabUserGuide.md b/AISecurityLabUserGuide.md index 850a7e9..6ec4fa8 100644 --- a/AISecurityLabUserGuide.md +++ b/AISecurityLabUserGuide.md 
@@ -1,4 +1,58 @@ # **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** + +Table of Contents +(#part-1-understanding-beslab) +(#1-introduction-your-ai-security-lab) +(#11-what-is-beslab-and-why-use-it) +(#12-the-be-secure-philosophy-beyond-a-single-tool) +(#13-value-for-the-ciso-and-security-teams) +(#14-scope-of-this-guide) +(#2-how-beslab-works-architecture-and-concepts) +(#21-the-blueprint-explained-core-components) +(#22-the-gitops-foundation) +(#23-key-terms-you-need-to-know) +(#part-2-setting-up-and-configuring-your-lab) +(#3-setting-up-your-private-beslab-lite-mode) +(#31-before-you-begin-prerequisites-checklist) +(#32-step-by-step-installation-using-bliman) +(#33-initial-verification-checking-your-setup) +(#4-configuring-your-beslab-instance) +4.1 Essential GitLab Configuration +(#42-setting-up-be-secure-repositories-in-gitlab) +(#43-connecting-beslighthouse-to-your-data) +Part 3: Populating and Operating Your Lab +5. Populating Your Lab: Onboarding Guide +(#51-managing-user-access-and-roles) +(#52-adding-projects-osspoi-for-assessment) +(#53-adding-ai-models-ossmoi-for-assessment) +(#54-integrating-security-tools-besplugins) +(#6-operating-your-beslab-workflows-in-action) +(#61-submitting-assets-for-assessment) +(#62-running-security-assessments) +(#63-generating-and-storing-reports-osars) +(#64-visualizing-results-with-beslighthouse) +(#65-tracking-vulnerabilities-ossvoi) +(#66-engagement-options-beyond-private-use) +Part 4: Defaults and Governance +(#7-getting-started-quickly-default-configurations) +7.1 Why Defaults Matter +(#72-default-assessment-environments-besenvironments) +(#73-default-assessment-workflows-besplaybooks) +(#74-recap-default-security-tools-besplugins) +(#8-reporting-and-governance-for-your-lab) +(#81-standard-assessment-reports-osar-structure) +(#82-defining-roles-and-responsibilities-raci-matrix) +8.3 Key Governance Policies to Establish +Part 5: Visual Aids and Conclusion 
+(#9-visualizing-the-setup) +9.1 High-Level Enterprise View +9.2 Detailed Component Layout +(#10-conclusion-and-next-steps) +(#101-summary-of-benefits) +(#102-immediate-actions-after-setup) +(#103-continuous-improvement-roadmap) +11. Works Cited + ## **1\. Introduction to the BeSLab AI Security Lab** From 46931340e2d2a5001c6f2f5ffd62d77ce1264c1f Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 20:00:52 +0530 Subject: [PATCH 14/30] Update AISecurityLabUserGuide.md reverted --- AISecurityLabUserGuide.md | 54 --------------------------------------- 1 file changed, 54 deletions(-) diff --git a/AISecurityLabUserGuide.md b/AISecurityLabUserGuide.md index 6ec4fa8..e3b6150 100644 --- a/AISecurityLabUserGuide.md +++ b/AISecurityLabUserGuide.md 
@@ -1,59 +1,5 @@ # **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** -Table of Contents -(#part-1-understanding-beslab) -(#1-introduction-your-ai-security-lab) -(#11-what-is-beslab-and-why-use-it) -(#12-the-be-secure-philosophy-beyond-a-single-tool) -(#13-value-for-the-ciso-and-security-teams) -(#14-scope-of-this-guide) -(#2-how-beslab-works-architecture-and-concepts) -(#21-the-blueprint-explained-core-components) -(#22-the-gitops-foundation) -(#23-key-terms-you-need-to-know) -(#part-2-setting-up-and-configuring-your-lab) -(#3-setting-up-your-private-beslab-lite-mode) -(#31-before-you-begin-prerequisites-checklist) -(#32-step-by-step-installation-using-bliman) -(#33-initial-verification-checking-your-setup) -(#4-configuring-your-beslab-instance) -4.1 Essential GitLab Configuration -(#42-setting-up-be-secure-repositories-in-gitlab) -(#43-connecting-beslighthouse-to-your-data) -Part 3: Populating and Operating Your Lab -5. Populating Your Lab: Onboarding Guide -(#51-managing-user-access-and-roles) -(#52-adding-projects-osspoi-for-assessment) -(#53-adding-ai-models-ossmoi-for-assessment) -(#54-integrating-security-tools-besplugins) -(#6-operating-your-beslab-workflows-in-action) -(#61-submitting-assets-for-assessment) -(#62-running-security-assessments) -(#63-generating-and-storing-reports-osars) -(#64-visualizing-results-with-beslighthouse) -(#65-tracking-vulnerabilities-ossvoi) -(#66-engagement-options-beyond-private-use) -Part 4: Defaults and Governance -(#7-getting-started-quickly-default-configurations) -7.1 Why Defaults Matter -(#72-default-assessment-environments-besenvironments) -(#73-default-assessment-workflows-besplaybooks) -(#74-recap-default-security-tools-besplugins) -(#8-reporting-and-governance-for-your-lab) -(#81-standard-assessment-reports-osar-structure) -(#82-defining-roles-and-responsibilities-raci-matrix) -8.3 Key Governance Policies to Establish -Part 5: Visual Aids and Conclusion 
-(#9-visualizing-the-setup) -9.1 High-Level Enterprise View -9.2 Detailed Component Layout -(#10-conclusion-and-next-steps) -(#101-summary-of-benefits) -(#102-immediate-actions-after-setup) -(#103-continuous-improvement-roadmap) -11. Works Cited - - ## **1\. Introduction to the BeSLab AI Security Lab** ### **1.1 Purpose and Need** From 55292508e0f2d5b0ba7343a499df3b1c8221d2d7 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 20:09:43 +0530 Subject: [PATCH 15/30] Update AISecurityLabSetupGuide.md Draft version of Simplified Guide --- AISecurityLabSetupGuide.md | 97 +++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 3d6ff5a..063e963 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md 
@@ -1,5 +1,60 @@ # **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** +**Table of Contents** +[Part 1: Understanding BeSLab](#part-1-understanding-beslab) +(#1-introduction-your-ai-security-lab) +(#11-what-is-beslab-and-why-use-it) +(#12-the-be-secure-philosophy-beyond-a-single-tool) +(#13-value-for-the-ciso-and-security-teams) +(#14-scope-of-this-guide) +(#2-how-beslab-works-architecture-and-concepts) +(#21-the-blueprint-explained-core-components) +(#22-the-gitops-foundation) +(#23-key-terms-you-need-to-know) +[Part 2: setting-up-and-configuring-your-lab](#part-2-setting-up-and-configuring-your-lab) +(#3-setting-up-your-private-beslab-lite-mode) +(#31-before-you-begin-prerequisites-checklist) +(#32-step-by-step-installation-using-bliman) +(#33-initial-verification-checking-your-setup) +(#4-configuring-your-beslab-instance) +4.1 Essential GitLab Configuration +(#42-setting-up-be-secure-repositories-in-gitlab) +(#43-connecting-beslighthouse-to-your-data) +Part 3: Populating and Operating Your Lab +5. 
Populating Your Lab: Onboarding Guide +(#51-managing-user-access-and-roles) +(#52-adding-projects-osspoi-for-assessment) +(#53-adding-ai-models-ossmoi-for-assessment) +(#54-integrating-security-tools-besplugins) +(#6-operating-your-beslab-workflows-in-action) +(#61-submitting-assets-for-assessment) +(#62-running-security-assessments) +(#63-generating-and-storing-reports-osars) +(#64-visualizing-results-with-beslighthouse) +(#65-tracking-vulnerabilities-ossvoi) +(#66-engagement-options-beyond-private-use) +Part 4: Defaults and Governance +(#7-getting-started-quickly-default-configurations) +7.1 Why Defaults Matter +(#72-default-assessment-environments-besenvironments) +(#73-default-assessment-workflows-besplaybooks) +(#74-recap-default-security-tools-besplugins) +(#8-reporting-and-governance-for-your-lab) +(#81-standard-assessment-reports-osar-structure) +(#82-defining-roles-and-responsibilities-raci-matrix) +8.3 Key Governance Policies to Establish +Part 5: Visual Aids and Conclusion +(#9-visualizing-the-setup) +9.1 High-Level Enterprise View +9.2 Detailed Component Layout +(#10-conclusion-and-next-steps) +(#101-summary-of-benefits) +(#102-immediate-actions-after-setup) +(#103-continuous-improvement-roadmap) +11. Works Cited + + + **Part 1: Understanding BeSLab** **1\. Introduction: Your AI Security Lab** @@ -79,7 +134,7 @@ | **Accounts** | Host OS User | User with sudo privileges | | | | GitLab Admin | Initial credentials set via genesis.yaml, change immediately | | -\*\*Table 1: Prerequisites Summary\*\* +**Table 1: Prerequisites Summary** This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` process . Using an existing GitLab instance requires significant manual configuration beyond this standard guide. 
@@ -247,7 +302,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | Node.js Express | Common web framework for Node.js | SCA (npm), SAST (JavaScript/TS) | | Internal Shared Library X | Critical internal component used by many apps | SAST, SCA, Secrets Scan | - \*\*Table 2: Example OSSPoI Candidates\*\* + **Table 2: Example OSSPoI Candidates** * **5.3 Adding AI Models (OSSMoI) for Assessment** Similar to software projects, Open Source Models of Interest (OSSMoI) need to be onboarded for tracking and security/safety assessment . @@ -263,7 +318,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance Checks | | Internally Fine-tuned Model Y | Model derived from OSSMoI, used in production | Model Scanning, Fine-tuning Data Privacy Review, Robustness Testing | - \*\*Table 3: Example OSSMoI Candidates\*\* + **Table 3: Example OSSMoI Candidates** * **5.4 Integrating Security Tools (BeSPlugins)** The actual security assessment capabilities of the BeSLab depend entirely on the integrated security tools, made available via BeSPlugins . Integrating these tools is therefore a fundamental task. @@ -291,7 +346,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application vulnerabilities via crawling/attacking. | | ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | - \*\*Table 4: Example Default BeSPlugins\*\* + **Table 4: Example Default BeSPlugins** **6\. Operating Your BeSLab: Workflows in Action** 
@@ -301,7 +356,8 @@ Successful completion of these checks indicates the core BeSLab infrastructure i * **GitLab Merge Request (MR):** Developers or other stakeholders can submit changes to the asset list file via a GitLab Merge Request. This allows Security Analysts to review and approve the submission before it's merged into the main branch, providing an approval gate. * **API Integration (Advanced):** For more sophisticated integration, scripts or internal tools could interact with the GitLab API to update the asset lists, potentially triggered by events in other systems (e.g., a new project created in an internal registry). -*Diagram Reference:* The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** (./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png). +*Diagram Reference:* The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** +![Project/Model Onboarding Flow (Git-based)](./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png) * **6.2 Running Security Assessments** Assessments are executed using the defined BeSPlaybooks, which orchestrate the use of BeSEnvironments and BeSPlugins . The separation of these components provides modularity—allowing environments to be reused across playbooks, or playbooks to run different sets of plugins—but requires careful coordination to ensure they work together correctly. 
@@ -315,7 +371,8 @@ Successful completion of these checks indicates the core BeSLab infrastructure i 3. The playbook then executes the sequence of defined BeSPlugins (security tools) within that environment, passing the target asset (e.g., code repository path, model file location) as input to each plugin. 4. The playbook collects the results from each plugin. -*Diagram Reference:* This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** (./docs/images/Diagram4AssessmentExecutionWorkflow.png). +*Diagram Reference:* This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** +![Assessment Execution Flow](./docs/images/Diagram4AssessmentExecutionWorkflow.png) * **6.3 Generating and Storing Reports (OSARs)** After the plugins within a playbook have run, the results need to be formalized into a standard report . 
@@ -334,7 +391,8 @@ Successful completion of these checks indicates the core BeSLab infrastructure i * **Visualization:** BeSLighthouse reads the OSSVoI data from the assessment results and presents aggregated views, such as counts of vulnerabilities by severity per project . * **Triage & Remediation:** Security Analysts use the OSARs and the BeSLighthouse dashboard to review new findings, validate their authenticity, prioritize them based on severity and context, assign remediation tasks (e.g., creating tickets in an issue tracker), and track the progress of fixes. -*Diagram Reference:* The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** (./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png). +*Diagram Reference:* The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** +![Vulnerability Tracking Flow (OSSVoI)](./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png) * **6.6 Engagement Options (Beyond Private Use)** While this guide focuses on a private, internal BeSLab instance functioning as an internal OSAP , the Be-Secure ecosystem allows for potential future interactions: 
@@ -359,7 +417,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | ai-model-env | Python 3.x, PyTorch/TF libs, ModelScan deps | Dedicated environment for AI model security scanning tools (e.g., ModelScan, custom checks). | | java-build-env | JDK (e.g., 11/17), Maven/Gradle, Git | Environment for building Java projects and running Java-specific SAST/SCA tools. | -\*\*Table 5: Example Default BeSEnvironments\*\* +**Table 5: Example Default BeSEnvironments** * **7.3 Default Assessment Workflows (BeSPlaybooks)** Create standard assessment workflows (playbooks) in the BeSPlaybook repository by combining the default environments and plugins for common tasks . These serve as templates that can be used directly or adapted. @@ -372,7 +430,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | ai-model-onboarding-safety | ai-model-env | ModelScan-Plugin | On New Model Onboarding | Initial safety/security checks on newly added AI models. | | dast-web-scan-basic | generic-scanner-env | OWASP-ZAP-Plugin (Baseline Scan) | Weekly / On Demand | Basic dynamic scan against a deployed web application URL (requires target URL). | -\*\*Table 6: Example Default BeSPlaybooks\*\* +**Table 6: Example Default BeSPlaybooks** * **7.4 Recap: Default Security Tools (BeSPlugins)** The default playbooks listed above would typically utilize the core set of BeSPlugins recommended earlier (refer back to **Table 4: Example Default BeSPlugins**). Ensuring these foundational plugins (e.g., Semgrep, Trivy, Bandit, Gitleaks, an AI model scanner, potentially OWASP ZAP) are integrated and functional is key to making the default playbooks operational. 
@@ -392,7 +450,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | **Detailed Findings** | A list of individual findings. Each finding should include: Unique ID, Clear Description, Assigned Severity, Current Status (New, Confirmed, Mitigated, False Positive), Location (File path, line number, component name), Evidence (Code snippet, tool output), Remediation Guidance, Associated Identifiers (CVE, CWE \- forming the OSSVoI). | Provides actionable details required by analysts and developers for validation and remediation. | | **Attestation (Optional)** | A formal statement regarding the level of assurance provided by this assessment, based on the scope and findings. May reference internal criteria like TAVOSS if applicable. | Documents the assessment outcome and the confidence level derived from the process. | -\*\*Table 7: OSAR Sample Structure\*\* +**Table 7: OSAR Sample Structure** * **8.2 Defining Roles and Responsibilities (RACI Matrix)** A RACI (Responsible, Accountable, Consulted, Informed) matrix helps clarify roles and responsibilities for various BeSLab activities, preventing confusion and ensuring tasks are owned. @@ -411,7 +469,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | Lab Maintenance & Upgrades | A | R | C | I | I | | Policy Definition (Scope, SLAs) | A | C | C | C | R | -\*\*Table 8: RACI Matrix\*\* \*(R=Responsible, A=Accountable, C=Consulted, I=Informed)\* +**Table 8: RACI Matrix** \*(R=Responsible, A=Accountable, C=Consulted, I=Informed) * **8.3 Key Governance Policies to Establish** Implementing the BeSLab technology is only part of the solution. Establishing clear governance processes and policies is crucial to ensure the lab operates effectively and contributes meaningfully to risk reduction . Without governance, scan results might be inconsistent, ignored, or overwhelming. Key areas requiring formal policies include : 
@@ -428,10 +486,13 @@ Successful completion of these checks indicates the core BeSLab infrastructure i The following diagrams, referenced by their original file names in the source documentation, provide visual context for the BeSLab architecture and workflows. While the images themselves are not embedded here, understanding their purpose can aid comprehension: -* **9.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. *(Reference Diagram 1: ./docs/images/Diagram1HighlevelEnterpriseDeployment.png)*. -* **9.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. *(Reference Diagram 2: ./docs/images/Diagram2BeSLabComponentsLayout.png)*. +* **9.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. +![High-Level Enterprise Deployment](./docs/images/Diagram1HighlevelEnterpriseDeployment.png) + +* **9.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. 
+* +![Detailed BeSLab Component Layout (Lite Mode Host)](./docs/images/Diagram2BeSLabComponentsLayout.png) -*(Note: References to Diagram 3: Project/Model Onboarding Flow, Diagram 4: Assessment Execution Flow, and Diagram 5: Vulnerability Tracking Flow were placed contextually within Section 6 where those workflows were described.)* **10\. Conclusion and Next Steps** 
@@ -461,7 +522,7 @@ By following this guide to establish the initial BeSLab instance and committing **11\. Works Cited** -Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLab -Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/BeSLighthouse -Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/ -Be-Secure/bes-schema: This repository defines the data... \- GitHub, accessed May 1, 2025, https://github.com/Be-Secure/bes-schema + 1. Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLab](https://github.com/Be-Secure/BeSLab) + 2. Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLighthouse](https://github.com/Be-Secure/BeSLighthouse) + 3. Wipro's Open Source Security Solution for Enhanced Cybersecurity, accessed May 1, 2025, [https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/](https://www.wipro.com/cybersecurity/o31e-wipros-open-source-security-program-a-key-initiative-to-enhancing-cybersecurity-with-open-source/) + 4. 
Be-Secure/bes-schema: This repository defines the data ... \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/bes-schema](https://github.com/Be-Secure/bes-schema) From fbc1557305b86e7a246f5c8c2a82cb4752ae1901 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 20:13:09 +0530 Subject: [PATCH 16/30] Update AISecurityLabSetupGuide.md Fixing ToC --- AISecurityLabSetupGuide.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 063e963..294b982 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md @@ -2,8 +2,9 @@ **Table of Contents** [Part 1: Understanding BeSLab](#part-1-understanding-beslab) -(#1-introduction-your-ai-security-lab) -(#11-what-is-beslab-and-why-use-it) + +[1.Introduction: Your AI Security Lab ](#1-introduction-your-ai-security-lab) +[1.1 What is BeSLab and Why Use It](#11-what-is-beslab-and-why-use-it) (#12-the-be-secure-philosophy-beyond-a-single-tool) (#13-value-for-the-ciso-and-security-teams) (#14-scope-of-this-guide) From 6a4f357744bec4eaada3e6e2fde8f0ce15a67fd2 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 20:15:30 +0530 Subject: [PATCH 17/30] Update AISecurityLabSetupGuide.md Fixing ToC --- AISecurityLabSetupGuide.md | 66 +++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 294b982..e4363dc 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md 
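Review bot: most entries in the new Table of Contents hunk are bare `(#slug)` strings with no `[text]` part, and a few (`4.1 Essential GitLab Configuration`, `Part 3: Populating and Operating Your Lab`, `5. Populating Your Lab: Onboarding Guide`, `7.1 Why Defaults Matter`, `8.3 Key Governance Policies to Establish`, `9.1 High-Level Enterprise View`, `9.2 Detailed Component Layout`, `11. Works Cited`) are plain text, so Markdown renders them as literal lines rather than links; every entry needs the `[Title](#slug)` form used for `[Part 1: Understanding BeSLab](#part-1-understanding-beslab)`, and the Part 2 entry should carry the title rather than the slug as its link text. Also, the targets the slugs point at are bold paragraphs in the body (`**Part 1: Understanding BeSLab**`, `**1\. Introduction: Your AI Security Lab**`), and renderers such as GitLab's only generate anchors for `#` headings, so even well-formed links will be dead until those titles become headings.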
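Review bot: in the 6.1 hunk the rewritten `*Diagram Reference:*` sentence now ends on the bold diagram title with no terminal punctuation, because the old `(./docs/images/...)` parenthetical that carried the full stop was dropped; the same applies to the 6.2 (Diagram 4) and 6.5 (Diagram 5) hunks. Suggest ending each sentence with a period or colon before the `![...]` image line, e.g. `... **Diagram 3: Project/Model Onboarding Flow**:`.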
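Review bot: the Table 8 hunk drops the closing `\*` but keeps the opening one, so the replacement line `**Table 8: RACI Matrix** \*(R=Responsible, A=Accountable, C=Consulted, I=Informed)` will render a stray literal asterisk before the legend. Either remove the leading `\*` as well or use unescaped `*(...)*` to italicise the legend, matching how the table captions in the other hunks were unescaped to `**Table N: ...**`.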
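Review bot: the Section 9 hunk leaves an empty bullet (`* `) between the 9.2 item and its image line, which renders as a blank list item; delete it. The unchanged intro sentence in the same hunk, "While the images themselves are not embedded here, understanding their purpose can aid comprehension:", is now contradicted by the `![...]` embeds added directly below it and by the removal of the "referenced by their original file names" note, so it should be reworded to say the diagrams are shown below.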
@@ -5,40 +5,40 @@ [1.Introduction: Your AI Security Lab ](#1-introduction-your-ai-security-lab) [1.1 What is BeSLab and Why Use It](#11-what-is-beslab-and-why-use-it) -(#12-the-be-secure-philosophy-beyond-a-single-tool) -(#13-value-for-the-ciso-and-security-teams) -(#14-scope-of-this-guide) -(#2-how-beslab-works-architecture-and-concepts) -(#21-the-blueprint-explained-core-components) -(#22-the-gitops-foundation) -(#23-key-terms-you-need-to-know) +[](#12-the-be-secure-philosophy-beyond-a-single-tool) +[](#13-value-for-the-ciso-and-security-teams) +[](#14-scope-of-this-guide) +[](#2-how-beslab-works-architecture-and-concepts) +[](#21-the-blueprint-explained-core-components) +[](#22-the-gitops-foundation) +[](#23-key-terms-you-need-to-know) [Part 2: setting-up-and-configuring-your-lab](#part-2-setting-up-and-configuring-your-lab) -(#3-setting-up-your-private-beslab-lite-mode) -(#31-before-you-begin-prerequisites-checklist) -(#32-step-by-step-installation-using-bliman) -(#33-initial-verification-checking-your-setup) -(#4-configuring-your-beslab-instance) -4.1 Essential GitLab Configuration -(#42-setting-up-be-secure-repositories-in-gitlab) -(#43-connecting-beslighthouse-to-your-data) -Part 3: Populating and Operating Your Lab -5. 
Populating Your Lab: Onboarding Guide -(#51-managing-user-access-and-roles) -(#52-adding-projects-osspoi-for-assessment) -(#53-adding-ai-models-ossmoi-for-assessment) -(#54-integrating-security-tools-besplugins) -(#6-operating-your-beslab-workflows-in-action) -(#61-submitting-assets-for-assessment) -(#62-running-security-assessments) -(#63-generating-and-storing-reports-osars) -(#64-visualizing-results-with-beslighthouse) -(#65-tracking-vulnerabilities-ossvoi) -(#66-engagement-options-beyond-private-use) -Part 4: Defaults and Governance -(#7-getting-started-quickly-default-configurations) -7.1 Why Defaults Matter -(#72-default-assessment-environments-besenvironments) -(#73-default-assessment-workflows-besplaybooks) +[](#3-setting-up-your-private-beslab-lite-mode) +[](#31-before-you-begin-prerequisites-checklist) +[](#32-step-by-step-installation-using-bliman) +[](#33-initial-verification-checking-your-setup) +[](#4-configuring-your-beslab-instance) +[]4.1 Essential GitLab Configuration +[](#42-setting-up-be-secure-repositories-in-gitlab) +[](#43-connecting-beslighthouse-to-your-data) +[Part 3: Populating and Operating Your Lab] +[5. 
Populating Your Lab: Onboarding Guide] +[](#51-managing-user-access-and-roles) +[](#52-adding-projects-osspoi-for-assessment) +[](#53-adding-ai-models-ossmoi-for-assessment) +[](#54-integrating-security-tools-besplugins) +[](#6-operating-your-beslab-workflows-in-action) +[](#61-submitting-assets-for-assessment) +[](#62-running-security-assessments) +[](#63-generating-and-storing-reports-osars) +[](#64-visualizing-results-with-beslighthouse) +[](#65-tracking-vulnerabilities-ossvoi) +[](#66-engagement-options-beyond-private-use) +[Part 4: Defaults and Governance] +[](#7-getting-started-quickly-default-configurations) +[]7.1 Why Defaults Matter +[](#72-default-assessment-environments-besenvironments) +[](#73-default-assessment-workflows-besplaybooks) (#74-recap-default-security-tools-besplugins) (#8-reporting-and-governance-for-your-lab) (#81-standard-assessment-reports-osar-structure) From 6438fd31d0a43505151fbf49fcd3d874afd1917b Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 20:16:38 +0530 Subject: [PATCH 18/30] Update AISecurityLabSetupGuide.md Fixing ToC --- AISecurityLabSetupGuide.md | 50 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index e4363dc..44d289f 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md 
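Review bot: the `[](#slug)` entries added in this hunk have empty link text, so they render as invisible links and the table of contents will appear blank for those sections; the bracketed entries without a target (`[Part 3: Populating and Operating Your Lab]`, `[5. Populating Your Lab: Onboarding Guide]`, `[Part 4: Defaults and Governance]`) and the `[]4.1 Essential GitLab Configuration` / `[]7.1 Why Defaults Matter` lines render as literal text with the brackets shown. Each entry should be `[Section title](#slug)`, as already done for `[1.1 What is BeSLab and Why Use It](#11-what-is-beslab-and-why-use-it)`.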
@@ -1,60 +1,106 @@ # **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** **Table of Contents** + [Part 1: Understanding BeSLab](#part-1-understanding-beslab) [1.Introduction: Your AI Security Lab ](#1-introduction-your-ai-security-lab) + [1.1 What is BeSLab and Why Use It](#11-what-is-beslab-and-why-use-it) + [](#12-the-be-secure-philosophy-beyond-a-single-tool) + [](#13-value-for-the-ciso-and-security-teams) + [](#14-scope-of-this-guide) + [](#2-how-beslab-works-architecture-and-concepts) + [](#21-the-blueprint-explained-core-components) + [](#22-the-gitops-foundation) + [](#23-key-terms-you-need-to-know) + [Part 2: setting-up-and-configuring-your-lab](#part-2-setting-up-and-configuring-your-lab) + [](#3-setting-up-your-private-beslab-lite-mode) + [](#31-before-you-begin-prerequisites-checklist) + [](#32-step-by-step-installation-using-bliman) + [](#33-initial-verification-checking-your-setup) + [](#4-configuring-your-beslab-instance) + []4.1 Essential GitLab Configuration + [](#42-setting-up-be-secure-repositories-in-gitlab) + [](#43-connecting-beslighthouse-to-your-data) + [Part 3: Populating and Operating Your Lab] + [5. 
Populating Your Lab: Onboarding Guide] + [](#51-managing-user-access-and-roles) + [](#52-adding-projects-osspoi-for-assessment) + [](#53-adding-ai-models-ossmoi-for-assessment) + [](#54-integrating-security-tools-besplugins) + [](#6-operating-your-beslab-workflows-in-action) + [](#61-submitting-assets-for-assessment) + [](#62-running-security-assessments) + [](#63-generating-and-storing-reports-osars) + [](#64-visualizing-results-with-beslighthouse) + [](#65-tracking-vulnerabilities-ossvoi) + [](#66-engagement-options-beyond-private-use) + [Part 4: Defaults and Governance] + [](#7-getting-started-quickly-default-configurations) + []7.1 Why Defaults Matter + [](#72-default-assessment-environments-besenvironments) + [](#73-default-assessment-workflows-besplaybooks) + (#74-recap-default-security-tools-besplugins) + (#8-reporting-and-governance-for-your-lab) + (#81-standard-assessment-reports-osar-structure) + (#82-defining-roles-and-responsibilities-raci-matrix) + 8.3 Key Governance Policies to Establish + Part 5: Visual Aids and Conclusion + (#9-visualizing-the-setup) + 9.1 High-Level Enterprise View + 9.2 Detailed Component Layout (#10-conclusion-and-next-steps) + (#101-summary-of-benefits) + (#102-immediate-actions-after-setup) (#103-continuous-improvement-roadmap) -11. Works Cited - +11. Works Cited **Part 1: Understanding BeSLab** From e5543b908ee586e4b392a229e5eaa9e15b1ee777 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 20:37:20 +0530 Subject: [PATCH 19/30] Update AISecurityLabSetupGuide.md --- AISecurityLabSetupGuide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 44d289f..afd4d5a 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md 
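Review bot: in the PATCH 18 ToC hunk (`@@ -1,60 +1,106 @@`) most of the added entries have empty link text, e.g. `+[](#12-the-be-secure-philosophy-beyond-a-single-tool)`, which renders as an invisible link, and several are not links at all: `+[]7.1 Why Defaults Matter` and `+(#74-recap-default-security-tools-besplugins)` lack either the text or the target, and `+[Part 3: Populating and Operating Your Lab]` has no target. Each entry should carry the section title as text and the auto-generated anchor as target, e.g. `[1.2 The Be-Secure Philosophy: Beyond a Single Tool](#12-the-be-secure-philosophy-beyond-a-single-tool)`, and `[Part 2: setting-up-and-configuring-your-lab](...)` should use the title rather than the slug as its text.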
@@ -1,4 +1,4 @@ -# **User Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** +# **Setup Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** **Table of Contents** @@ -8,7 +8,7 @@ [1.1 What is BeSLab and Why Use It](#11-what-is-beslab-and-why-use-it) -[](#12-the-be-secure-philosophy-beyond-a-single-tool) +[1.2 The Be-Secure Philosophy: Beyond a Single Tool](#12-the-be-secure-philosophy-beyond-a-single-tool) [](#13-value-for-the-ciso-and-security-teams) From b191590c08479b5b73e76d0e3a47b24060de71dd Mon Sep 17 00:00:00 2001 From: ANIL SINGLA Date: Thu, 1 May 2025 21:10:32 +0530 Subject: [PATCH 20/30] Update besman-gitlab.sh to set port set port in gitlab.rb --- src/besman-gitlab.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/besman-gitlab.sh b/src/besman-gitlab.sh index 1753cce..f41c5c3 100755 --- a/src/besman-gitlab.sh +++ b/src/besman-gitlab.sh @@ -185,9 +185,11 @@ function __besman_install_gitlab() __besman_echo_white "Updating gitlab domain and port ..." if [ ! -z $BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT ];then - sed -i "/^external_url/c external_url '$gitlabURL':$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT" /etc/gitlab/gitlab.rb 2>&1 | __beslab_log + sed -i "/^external_url/c external_url '$gitlabURL:$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT'" /etc/gitlab/gitlab.rb 2>&1 | __beslab_log + echo "external_url $gitlabURL:$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT" else sed -i "/^external_url/c external_url '$gitlabURL'" /etc/gitlab/gitlab.rb 2>&1 | __beslab_log + echo "external_url $gitlabURL" fi sudo gitlab-ctl reconfigure 2>&1| __beslab_log From 6a94ab4113f999006d8b6958c323931fb4b8786a Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 22:07:26 +0530 Subject: [PATCH 21/30] Update AISecurityLabSetupGuide.md Fixing ToC --- AISecurityLabSetupGuide.md | 79 +++++++++++++++----------------------- 1 file changed, 31 insertions(+), 48 deletions(-) 
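Review bot: the `@@ -8,7 +8,7 @@` hunk in PATCH 19 restores link text for entry 1.2 only; the context line directly below it, `[](#13-value-for-the-ciso-and-security-teams)`, and the rest of the `[](#...)` entries keep empty text, so the ToC is left half-fixed. Fill in every entry in one commit rather than one entry per patch, and note the title rename (`User Guide` to `Setup Guide`) is unrelated to the ToC and would be cleaner as its own commit.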
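Review bot: in the `@@ -185,9 +185,11 @@` hunk of src/besman-gitlab.sh (PATCH 20), the two added `echo "external_url ..."` lines write to stdout while every neighbouring command is piped through `__beslab_log`; route them through the same logger (or `__besman_echo_white`) so the effective URL lands in the log next to the `gitlab-ctl reconfigure` output. The surrounding test `if [ ! -z $BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT ]` leaves the variable unquoted and does not check that it is numeric, so a value such as `8080/` or a stray space is written straight into `external_url` and `gitlab-ctl reconfigure` then runs against a malformed URL; `if [ -n "$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT" ]` plus a `case ... *[!0-9]*)` rejection would catch that before the `sed -i`. Moving `:$BESLAB_PRIVATE_LAB_CODECOLLAB_TOOL_PORT` inside the single quotes is the right fix for the `sed` line itself.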
diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index afd4d5a..bc3f9d0 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md 
@@ -1,44 +1,27 @@ # **Setup Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** **Table of Contents** - -[Part 1: Understanding BeSLab](#part-1-understanding-beslab) - -[1.Introduction: Your AI Security Lab ](#1-introduction-your-ai-security-lab) - -[1.1 What is BeSLab and Why Use It](#11-what-is-beslab-and-why-use-it) - -[1.2 The Be-Secure Philosophy: Beyond a Single Tool](#12-the-be-secure-philosophy-beyond-a-single-tool) - -[](#13-value-for-the-ciso-and-security-teams) - -[](#14-scope-of-this-guide) - -[](#2-how-beslab-works-architecture-and-concepts) - -[](#21-the-blueprint-explained-core-components) - -[](#22-the-gitops-foundation) - -[](#23-key-terms-you-need-to-know) - -[Part 2: setting-up-and-configuring-your-lab](#part-2-setting-up-and-configuring-your-lab) - -[](#3-setting-up-your-private-beslab-lite-mode) - -[](#31-before-you-begin-prerequisites-checklist) - -[](#32-step-by-step-installation-using-bliman) - -[](#33-initial-verification-checking-your-setup) - -[](#4-configuring-your-beslab-instance) - -[]4.1 Essential GitLab Configuration - -[](#42-setting-up-be-secure-repositories-in-gitlab) - -[](#43-connecting-beslighthouse-to-your-data) +-[Part 1: Understanding BeSLab](#part-1) + -[1.1Introduction: Your AI Security Lab ](#1) + -[1.1.1 What is BeSLab and Why Use It](#1.1.1) + -[1.2.1 The Be-Secure Philosophy: Beyond a Single Tool](#1.1.2) + -[1.3.1 Value for the CISO and Security Team](#1.1.3) + -[1.4.1 Scope of this guide](#1.1.4) + -[1.2.How BeSLab works Architecture and Concepts ](#1.2) + -[1.2.11-introduction-your-ai-security-lab)](#1.2.1) + -[1.2.2 The gitops](#1.2.2) + -[1.2.3 Key terms you need to know](#1.2.3) +-[Part 2: setting-up-and-configuring-your-lab](#part-2) + -[2.1.1 Setting up your private BeSLab in Lite Mode](#2.1.1) + -[2.1.2 before-you-begin-prerequisites-checklist](#2.1.2) + -[2.1.3 step-by-step-installation-using-bliman](#2.1.3) + -[2.1.4 initial-verification-checking-your-setup](#2.1.4) + 
-[2.2 configuring-your-beslab-instance](#2.2) + -[2.2.1 Essential GitLab Configuration](#2.2.1) + +[2.2.2](#42-setting-up-be-secure-repositories-in-gitlab) + +[2.2.3](#43-connecting-beslighthouse-to-your-data) [Part 3: Populating and Operating Your Lab] 
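Review bot: the rewritten ToC in `@@ -1,44 +1,27 @@` (PATCH 21) points at anchors that neither GitLab nor GitHub will generate: `#part-1`, `#1.1.1`, `#2.2` and similar. Renderers derive the anchor from the heading text (lower-cased, punctuation removed, spaces to hyphens), so `## **Part 1: Understanding BeSLab**` yields `#part-1-understanding-beslab` and `#### **1.1 What is BeSLab and Why Use It?**` yields `#11-what-is-beslab-and-why-use-it`, which is exactly the form the removed lines used; dotted targets resolve to nothing. The new entries also drop the space after the list dash (`-[Part 1: ...]`), so they render as literal text rather than list items, and the numbering in the text does not match the target (`-[1.2.1 The Be-Secure Philosophy: Beyond a Single Tool](#1.1.2)`, `-[1.2.11-introduction-your-ai-security-lab)](#1.2.1)`). Suggest settling the numbering in the body first and regenerating the ToC from the final headings.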
@@ -100,31 +83,31 @@ Part 5: Visual Aids and Conclusion (#102-immediate-actions-after-setup) (#103-continuous-improvement-roadmap) -11. Works Cited +-[11. Works Cited](#11) -**Part 1: Understanding BeSLab** +## **Part 1: Understanding BeSLab** -**1\. Introduction: Your AI Security Lab** +### **1\. Introduction: Your AI Security Lab** -* **1.1 What is BeSLab and Why Use It?** +#### **1.1 What is BeSLab and Why Use It?** In today's digital world, organizations heavily rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models. While these components accelerate innovation, they also introduce security risks from potential vulnerabilities within them and the unique ways AI models can be attacked. Effectively managing these risks demands a structured and proactive strategy. Establishing a dedicated AI Security Lab, based on the BeSLab blueprint, provides an organization's security team (specifically the CISO's office) with the necessary *internal* capability. It allows the organization to systematically check, track, and reduce the security risks tied to the OSS and AI components it uses or considers using . This focus on building internal capacity is central; BeSLab facilitates the development of in-house expertise and provides direct control over the security assurance process for these critical third-party assets, moving beyond reliance on external assessments or inconsistent manual reviews. -* **1.2 The Be-Secure Philosophy: Beyond a Single Tool** +#### **1.2 The Be-Secure Philosophy: Beyond a Single Tool** The Be-Secure initiative aims to help organizations and the wider community strengthen open source artifacts—software, ML models, and datasets—against vulnerabilities . The BeSLab blueprint stems from this goal, offering a design for an open-source security lab. It is crucial to understand that BeSLab is not a single software product that can be installed with one click. 
Instead, it is a *blueprint* or an *architectural pattern* . Think of it as a template defining how various tools and processes work together to create a comprehensive security assessment environment . This approach provides significant flexibility, allowing organizations to tailor the lab's capabilities. However, it also means that implementation involves assembling and integrating these components according to the blueprint's design, rather than installing a monolithic application. The core objective is to give application security and security operations teams full control and transparency over how these critical components are assessed . -* **1.3 Value for the CISO and Security Teams** +#### **1.3 Value for the CISO and Security Teams** Implementing a BeSLab instance based on this blueprint delivers clear advantages for the CISO's organization and security teams : * **Standardized Assurance:** Creates consistent and repeatable processes for security assessments of both OSS projects and AI models. * **Centralized Visibility:** Offers a unified view through the BeSLighthouse dashboard, tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and related Vulnerabilities of Interest (OSSVoI) . * **Reduced Risk Exposure:** Enables proactive identification and facilitates the fixing of vulnerabilities in essential software and models before attackers can exploit them. * **Cost Efficiency:** Can lower the overall cost of risk assessment compared to frequent external security engagements or time-consuming manual reviews, especially as the number of tracked assets increases . * **Internal Attestation:** Allows the organization to generate internal trust marks, such as a "Trusted and Verified Open Source Software" (TAVOSS) designation, for components that pass the lab's defined security checks . 
This TAVOSS status serves as a tangible outcome, providing a standardized way to communicate assurance levels internally and build confidence in the security posture of approved components . -* **1.4 Scope of This Guide** +#### **1.4 Scope of This Guide** This document serves as a comprehensive user guide focused specifically on setting up, configuring, and operating a *private* AI Security Lab using the BeSLab blueprint within an enterprise setting. It details the *'Lite Mode'* deployment, which consolidates essential components onto a single host machine, and covers integration with GitLab Community Edition (CE) as the code collaboration platform . The guide walks through the entire lifecycle: understanding the architecture, meeting prerequisites, installation steps, onboarding users, projects, models, and tools, defining operational workflows for security assessments, generating reports (OSARs), establishing governance (RACI), and configuring default components. -**2\. How BeSLab Works: Architecture and Concepts** +## **2\. How BeSLab Works: Architecture and Concepts** -* **2.1 The Blueprint Explained: Core Components** +### **2.1 The Blueprint Explained: Core Components** The BeSLab architecture, being a blueprint, defines how various components interact to form a working security lab . It integrates existing open-source tools with specific Be-Secure utilities and data structures to build a cohesive system for security assessment . A typical private BeSLab instance deployed in Lite Mode, as covered in this guide, includes these core parts : * **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the central nervous system of the BeSLab instance. It hosts the critical datastore repositories containing configurations, definitions of assets (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and the assessment results (OSARs) . 
Using GitLab CE provides a powerful, self-hosted platform supporting version control, collaboration, and potential CI/CD integration for automating assessment workflows. * **Datastore Repositories:** These are specific Git repositories within the SCM platform designated for storing different types of lab data. Common examples include : 
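Review bot: in `@@ -100,31 +83,31 @@` the heading levels are inconsistent: `## **Part 1: Understanding BeSLab**` is followed by `### **1\. Introduction...**` and `#### **1.1 ...**`, but the next section is promoted to `## **2\. How BeSLab Works...**` with `### **2.1 ...**`, which makes section 2 a sibling of Part 1 rather than of section 1. Use `### **2\. ...**` / `#### **2.1 ...**` so the rendered outline matches the ToC nesting. The `\.` in `1\.` and `2\.` is an export artefact; inside a heading a plain `1.` needs no escaping and produces a cleaner auto-anchor.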
@@ -138,7 +121,7 @@ Part 5: Visual Aids and Conclusion * **BeSEnvironment:** Represents a specific computing setup (often a container image or defined by setup scripts) containing the necessary tools, libraries, and dependencies to run a particular set of security assessments . These ensure assessments are consistent and repeatable. They are defined in the BeSEnvironment repository and managed by BeSman . * **BeSPlaybook:** An automated script or workflow designed to orchestrate specific security assessment tasks . A playbook typically specifies which BeSEnvironment to use and which BeSPlugins (security tools) to run in sequence, along with configuration and data handling steps. Playbooks codify the assessment process for different asset types or security checks (e.g., SAST scan for Python code, AI model safety check). * **BeSPlugin:** Represents an integration wrapper around a specific security tool (e.g., a SAST scanner like Semgrep, an SCA tool like Trivy, a secrets detector like Gitleaks, or an AI model analyzer) . These plugins are the "workhorses" that perform the actual security scans. They are called by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of integrated BeSPlugins. The framework is extensible, allowing new tools to be added as plugins over time . -* **2.2 The GitOps Foundation** +### **2.2 The GitOps Foundation** A fundamental aspect of the BeSLab architecture is its reliance on a GitOps workflow for managing the lab itself . This means that nearly all configurations, operational state definitions, asset lists, assessment playbooks, environment definitions, and even assessment results (OSARs) reside within Git repositories hosted on the SCM platform (like GitLab CE) . 
Changes to the lab's setup—adding a new project to track, modifying an assessment playbook, updating an environment, or configuring a tool—are managed through standard Git operations: making changes, committing them with descriptive messages, and pushing them to the central repository. This approach offers significant advantages for managing the security lab infrastructure: * **Auditability:** Every change is recorded in the Git history, providing a clear audit trail of who changed what and when. From eab6be9053b4bd02f1810d265de8fee3b50284b9 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 22:14:39 +0530 Subject: [PATCH 22/30] Update AISecurityLabSetupGuide.md Fixing ToC --- AISecurityLabSetupGuide.md | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index bc3f9d0..409b6db 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md @@ -2,8 +2,11 @@ **Table of Contents** -[Part 1: Understanding BeSLab](#part-1) + -[1.1Introduction: Your AI Security Lab ](#1) + -[1.1.1 What is BeSLab and Why Use It](#1.1.1) + -[1.2.1 The Be-Secure Philosophy: Beyond a Single Tool](#1.1.2) -[1.3.1 Value for the CISO and Security Team](#1.1.3) -[1.4.1 Scope of this guide](#1.1.4) 
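Review bot: `@@ -138,7 +121,7 @@` (PATCH 21) promotes `2.2 The GitOps Foundation` from a bullet to `###`, but the sibling `* **2.3 Key Terms You Need to Know**` is left as a bullet (it is still `-* **2.3 ...` when PATCH 22 touches it), so for this commit the section has one real heading and one bold bullet at the same level. Promote 2.1, 2.2 and 2.3 together in one hunk so the outline is never half-converted.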
@@ -85,29 +88,29 @@ Part 5: Visual Aids and Conclusion -[11. Works Cited](#11) -## **Part 1: Understanding BeSLab** +## **Part 1: Understanding BeSLab** -### **1\. Introduction: Your AI Security Lab** +### **1\. Introduction: Your AI Security Lab** -#### **1.1 What is BeSLab and Why Use It?** +#### **1.1.1 What is BeSLab and Why Use It?** In today's digital world, organizations heavily rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models. While these components accelerate innovation, they also introduce security risks from potential vulnerabilities within them and the unique ways AI models can be attacked. Effectively managing these risks demands a structured and proactive strategy. Establishing a dedicated AI Security Lab, based on the BeSLab blueprint, provides an organization's security team (specifically the CISO's office) with the necessary *internal* capability. It allows the organization to systematically check, track, and reduce the security risks tied to the OSS and AI components it uses or considers using . This focus on building internal capacity is central; BeSLab facilitates the development of in-house expertise and provides direct control over the security assurance process for these critical third-party assets, moving beyond reliance on external assessments or inconsistent manual reviews. -#### **1.2 The Be-Secure Philosophy: Beyond a Single Tool** +#### **1.1.2 The Be-Secure Philosophy: Beyond a Single Tool** The Be-Secure initiative aims to help organizations and the wider community strengthen open source artifacts—software, ML models, and datasets—against vulnerabilities . The BeSLab blueprint stems from this goal, offering a design for an open-source security lab. It is crucial to understand that BeSLab is not a single software product that can be installed with one click. Instead, it is a *blueprint* or an *architectural pattern* . 
Think of it as a template defining how various tools and processes work together to create a comprehensive security assessment environment . This approach provides significant flexibility, allowing organizations to tailor the lab's capabilities. However, it also means that implementation involves assembling and integrating these components according to the blueprint's design, rather than installing a monolithic application. The core objective is to give application security and security operations teams full control and transparency over how these critical components are assessed . -#### **1.3 Value for the CISO and Security Teams** +#### **1.1.3 Value for the CISO and Security Teams** Implementing a BeSLab instance based on this blueprint delivers clear advantages for the CISO's organization and security teams : * **Standardized Assurance:** Creates consistent and repeatable processes for security assessments of both OSS projects and AI models. * **Centralized Visibility:** Offers a unified view through the BeSLighthouse dashboard, tracking Projects of Interest (OSSPoI), Models of Interest (OSSMoI), and related Vulnerabilities of Interest (OSSVoI) . * **Reduced Risk Exposure:** Enables proactive identification and facilitates the fixing of vulnerabilities in essential software and models before attackers can exploit them. * **Cost Efficiency:** Can lower the overall cost of risk assessment compared to frequent external security engagements or time-consuming manual reviews, especially as the number of tracked assets increases . * **Internal Attestation:** Allows the organization to generate internal trust marks, such as a "Trusted and Verified Open Source Software" (TAVOSS) designation, for components that pass the lab's defined security checks . This TAVOSS status serves as a tangible outcome, providing a standardized way to communicate assurance levels internally and build confidence in the security posture of approved components . 
-#### **1.4 Scope of This Guide** +#### **1.1.4 Scope of This Guide** This document serves as a comprehensive user guide focused specifically on setting up, configuring, and operating a *private* AI Security Lab using the BeSLab blueprint within an enterprise setting. It details the *'Lite Mode'* deployment, which consolidates essential components onto a single host machine, and covers integration with GitLab Community Edition (CE) as the code collaboration platform . The guide walks through the entire lifecycle: understanding the architecture, meeting prerequisites, installation steps, onboarding users, projects, models, and tools, defining operational workflows for security assessments, generating reports (OSARs), establishing governance (RACI), and configuring default components. -## **2\. How BeSLab Works: Architecture and Concepts** +## **1.2\. How BeSLab Works: Architecture and Concepts** -### **2.1 The Blueprint Explained: Core Components** +### **1.2.1 The Blueprint Explained: Core Components** The BeSLab architecture, being a blueprint, defines how various components interact to form a working security lab . It integrates existing open-source tools with specific Be-Secure utilities and data structures to build a cohesive system for security assessment . A typical private BeSLab instance deployed in Lite Mode, as covered in this guide, includes these core parts : * **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the central nervous system of the BeSLab instance. It hosts the critical datastore repositories containing configurations, definitions of assets (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and the assessment results (OSARs) . Using GitLab CE provides a powerful, self-hosted platform supporting version control, collaboration, and potential CI/CD integration for automating assessment workflows. 
* **Datastore Repositories:** These are specific Git repositories within the SCM platform designated for storing different types of lab data. Common examples include : 
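Review bot: the renumbering in `@@ -85,29 +88,29 @@` (PATCH 22) changes `1.1 What is BeSLab` to `1.1.1 What is BeSLab` and `2\. How BeSLab Works` to `1.2\. How BeSLab Works`, so the introduction (`1\.`) now has children `1.1.1` to `1.1.4` with no `1.1` parent, while `1.2` is numbered as a child of 1 but styled `##`, one level above its parent `### **1\. Introduction...**`. Either rename the introduction `1.1` and keep both `1.1` and `1.2` at the same heading level, or return to the flat `1`, `2` numbering. The heading `## **1.2\. How BeSLab Works...**` also generates the anchor `#12-how-beslab-works-architecture-and-concepts`, not the `#1.2` used in the ToC.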
@@ -121,7 +124,7 @@ Part 5: Visual Aids and Conclusion * **BeSEnvironment:** Represents a specific computing setup (often a container image or defined by setup scripts) containing the necessary tools, libraries, and dependencies to run a particular set of security assessments . These ensure assessments are consistent and repeatable. They are defined in the BeSEnvironment repository and managed by BeSman . * **BeSPlaybook:** An automated script or workflow designed to orchestrate specific security assessment tasks . A playbook typically specifies which BeSEnvironment to use and which BeSPlugins (security tools) to run in sequence, along with configuration and data handling steps. Playbooks codify the assessment process for different asset types or security checks (e.g., SAST scan for Python code, AI model safety check). * **BeSPlugin:** Represents an integration wrapper around a specific security tool (e.g., a SAST scanner like Semgrep, an SCA tool like Trivy, a secrets detector like Gitleaks, or an AI model analyzer) . These plugins are the "workhorses" that perform the actual security scans. They are called by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of integrated BeSPlugins. The framework is extensible, allowing new tools to be added as plugins over time . -### **2.2 The GitOps Foundation** +### **1.2.2 The GitOps Foundation** A fundamental aspect of the BeSLab architecture is its reliance on a GitOps workflow for managing the lab itself . This means that nearly all configurations, operational state definitions, asset lists, assessment playbooks, environment definitions, and even assessment results (OSARs) reside within Git repositories hosted on the SCM platform (like GitLab CE) . 
Changes to the lab's setup—adding a new project to track, modifying an assessment playbook, updating an environment, or configuring a tool—are managed through standard Git operations: making changes, committing them with descriptive messages, and pushing them to the central repository. This approach offers significant advantages for managing the security lab infrastructure: * **Auditability:** Every change is recorded in the Git history, providing a clear audit trail of who changed what and when. 
@@ -129,19 +132,19 @@ Part 5: Visual Aids and Conclusion * **Reproducibility:** The entire lab configuration is defined in code, making it easier to replicate the setup or recover from failures. * **Collaboration:** Multiple team members can collaborate on managing the lab's configuration using familiar Git workflows. * **Infrastructure-as-Code:** It treats the lab's configuration and operational definitions as code, promoting discipline, automation potential, and reliability in its management. BeSLighthouse reading directly from these repositories further reinforces this model, ensuring the dashboard always reflects the state defined in Git . -* **2.3 Key Terms You Need to Know** +### **1.2.3 Key Terms You Need to Know** Understanding this terminology is essential for working with BeSLab : * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects your organization uses or depends on, which are onboarded into the lab for security assessment and monitoring. * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by your organization, onboarded for security and safety assessments. - * **OSSVoI (Open Source Vulnerabilities of Interest):** The specific vulnerabilities (often identified by CVEs or similar IDs) discovered within the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities . + * **OSSVoI (Open Source Vulnerabilities of Interest):** The specific vulnerabilities (often identified by CVEs or similar IDs) di3scovered within the tracked OSSPoI and OSSMoI. The lab focuses on tracking and managing these relevant vulnerabilities . * **OSAR (Open Source Assessment Report):** The standardized report generated after a BeSPlaybook completes an assessment run . It details the scope, methods, findings (including OSSVoI), risk posture, and potentially remediation advice. OSARs should ideally follow the BeS Schema for consistency . 
* **TAVOSS (Trusted and Verified Open Source Software):** An internal designation indicating that an OSS project or AI model has passed a defined assessment process within your BeSLab instance and meets your organization's security criteria . Achieving TAVOSS status signifies a higher level of confidence based on the internal assessment . The lab facilitates identifying or distributing these TAVOSS-approved versions internally . * **OSAP (Open Source Assurance Provider):** Each BeSLab instance acts as an OSAP . In the context of this guide (a private lab), your organization functions as its own internal OSAP, providing assurance for the assets it monitors. * **BeS Schema / Exchange Schema:** A standardized data format defined by Be-Secure to enable consistent exchange of information about assets, vulnerabilities, and assessments between BeSLab components and potentially other systems or labs . Adhering to this schema, even in a private deployment, promotes interoperability, allows consistent data processing and visualization (e.g., by BeSLighthouse), simplifies tool development, and ensures reports (OSARs) have a uniform structure, making the lab's data more valuable and future-proof . -**Part 2: Setting Up and Configuring Your Lab** +### **Part 2: Setting Up and Configuring Your Lab** -**3\. Setting Up Your Private BeSLab (Lite Mode)** +### **Part 1: Understanding BeSLab** From 79cb225285956ecf1848d0aef9a3296ae18cd444 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 22:38:54 +0530 Subject: [PATCH 24/30] Update AISecurityLabSetupGuide.md Fixing ToC --- AISecurityLabSetupGuide.md | 70 +++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index b0a1a95..84c3a64 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md 
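Review bot: `@@ -129,19 +132,19 @@` (PATCH 22) introduces a typo in a line it otherwise leaves unchanged: `discovered within the tracked OSSPoI` becomes `di3scovered within the tracked OSSPoI`. More seriously, the last pair replaces `-**3\. Setting Up Your Private BeSLab (Lite Mode)**` with `+### **Part 1: Understanding BeSLab**`, which deletes the heading for section 3 and duplicates the Part 1 heading at the start of Part 2; it should read `### **3\. Setting Up Your Private BeSLab (Lite Mode)**` (or its renumbered equivalent). `Part 2` is also demoted to `###` while `Part 1` stays `##`.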
@@ -16,7 +16,7 @@ -[1.2.How BeSLab works Architecture and Concepts ](#1.2) - -[1.2.11-introduction-your-ai-security-lab)](#1.2.1) + -[1.2.1-introduction-your-ai-security-lab)](#1.2.1) -[1.2.2 The gitops](#1.2.2) 
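Review bot: `@@ -16,7 +16,7 @@` (PATCH 24) changes `1.2.11-introduction-your-ai-security-lab)` to `1.2.1-introduction-your-ai-security-lab)` but the entry is still wrong: the stray `)` remains, the text is a slug rather than a title, and in the body 1.2.1 is `The Blueprint Explained: Core Components`, not the introduction. Replace it with `- [1.2.1 The Blueprint Explained: Core Components](#121-the-blueprint-explained-core-components)`.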
@@ -34,75 +34,75 @@ -[2.2 configuring-your-beslab-instance](#2.2) - -[2.2.1 Essential GitLab Configuration](#2.2.1) + -[2.2.1 Essential GitLab Configuration](#2.2.1) --[2.2.2](#42-setting-up-be-secure-repositories-in-gitlab) + -[2.2.2](#42-setting-up-be-secure-repositories-in-gitlab) --[2.2.3](#43-connecting-beslighthouse-to-your-data) + -[2.2.3](#43-connecting-beslighthouse-to-your-data) --[Part 3: Populating and Operating Your Lab] +-[Part 3: Populating and Operating Your Lab](#part-3) --[3.1. Populating Your Lab: Onboarding Guide] + -[3.1 Populating Your Lab: Onboarding Guide](#3.1) --[3.1.1](#51-managing-user-access-and-roles) + -[3.1.1 Managing user access and roles](#3.1.1) --[3.1.2](#52-adding-projects-osspoi-for-assessment) + -[3.1.2 Adding Project OSSPoI for Assessment](#3.1.2) --[3.1.3](#53-adding-ai-models-ossmoi-for-assessment) + -[3.1.3 adding-ai-models-ossmoi-for-assessment](#3.1.3) --[3.1.4](#54-integrating-security-tools-besplugins) + -[3.1.4 integrating-security-tools-besplugins](#3.1.4) --[3.2](#6-operating-your-beslab-workflows-in-action) + -[3.2 operating-your-beslab-workflows-in-action](#3.2) --[3.2.1](#61-submitting-assets-for-assessment) + -[3.2.1 submitting-assets-for-assessment](#3.2.1) --[3.2.2](#62-running-security-assessments) + -[3.2.2 running-security-assessments](#3.2.2) --[3.2.3](#63-generating-and-storing-reports-osars) + -[3.2.3 generating-and-storing-reports-osars](#3.2.3) --[3.2.4](#64-visualizing-results-with-beslighthouse) + -[3.2.4 visualizing-results-with-beslighthouse](#3.2.4) --[3.2.5](#65-tracking-vulnerabilities-ossvoi) + -[3.2.5 tracking-vulnerabilities-ossvoi](#3.2.5) --[3.2.6](#66-engagement-options-beyond-private-use) + -[3.2.6 engagement-options-beyond-private-use](#3.2.6) -[Part 4: Defaults and Governance](#part-4) --[4.1](#7-getting-started-quickly-default-configurations) + -[4.1 getting-started-quickly-default-configurations](#4.1) --[4.1.1 Why Defaults Matter](#4.1.1) + -[4.1.1 Why Defaults Matter](#4.1.1) 
--[4.1.2](#72-default-assessment-environments-besenvironments) + -[4.1.2 default-assessment-environments-besenvironments](#4.1.2) --[4.1.3](#73-default-assessment-workflows-besplaybooks) + -[4.1.3 default-assessment-workflows-besplaybooks](#4.1.3) --[4.1.4](#74-recap-default-security-tools-besplugins) + -[4.1.4 recap-default-security-tools-besplugins](#4.1.4) --[4.2](#8-reporting-and-governance-for-your-lab) + -[4.2 reporting-and-governance-for-your-lab](#4.2) --[4.2.1](#81-standard-assessment-reports-osar-structure) + -[4.2.1 standard-assessment-reports-osar-structure](#4.2.1) --[4.2.2](#82-defining-roles-and-responsibilities-raci-matrix) + -[4.2.2 defining-roles-and-responsibilities-raci-matrix](#4.2.2) --[4.2.3 Key Governance Policies to Establish](#4.2.3) + -[4.2.3 Key Governance Policies to Establish](#4.2.3) --[Part 5: Visual Aids and Conclusion](#part-5) + -[Part 5: Visual Aids and Conclusion](#part-5) --[5.1](#9-visualizing-the-setup) + -[5.1 visualizing-the-setup](#5.1) --[5.1.1 High-Level Enterprise View](#5.2) + -[5.1.1 High-Level Enterprise View](#5.1.1) --[5.1.2 Detailed Component Layout] + -[5.1.2 Detailed Component Layout](#5.1.2) --[6](#10-conclusion-and-next-steps)(#6) + -[6 conclusion-and-next-steps](#6) --[6.1](#101-summary-of-benefits)(#6.1) + -[6.1 summary-of-benefits](#6.1) --[6.2](#102-immediate-actions-after-setup)(#6.2) + -[6.2 immediate-actions-after-setup](#6.2) --[6.3](#103-continuous-improvement-roadmap)(#6.3) + -[6.3 continuous-improvement-roadmap](#6.3) --[7. Works Cited](#7) + -[7. Works Cited](#7) ## **Part 1: Understanding BeSLab** From cb6797bb4e6c37166da4e73df222f0e2d5f2cb1c Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 22:40:17 +0530 Subject: [PATCH 25/30] Update AISecurityLabSetupGuide.md --- AISecurityLabSetupGuide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 84c3a64..59ab605 100644 --- a/AISecurityLabSetupGuide.md 
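Review bot: `@@ -34,75 +34,75 @@` (PATCH 24) fills in link text, but many entries copy the slug verbatim (`-[3.1.3 adding-ai-models-ossmoi-for-assessment](#3.1.3)`) next to properly titled ones (`-[3.1.1 Managing user access and roles](#3.1.1)`), and every target is a dotted number that no renderer generates from the headings. The ToC numbering (3.1, 4.1, 5.1, 6, 7) also diverges from the body, which still numbers the setup section `3\.` (see `-**3\. Setting Up Your Private BeSLab (Lite Mode)**` in the earlier `@@ -129,19 +132,19 @@` hunk) while the ToC lists it as `2.1.1`. Pick one scheme and apply it to headings and ToC in the same commit, using the generated anchors (`#31-...`, `#part-3-populating-and-operating-your-lab`) as targets.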
+++ b/AISecurityLabSetupGuide.md @@ -36,9 +36,9 @@ -[2.2.1 Essential GitLab Configuration](#2.2.1) - -[2.2.2](#42-setting-up-be-secure-repositories-in-gitlab) + -[2.2.2 setting-up-be-secure-repositories-in-gitlab](#2.2.2) - -[2.2.3](#43-connecting-beslighthouse-to-your-data) + -[2.2.3 connecting-beslighthouse-to-your-data](#2.2.3) -[Part 3: Populating and Operating Your Lab](#part-3) From a0497c706d3a6f980665efae50b025f46a128584 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 22:52:55 +0530 Subject: [PATCH 26/30] Update AISecurityLabSetupGuide.md Fixed Dewey notation --- AISecurityLabSetupGuide.md | 92 +++++++++++++++++++------------------- 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 59ab605..2a872cb 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md @@ -1,6 +1,6 @@ # **Setup Guide: Establishing and Operating an AI Security Lab with the Be-Secure BeSLab Blueprint** -**Table of Contents** +## **Table of Contents** -[Part 1: Understanding BeSLab](#part-1)
@@ -124,9 +124,9 @@ #### **1.1.4 Scope of This Guide** This document serves as a comprehensive user guide focused specifically on setting up, configuring, and operating a *private* AI Security Lab using the BeSLab blueprint within an enterprise setting. It details the *'Lite Mode'* deployment, which consolidates essential components onto a single host machine, and covers integration with GitLab Community Edition (CE) as the code collaboration platform . The guide walks through the entire lifecycle: understanding the architecture, meeting prerequisites, installation steps, onboarding users, projects, models, and tools, defining operational workflows for security assessments, generating reports (OSARs), establishing governance (RACI), and configuring default components. -## **1.2\. How BeSLab Works: Architecture and Concepts** +### **1.2\. How BeSLab Works: Architecture and Concepts** -### **1.2.1 The Blueprint Explained: Core Components** +#### **1.2.1 The Blueprint Explained: Core Components** The BeSLab architecture, being a blueprint, defines how various components interact to form a working security lab . It integrates existing open-source tools with specific Be-Secure utilities and data structures to build a cohesive system for security assessment . A typical private BeSLab instance deployed in Lite Mode, as covered in this guide, includes these core parts : * **Git-based Source Code Management (SCM) Platform (e.g., GitLab CE):** This is the central nervous system of the BeSLab instance. It hosts the critical datastore repositories containing configurations, definitions of assets (OSSPoI, OSSMoI), assessment playbooks, environment definitions, and the assessment results (OSARs) . Using GitLab CE provides a powerful, self-hosted platform supporting version control, collaboration, and potential CI/CD integration for automating assessment workflows. 
* **Datastore Repositories:** These are specific Git repositories within the SCM platform designated for storing different types of lab data. Common examples include : 
@@ -140,7 +140,7 @@ * **BeSEnvironment:** Represents a specific computing setup (often a container image or defined by setup scripts) containing the necessary tools, libraries, and dependencies to run a particular set of security assessments . These ensure assessments are consistent and repeatable. They are defined in the BeSEnvironment repository and managed by BeSman . * **BeSPlaybook:** An automated script or workflow designed to orchestrate specific security assessment tasks . A playbook typically specifies which BeSEnvironment to use and which BeSPlugins (security tools) to run in sequence, along with configuration and data handling steps. Playbooks codify the assessment process for different asset types or security checks (e.g., SAST scan for Python code, AI model safety check). * **BeSPlugin:** Represents an integration wrapper around a specific security tool (e.g., a SAST scanner like Semgrep, an SCA tool like Trivy, a secrets detector like Gitleaks, or an AI model analyzer) . These plugins are the "workhorses" that perform the actual security scans. They are called by BeSPlaybooks within the appropriate BeSEnvironment. The lab's assessment capabilities are directly determined by the range and quality of integrated BeSPlugins. The framework is extensible, allowing new tools to be added as plugins over time . -### **1.2.2 The GitOps Foundation** +#### **1.2.2 The GitOps Foundation** A fundamental aspect of the BeSLab architecture is its reliance on a GitOps workflow for managing the lab itself . This means that nearly all configurations, operational state definitions, asset lists, assessment playbooks, environment definitions, and even assessment results (OSARs) reside within Git repositories hosted on the SCM platform (like GitLab CE) . 
Changes to the lab's setup—adding a new project to track, modifying an assessment playbook, updating an environment, or configuring a tool—are managed through standard Git operations: making changes, committing them with descriptive messages, and pushing them to the central repository. This approach offers significant advantages for managing the security lab infrastructure: * **Auditability:** Every change is recorded in the Git history, providing a clear audit trail of who changed what and when. @@ -148,7 +148,7 @@ * **Reproducibility:** The entire lab configuration is defined in code, making it easier to replicate the setup or recover from failures. * **Collaboration:** Multiple team members can collaborate on managing the lab's configuration using familiar Git workflows. * **Infrastructure-as-Code:** It treats the lab's configuration and operational definitions as code, promoting discipline, automation potential, and reliability in its management. BeSLighthouse reading directly from these repositories further reinforces this model, ensuring the dashboard always reflects the state defined in Git . -### **1.2.3 Key Terms You Need to Know** +#### **1.2.3 Key Terms You Need to Know** Understanding this terminology is essential for working with BeSLab : * **OSSPoI (Open Source Projects of Interest):** Specific open-source software projects your organization uses or depends on, which are onboarded into the lab for security assessment and monitoring. * **OSSMoI (Open Source Models of Interest):** Specific open-source AI/ML models used or considered by your organization, onboarded for security and safety assessments. 
@@ -158,11 +158,11 @@ * **OSAP (Open Source Assurance Provider):** Each BeSLab instance acts as an OSAP . In the context of this guide (a private lab), your organization functions as its own internal OSAP, providing assurance for the assets it monitors. * **BeS Schema / Exchange Schema:** A standardized data format defined by Be-Secure to enable consistent exchange of information about assets, vulnerabilities, and assessments between BeSLab components and potentially other systems or labs . Adhering to this schema, even in a private deployment, promotes interoperability, allows consistent data processing and visualization (e.g., by BeSLighthouse), simplifies tool development, and ensures reports (OSARs) have a uniform structure, making the lab's data more valuable and future-proof . -### **Part 2: Setting Up and Configuring Your Lab** +## **Part 2: Setting Up and Configuring Your Lab** ### Settings \-\> General \-\> Account and limit settings. Review who can create top-level groups and projects. Restricting this to Administrators initially is advisable for better control. * **(Future Use) Runner Configuration:** If planning to automate assessment workflows using GitLab CI/CD pipelines later, GitLab Runners will need to be configured. This is an advanced step involving setting up agents that can execute jobs, potentially interacting with Docker or the BeSLab host. -* **4.2 Setting Up Be-Secure Repositories in GitLab** +#### **2.2.2 Setting Up Be-Secure Repositories in GitLab** BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations . While bli launchlab might perform some setup, manually creating or verifying these core repositories is often necessary. The precise naming and structure are important, as tools like BeSLighthouse often expect specific repository names and locations to function correctly . Deviating from expected conventions might prevent the dashboard or other tools from finding and processing data. 
1. **Login to GitLab:** Log in as the root user or another administrator. 2. **Create a Top-Level Group:** Create a new group (e.g., besecure-lab) to logically organize all BeSLab-related repositories. @@ -281,7 +281,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i * BeSAssessment: Stores assessment output reports (OSARs) and metadata. * besecure-assets-store (or the name expected by BeSLighthouse's configuration): Stores lists/definitions of OSSPoI, OSSMoI, etc. . * Potentially others depending on specific configurations or extensions. -* **4.3 Connecting BeSLighthouse to Your Data** +#### **2.2.3 Connecting BeSLighthouse to Your Data** BeSLighthouse needs to be configured to find the data repositories within your private GitLab instance . This step activates the dashboard by linking the visualization front-end to the Git-based data back-end. 1. **Locate datastore.ts:** Access the BeSLab host machine (e.g., via SSH). Find the BeSLighthouse installation directory. The exact path depends on the deployment, potentially within a Docker volume mount (check docker inspect \ for volume details) or a location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, locate the configuration file, typically src/config/datastore.ts . 2. **Edit datastore.ts:** Open the file using a text editor (like nano or vim). Find the variables defining the URLs for the datastore repositories. Update these URLs to point to the repositories created in **your private GitLab instance** within the besecure-lab group . 
@@ -306,11 +306,11 @@ Successful completion of these checks indicates the core BeSLab infrastructure i 4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. Although the lists will still be empty until data is added, check the browser's developer tools (Network tab) or the container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated in the repositories. -**Part 3: Populating and Operating Your Lab** +## **Part 3: Populating and Operating Your Lab** -**5\. Populating Your Lab: Onboarding Guide** +### **3.1\. Populating Your Lab: Onboarding Guide** -* **5.1 Managing User Access and Roles** +#### **3.1.1 Managing User Access and Roles** Properly managing user access is crucial for security and operational efficiency. Define roles within the BeSLab context and map them to GitLab's permission model to control who can perform specific actions . * **Typical Roles:** * **Lab Administrator:** Installs, configures, maintains, and upgrades BeSLab; manages users; integrates core tools. Requires high-level privileges. 
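Review bot: in hunk `@@ -306,11 +306,11 @@` the new heading `### **3.1\. Populating Your Lab: Onboarding Guide**` keeps the escaped trailing period while its child `#### **3.1.1 Managing User Access and Roles**` has none, so the rendered numbers read `3.1.` and `3.1.1` side by side. Drop the `\.` here (and on `3.2\.` in hunk `@@ -397,9 +397,9 @@`) so the numbering matches the unescaped `2.2.2`, `4.1.1` and similar headings introduced in the same commit.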
@@ -328,7 +328,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i 3. Creates new user accounts as needed (assuming sign-up is restricted). 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. 5. Invites users to the group, assigning the appropriate role based on the mapping above. Permissions can be further refined on individual sub-projects (repositories) if necessary. -* **5.2 Adding Projects (OSSPoI) for Assessment** +#### **3.1.2 Adding Projects (OSSPoI) for Assessment** Onboarding Open Source Projects of Interest (OSSPoI) means adding the software projects your organization relies on to the lab's tracking system so they can be assessed . * **Definition:** OSSPoI are specific open-source software projects deemed important or critical enough by the organization to warrant regular security assessment. * **Process:** The process leverages the GitOps workflow: @@ -353,7 +353,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 2: Example OSSPoI Candidates** -* **5.3 Adding AI Models (OSSMoI) for Assessment** +#### **3.1.3 Adding AI Models (OSSMoI) for Assessment** Similar to software projects, Open Source Models of Interest (OSSMoI) need to be onboarded for tracking and security/safety assessment . * **Definition:** OSSMoI are specific open-source AI/ML models used or being considered for use by the organization. * **Process:** This follows the same Git-based workflow used for OSSPoI. An analyst or administrator clones the asset tracking repository (or a dedicated model repository), edits the designated list file (e.g., ossmoi\_list.yaml), adds the new model with relevant metadata (Model Name, Source URL/Identifier like Hugging Face Hub ID, Version, Base Model if fine-tuned, License information), commits, and pushes the changes. 
@@ -369,7 +369,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 3: Example OSSMoI Candidates** -* **5.4 Integrating Security Tools (BeSPlugins)** +#### **3.1.4 Integrating Security Tools (BeSPlugins)** The actual security assessment capabilities of the BeSLab depend entirely on the integrated security tools, made available via BeSPlugins . Integrating these tools is therefore a fundamental task. * **Definition:** A BeSPlugin acts as the integration layer or wrapper that allows a BeSPlaybook to invoke a specific security tool (like a scanner or linter) within the BeSLab framework . * **Integration Process:** @@ -397,9 +397,9 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 4: Example Default BeSPlugins** -**6\. Operating Your BeSLab: Workflows in Action** +### **3.2\. Operating Your BeSLab: Workflows in Action** -* **6.1 Submitting Assets for Assessment** +#### **3.2.1 Submitting Assets for Assessment** Define a clear process for how new projects (OSSPoI) and models (OSSMoI) are submitted for tracking and assessment : * **Manual Git Update:** Authorized users (e.g., Security Analysts) directly clone the asset repository, edit the list file, commit, and push the changes. This is the simplest method and aligns directly with the GitOps model. * **GitLab Merge Request (MR):** Developers or other stakeholders can submit changes to the asset list file via a GitLab Merge Request. This allows Security Analysts to review and approve the submission before it's merged into the main branch, providing an approval gate. 
@@ -408,7 +408,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i *Diagram Reference:* The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** ![Project/Model Onboarding Flow (Git-based)](./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png) -* **6.2 Running Security Assessments** +#### **3.2.2 Running Security Assessments** Assessments are executed using the defined BeSPlaybooks, which orchestrate the use of BeSEnvironments and BeSPlugins . The separation of these components provides modularity—allowing environments to be reused across playbooks, or playbooks to run different sets of plugins—but requires careful coordination to ensure they work together correctly. * **Triggering Mechanisms:** Assessments can be initiated in several ways: * **Manual:** Security Analysts can trigger specific playbooks on demand, often via CLI commands or custom scripts interacting with BeSman or potentially GitLab CI. 
@@ -423,39 +423,39 @@ Successful completion of these checks indicates the core BeSLab infrastructure i *Diagram Reference:* This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** ![Assessment Execution Flow](./docs/images/Diagram4AssessmentExecutionWorkflow.png) -* **6.3 Generating and Storing Reports (OSARs)** +#### **3.2.3 Generating and Storing Reports (OSARs)** After the plugins within a playbook have run, the results need to be formalized into a standard report . * **Aggregation & Formatting:** The BeSPlaybook script is responsible for aggregating the findings from the various BeSPlugins executed during the run. It should format these findings into a structured Open Source Assessment Report (OSAR). Adhering to the BeS Schema for the OSAR format is highly recommended for consistency and easier automated processing . * **Storage:** The generated OSAR file (commonly in JSON or YAML format) is then committed back to the designated BeSAssessment Git repository . The commit message or metadata associated with the file should link the OSAR to the specific asset (OSSPoI/OSSMoI), the version assessed (e.g., Git commit hash, model version tag), the playbook used, and the timestamp of the assessment run. This creates an immutable, version-controlled audit trail of all assessment activities. -* **6.4 Visualizing Results with BeSLighthouse** +#### **3.2.4 Visualizing Results with BeSLighthouse** The BeSLighthouse dashboard serves as the primary interface for monitoring the lab's activities and results . Users interact with BeSLighthouse to: * View the lists of currently tracked assets (OSSPoI and OSSMoI) as read from the asset repositories . * Check the status and history of assessment runs for each asset. * Visualize aggregated vulnerability data (OSSVoI) associated with the tracked assets . 
* Access direct links to the detailed OSAR files stored in the BeSAssessment Git repository for deeper investigation. -* **6.5 Tracking Vulnerabilities (OSSVoI)** +#### **3.2.5 Tracking Vulnerabilities (OSSVoI)** A key function of the lab is to identify and track specific vulnerabilities (OSSVoI) within the monitored assets . * **Identification & Extraction:** BeSPlugins (especially SCA, SAST, and DAST tools) identify potential vulnerabilities, often providing standard identifiers like CVE numbers. This information is captured by the playbook and included in the OSAR . Key details like the vulnerability ID (CVE), severity level, affected component/file, and location should be extracted and structured within the OSAR . * **Storage:** Structured OSSVoI data is stored as part of the OSAR in the BeSAssessment repository, or potentially in a separate linked file or database if more complex tracking is implemented. * **Visualization:** BeSLighthouse reads the OSSVoI data from the assessment results and presents aggregated views, such as counts of vulnerabilities by severity per project . * **Triage & Remediation:** Security Analysts use the OSARs and the BeSLighthouse dashboard to review new findings, validate their authenticity, prioritize them based on severity and context, assign remediation tasks (e.g., creating tickets in an issue tracker), and track the progress of fixes. 
-*Diagram Reference:* The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** +The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** ![Vulnerability Tracking Flow (OSSVoI)](./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png) -* **6.6 Engagement Options (Beyond Private Use)** +#### **3.2.6 Engagement Options (Beyond Private Use)** While this guide focuses on a private, internal BeSLab instance functioning as an internal OSAP , the Be-Secure ecosystem allows for potential future interactions: * **Contribute Back:** Share identified vulnerabilities or patches securely with the upstream open source projects. * **Data Sharing:** If appropriate agreements are in place, share anonymized vulnerability data (using the BeS Schema for interoperability ) with trusted partners, industry groups, or security communities . * **Consume External Data:** Integrate external threat intelligence or vulnerability feeds to enrich the findings identified internally and provide broader context. -**Part 4: Defaults and Governance** +## **Part 4: Defaults and Governance** -**7\. Getting Started Quickly: Default Configurations** +### **4.1 Getting Started Quickly: Default Configurations** -* **7.1 Why Defaults Matter** +#### **4.1.1 Why Defaults Matter** Establishing a set of default configurations for environments, playbooks, and plugins provides immediate value after the initial BeSLab setup . These defaults offer foundational security checks for common types of assets, allowing the team to start performing basic assessments quickly without needing extensive customization upfront. -* **7.2 Default Assessment Environments (BeSEnvironments)** +#### **4.1.2 Default Assessment Environments (BeSEnvironments)** Define a baseline set of reusable runtime environments in the BeSEnvironment repository. 
These typically encapsulate the dependencies needed for common categories of security tools . Examples often use Dockerfiles for definition. | BeSEnvironment Name | Key Components Included | Purpose | @@ -468,7 +468,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 5: Example Default BeSEnvironments** -* **7.3 Default Assessment Workflows (BeSPlaybooks)** +#### **4.1.3 Default Assessment Workflows (BeSPlaybooks)** Create standard assessment workflows (playbooks) in the BeSPlaybook repository by combining the default environments and plugins for common tasks . These serve as templates that can be used directly or adapted. | BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | @@ -481,12 +481,12 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 6: Example Default BeSPlaybooks** -* **7.4 Recap: Default Security Tools (BeSPlugins)** +#### **4.1.4 Recap: Default Security Tools (BeSPlugins)** The default playbooks listed above would typically utilize the core set of BeSPlugins recommended earlier (refer back to **Table 4: Example Default BeSPlugins**). Ensuring these foundational plugins (e.g., Semgrep, Trivy, Bandit, Gitleaks, an AI model scanner, potentially OWASP ZAP) are integrated and functional is key to making the default playbooks operational. -**8\. Reporting and Governance for Your Lab** +### **4.2 Reporting and Governance for Your Lab** -* **8.1 Standard Assessment Reports (OSAR Structure)** +#### **4.2.1 Standard Assessment Reports (OSAR Structure)** Consistent and comprehensive reporting is vital for communicating assessment results effectively. Open Source Assessment Reports (OSARs) should be standardized, ideally aligning with the principles of the BeS Schema . A well-structured OSAR ensures that all necessary information is captured and presented clearly. | OSAR Section | Content Description | Purpose | 
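Review bot: hunk `@@ -423,39 +423,39 @@` removes the leading `*Diagram Reference:*` label only from the Diagram 5 line (`+The flow of identifying vulnerabilities during scans and tracking them as OSSVoI ...`), while the Diagram 3 and Diagram 4 references in `@@ -408` and earlier in this hunk keep it. That is outside the commit's stated scope (numbering) and leaves the three references inconsistent; either keep the label here or remove it on all three.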
@@ -501,7 +501,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 7: OSAR Sample Structure** -* **8.2 Defining Roles and Responsibilities (RACI Matrix)** +#### **4.2.2 Defining Roles and Responsibilities (RACI Matrix)** A RACI (Responsible, Accountable, Consulted, Informed) matrix helps clarify roles and responsibilities for various BeSLab activities, preventing confusion and ensuring tasks are owned. | Activity | CISO | Lab Admin | Security Analyst | Dev Lead / App Owner | Legal / Compliance | @@ -520,7 +520,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 8: RACI Matrix** \*(R=Responsible, A=Accountable, C=Consulted, I=Informed) -* **8.3 Key Governance Policies to Establish** +#### **4.2.3 Key Governance Policies to Establish** Implementing the BeSLab technology is only part of the solution. Establishing clear governance processes and policies is crucial to ensure the lab operates effectively and contributes meaningfully to risk reduction . Without governance, scan results might be inconsistent, ignored, or overwhelming. Key areas requiring formal policies include : * **Onboarding Criteria:** Define clear rules for which types of OSS projects and AI models *must* be onboarded into the lab (e.g., based on criticality, external facing, handling sensitive data). * **Assessment Frequency:** Establish minimum scanning schedules based on asset criticality and type of scan (e.g., critical web frameworks scanned daily with SCA, less critical libraries weekly; SAST on every commit). 
@@ -529,37 +529,37 @@ Successful completion of these checks indicates the core BeSLab infrastructure i * **Tool Validation & Updates:** Implement a process for regularly reviewing the effectiveness of integrated BeSPlugins, updating the underlying tools to their latest stable versions, and validating parser logic. * **Reporting Cadence:** Define how and when assessment results and overall risk posture summaries are reported to different stakeholders (e.g., immediate alerts for critical findings, monthly summaries for management). -**Part 5: Visual Aids and Conclusion** +## **Part 5: Visual Aids and Conclusion** -**9\. Visualizing the Setup** +### **5.1. Visualizing the Setup** The following diagrams, referenced by their original file names in the source documentation, provide visual context for the BeSLab architecture and workflows. While the images themselves are not embedded here, understanding their purpose can aid comprehension: -* **9.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. +#### **5.1.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. ![High-Level Enterprise Deployment](./docs/images/Diagram1HighlevelEnterpriseDeployment.png) -* **9.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. 
+#### **5.1.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. * ![Detailed BeSLab Component Layout (Lite Mode Host)](./docs/images/Diagram2BeSLabComponentsLayout.png) -**10\. Conclusion and Next Steps** +## **6 Conclusion and Next Steps** -* **10.1 Summary of Benefits** +### **6.1 Summary of Benefits** Establishing and operating an AI Security Lab using the BeSLab blueprint offers significant advantages for strengthening an organization's security posture regarding open source software and AI models : * **Standardized Assurance:** Implements consistent, automated, and repeatable security assessment processes. * **Visibility & Control:** Provides centralized tracking and visualization of monitored assets (OSSPoI/MoI) and their associated vulnerabilities (OSSVoI) through the BeSLighthouse dashboard . * **Reduced Risk:** Enables the early identification and facilitates the timely remediation of vulnerabilities before they can be exploited. * **Internal Trust:** Creates a mechanism (TAVOSS) for establishing and communicating internal trust levels for assessed components . * **Extensibility:** Offers a modular architecture allowing the integration of new tools, techniques, and assessment types over time . -* **10.2 Immediate Actions After Setup** +### **6.2 Immediate Actions After Setup** Once the initial installation and configuration described in this guide are complete, focus on these next steps to make the lab operational : 1. **Onboard Initial Assets:** Begin by onboarding a small set of high-priority or representative OSS projects (OSSPoI) and AI models (OSSMoI). 2. 
**Configure & Test Defaults:** Ensure the default BeSEnvironments, BeSPlaybooks, and BeSPlugins (Tables 4, 5, 6\) are correctly configured and functioning as expected by running test assessments. 3. **User Training:** Provide training to Security Analysts, relevant Developers, and other stakeholders on how to use the lab (submitting assets, running scans, interpreting reports, using BeSLighthouse). 4. **Establish Governance:** Formalize the key governance policies (Section 8.3) and communicate the RACI matrix (Table 8\) to ensure clear processes and responsibilities. 5. **Secure the Lab:** Implement security best practices for the BeSLab host OS, the GitLab instance (user management, network access), and ensure components are kept patched and updated. -* **10.3 Continuous Improvement Roadmap** +### **6.3 Continuous Improvement Roadmap** An effective AI Security Lab requires ongoing maintenance and evolution : * **Expand Plugin Coverage:** Continuously identify and integrate new BeSPlugins to cover more languages, frameworks, vulnerability types, and AI-specific risks. * **Refine Playbooks:** Optimize existing BeSPlaybooks and create new ones tailored to specific organizational needs, risk profiles, or compliance requirements. 
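Review bot: hunk `@@ -529,37 +529,37 @@` renumbers the governance section to `4.2.3` (see `@@ -520`) but its own unchanged context line `4. **Establish Governance:** Formalize the key governance policies (Section 8.3)` still cites the old number; change it to `Section 4.2.3` (the `Tables 4, 5, 6` and `Table 8` references are unaffected because tables were not renumbered). Two further points in this hunk: `+#### **5.1.1 High-Level Enterprise View:** This diagram illustrates ...` and the matching `5.1.2` line fold a whole paragraph into the heading, so end the heading after the title and start the description on the next line; and `+## **6 Conclusion and Next Steps**` sits at the `##` level otherwise reserved for Parts and omits the dot that `+## **7. Works Cited**` in `@@ -569` keeps, so pick one form (`6.`/`7.` or `6`/`7`) for both.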
@@ -569,7 +569,7 @@ The following diagrams, referenced by their original file names in the source do By following this guide to establish the initial BeSLab instance and committing to its continuous improvement, organizations can build a powerful internal capability to manage the security risks associated with open source software and artificial intelligence. -**11\. Works Cited** +## **7. Works Cited** 1. Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLab](https://github.com/Be-Secure/BeSLab) 2. Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLighthouse](https://github.com/Be-Secure/BeSLighthouse) From 406c0adaae2e2ca9ee25c972d2f3201239ab020c Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Thu, 1 May 2025 23:07:41 +0530 Subject: [PATCH 27/30] Update AISecurityLabSetupGuide.md Fixed links --- AISecurityLabSetupGuide.md | 88 +++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 43 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 2a872cb..148ab61 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md 
@@ -106,7 +106,7 @@ ## **Part 1: Understanding BeSLab** -### **1\. Introduction: Your AI Security Lab** +### **1. Introduction: Your AI Security Lab** #### **1.1.1 What is BeSLab and Why Use It?** In today's digital world, organizations heavily rely on Open Source Software (OSS) and Artificial Intelligence (AI) / Machine Learning (ML) models. While these components accelerate innovation, they also introduce security risks from potential vulnerabilities within them and the unique ways AI models can be attacked. Effectively managing these risks demands a structured and proactive strategy. @@ -124,7 +124,7 @@ #### **1.1.4 Scope of This Guide** This document serves as a comprehensive user guide focused specifically on setting up, configuring, and operating a *private* AI Security Lab using the BeSLab blueprint within an enterprise setting. It details the *'Lite Mode'* deployment, which consolidates essential components onto a single host machine, and covers integration with GitLab Community Edition (CE) as the code collaboration platform . The guide walks through the entire lifecycle: understanding the architecture, meeting prerequisites, installation steps, onboarding users, projects, models, and tools, defining operational workflows for security assessments, generating reports (OSARs), establishing governance (RACI), and configuring default components. -### **1.2\. How BeSLab Works: Architecture and Concepts** +### **1.2 How BeSLab Works: Architecture and Concepts** #### **1.2.1 The Blueprint Explained: Core Components** The BeSLab architecture, being a blueprint, defines how various components interact to form a working security lab . It integrates existing open-source tools with specific Be-Secure utilities and data structures to build a cohesive system for security assessment . A typical private BeSLab instance deployed in Lite Mode, as covered in this guide, includes these core parts : 
@@ -162,7 +162,7 @@ ### **2.1.1 Before You Begin: Prerequisites Checklist** Ensuring the target environment meets all requirements before starting installation is crucial for avoiding common setup problems. A dedicated host machine (a Virtual Machine is recommended for easier management and snapshots) is needed . The following table summarizes the key prerequisites for deploying a private BeSLab Lite Mode instance. Meeting the recommended specifications is advisable for enterprise use to ensure adequate performance, especially for GitLab and concurrent assessments. Sufficient disk space is particularly important for storing Git repository data, container images, and potentially large assessment artifacts or logs. @@ -187,7 +187,7 @@ This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` process . Using an existing GitLab instance requires significant manual configuration beyond this standard guide. -#### **2.1.2 Step-by-Step Installation using BLIman** +#### **2.1.2 Step-by-Step Installation using BLIman** Follow these steps to install a private BeSLab instance in 'Lite Mode' using the BLIman CLI tool . Lite Mode installs core components like GitLab CE and BeSLighthouse onto the single prepared host . The installation is driven by the genesis.yaml configuration file. 1. **Prepare Host:** Log in to the designated host machine (which meets all prerequisites) using an account with sudo privileges . 2. **Install BLIman:** Install the BeSLab Lifecycle Management tool. Always refer to the official Be-Secure/BLIman repository for the most current installation instructions . Example commands (verify URLs): 
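Review bot: in hunk `@@ -187,7 +187,7 @@` the removed and added lines `#### **2.1.2 Step-by-Step Installation using BLIman**` are visually identical, so the change is trailing whitespace or a non-printing character (a non-breaking space, for instance); the commit message `Fixed links` does not describe this, and the same pattern recurs in `@@ -253` and `@@ -264` for 2.1.3, 2.2.1 and 2.2.2. State what was stripped in the message so reviewers can confirm it (`git diff --word-diff-regex=.` or `git show | cat -A` makes the difference visible). Also, the `@@ -162` context shows `### **2.1.1 Before You Begin: Prerequisites Checklist**` one level above its siblings `#### **2.1.2 ...**` and `#### **2.1.3 ...**`; it should be `####` as well.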
@@ -253,7 +253,7 @@ This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` proce Bash bli launchlab This command downloads Docker images, configures and starts containers (GitLab, BeSLighthouse), sets up networking/volumes, and potentially seeds initial GitLab structures . This step can take significant time. Monitor the console output for errors. -#### **2.1.3 Initial Verification: Checking Your Setup** +#### **2.1.3 Initial Verification: Checking Your Setup** Once bli launchlab finishes successfully, verify the installation : 1. **Access GitLab UI:** Open a web browser and go to the gitlab.host\_url defined in genesis.yaml. 2. **Login to GitLab:** Use username root and the initial\_root\_password from genesis.yaml. 
@@ -264,14 +264,14 @@ This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` proce Successful completion of these checks indicates the core BeSLab infrastructure is operational. -### **2.2\. Configuring Your BeSLab Instance** +### **2.2 Configuring Your BeSLab Instance** -#### **2.2.1 Essential GitLab Configuration** +#### **2.2.1 Essential GitLab Configuration** After the initial setup and password change, configure these GitLab settings relevant for BeSLab : * **User Sign-up Restrictions:** Navigate to Admin Area \-\> Settings \-\> General \-\> Sign-up restrictions. It is strongly recommended to *disable* new sign-ups (uncheck "Sign-up enabled") to prevent unauthorized access. If self-registration is needed later, enable admin approval. * **Group/Project Creation Permissions:** Go to Admin Area \-\> Settings \-\> General \-\> Account and limit settings. Review who can create top-level groups and projects. Restricting this to Administrators initially is advisable for better control. * **(Future Use) Runner Configuration:** If planning to automate assessment workflows using GitLab CI/CD pipelines later, GitLab Runners will need to be configured. This is an advanced step involving setting up agents that can execute jobs, potentially interacting with Docker or the BeSLab host. -#### **2.2.2 Setting Up Be-Secure Repositories in GitLab** +#### **2.2.2 Setting Up Be-Secure Repositories in GitLab** BeSLab relies on a specific structure of Git repositories within GitLab to store its data and configurations . While bli launchlab might perform some setup, manually creating or verifying these core repositories is often necessary. The precise naming and structure are important, as tools like BeSLighthouse often expect specific repository names and locations to function correctly . Deviating from expected conventions might prevent the dashboard or other tools from finding and processing data. 1. 
**Login to GitLab:** Log in as the root user or another administrator. 2. **Create a Top-Level Group:** Create a new group (e.g., besecure-lab) to logically organize all BeSLab-related repositories. @@ -281,7 +281,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i * BeSAssessment: Stores assessment output reports (OSARs) and metadata. * besecure-assets-store (or the name expected by BeSLighthouse's configuration): Stores lists/definitions of OSSPoI, OSSMoI, etc. . * Potentially others depending on specific configurations or extensions. -#### **2.2.3 Connecting BeSLighthouse to Your Data** +#### **2.2.3 Connecting BeSLighthouse to Your Data** BeSLighthouse needs to be configured to find the data repositories within your private GitLab instance . This step activates the dashboard by linking the visualization front-end to the Git-based data back-end. 1. **Locate datastore.ts:** Access the BeSLab host machine (e.g., via SSH). Find the BeSLighthouse installation directory. The exact path depends on the deployment, potentially within a Docker volume mount (check docker inspect \ for volume details) or a location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, locate the configuration file, typically src/config/datastore.ts . 2. **Edit datastore.ts:** Open the file using a text editor (like nano or vim). Find the variables defining the URLs for the datastore repositories. Update these URLs to point to the repositories created in **your private GitLab instance** within the besecure-lab group . 
@@ -306,11 +306,11 @@ Successful completion of these checks indicates the core BeSLab infrastructure i 4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. Although the lists will still be empty until data is added, check the browser's developer tools (Network tab) or the container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated in the repositories. -## **Part 3: Populating and Operating Your Lab** +## **Part 3: Populating and Operating Your Lab** -### **3.1\. Populating Your Lab: Onboarding Guide** +### **3.1\. Populating Your Lab: Onboarding Guide** -#### **3.1.1 Managing User Access and Roles** +#### **3.1.1 Managing User Access and Roles** Properly managing user access is crucial for security and operational efficiency. Define roles within the BeSLab context and map them to GitLab's permission model to control who can perform specific actions . * **Typical Roles:** * **Lab Administrator:** Installs, configures, maintains, and upgrades BeSLab; manages users; integrates core tools. Requires high-level privileges. 
@@ -328,7 +328,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i 3. Creates new user accounts as needed (assuming sign-up is restricted). 4. Navigates to the besecure-lab group \-\> Group information \-\> Members. 5. Invites users to the group, assigning the appropriate role based on the mapping above. Permissions can be further refined on individual sub-projects (repositories) if necessary. -#### **3.1.2 Adding Projects (OSSPoI) for Assessment** +#### **3.1.2 Adding Projects (OSSPoI) for Assessment** Onboarding Open Source Projects of Interest (OSSPoI) means adding the software projects your organization relies on to the lab's tracking system so they can be assessed . * **Definition:** OSSPoI are specific open-source software projects deemed important or critical enough by the organization to warrant regular security assessment. * **Process:** The process leverages the GitOps workflow: @@ -353,7 +353,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 2: Example OSSPoI Candidates** -#### **3.1.3 Adding AI Models (OSSMoI) for Assessment** +#### **3.1.3 Adding AI Models (OSSMoI) for Assessment** Similar to software projects, Open Source Models of Interest (OSSMoI) need to be onboarded for tracking and security/safety assessment . * **Definition:** OSSMoI are specific open-source AI/ML models used or being considered for use by the organization. * **Process:** This follows the same Git-based workflow used for OSSPoI. An analyst or administrator clones the asset tracking repository (or a dedicated model repository), edits the designated list file (e.g., ossmoi\_list.yaml), adds the new model with relevant metadata (Model Name, Source URL/Identifier like Hugging Face Hub ID, Version, Base Model if fine-tuned, License information), commits, and pushes the changes. 
@@ -369,7 +369,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 3: Example OSSMoI Candidates** -#### **3.1.4 Integrating Security Tools (BeSPlugins)** +#### **3.1.4 Integrating Security Tools (BeSPlugins)** The actual security assessment capabilities of the BeSLab depend entirely on the integrated security tools, made available via BeSPlugins . Integrating these tools is therefore a fundamental task. * **Definition:** A BeSPlugin acts as the integration layer or wrapper that allows a BeSPlaybook to invoke a specific security tool (like a scanner or linter) within the BeSLab framework . * **Integration Process:** 
@@ -397,18 +397,18 @@ Successful completion of these checks indicates the core BeSLab infrastructure i **Table 4: Example Default BeSPlugins** -### **3.2\. Operating Your BeSLab: Workflows in Action** +### **3.2. Operating Your BeSLab: Workflows in Action** -#### **3.2.1 Submitting Assets for Assessment** +#### **3.2.1 Submitting Assets for Assessment** Define a clear process for how new projects (OSSPoI) and models (OSSMoI) are submitted for tracking and assessment : * **Manual Git Update:** Authorized users (e.g., Security Analysts) directly clone the asset repository, edit the list file, commit, and push the changes. This is the simplest method and aligns directly with the GitOps model. * **GitLab Merge Request (MR):** Developers or other stakeholders can submit changes to the asset list file via a GitLab Merge Request. This allows Security Analysts to review and approve the submission before it's merged into the main branch, providing an approval gate. * **API Integration (Advanced):** For more sophisticated integration, scripts or internal tools could interact with the GitLab API to update the asset lists, potentially triggered by events in other systems (e.g., a new project created in an internal registry). -*Diagram Reference:* The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** +The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** ![Project/Model Onboarding Flow (Git-based)](./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png) -#### **3.2.2 Running Security Assessments** +#### **3.2.2 Running Security Assessments** Assessments are executed using the defined BeSPlaybooks, which orchestrate the use of BeSEnvironments and BeSPlugins . 
The separation of these components provides modularity—allowing environments to be reused across playbooks, or playbooks to run different sets of plugins—but requires careful coordination to ensure they work together correctly. * **Triggering Mechanisms:** Assessments can be initiated in several ways: * **Manual:** Security Analysts can trigger specific playbooks on demand, often via CLI commands or custom scripts interacting with BeSman or potentially GitLab CI. 
@@ -420,20 +420,20 @@ Successful completion of these checks indicates the core BeSLab infrastructure i 3. The playbook then executes the sequence of defined BeSPlugins (security tools) within that environment, passing the target asset (e.g., code repository path, model file location) as input to each plugin. 4. The playbook collects the results from each plugin. -*Diagram Reference:* This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** +This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** ![Assessment Execution Flow](./docs/images/Diagram4AssessmentExecutionWorkflow.png) -#### **3.2.3 Generating and Storing Reports (OSARs)** +#### **3.2.3 Generating and Storing Reports (OSARs)** After the plugins within a playbook have run, the results need to be formalized into a standard report . * **Aggregation & Formatting:** The BeSPlaybook script is responsible for aggregating the findings from the various BeSPlugins executed during the run. It should format these findings into a structured Open Source Assessment Report (OSAR). Adhering to the BeS Schema for the OSAR format is highly recommended for consistency and easier automated processing . * **Storage:** The generated OSAR file (commonly in JSON or YAML format) is then committed back to the designated BeSAssessment Git repository . The commit message or metadata associated with the file should link the OSAR to the specific asset (OSSPoI/OSSMoI), the version assessed (e.g., Git commit hash, model version tag), the playbook used, and the timestamp of the assessment run. This creates an immutable, version-controlled audit trail of all assessment activities. 
-#### **3.2.4 Visualizing Results with BeSLighthouse** +#### **3.2.4 Visualizing Results with BeSLighthouse** The BeSLighthouse dashboard serves as the primary interface for monitoring the lab's activities and results . Users interact with BeSLighthouse to: * View the lists of currently tracked assets (OSSPoI and OSSMoI) as read from the asset repositories . * Check the status and history of assessment runs for each asset. * Visualize aggregated vulnerability data (OSSVoI) associated with the tracked assets . * Access direct links to the detailed OSAR files stored in the BeSAssessment Git repository for deeper investigation. -#### **3.2.5 Tracking Vulnerabilities (OSSVoI)** +#### **3.2.5 Tracking Vulnerabilities (OSSVoI)** A key function of the lab is to identify and track specific vulnerabilities (OSSVoI) within the monitored assets . * **Identification & Extraction:** BeSPlugins (especially SCA, SAST, and DAST tools) identify potential vulnerabilities, often providing standard identifiers like CVE numbers. This information is captured by the playbook and included in the OSAR . Key details like the vulnerability ID (CVE), severity level, affected component/file, and location should be extracted and structured within the OSAR . * **Storage:** Structured OSSVoI data is stored as part of the OSAR in the BeSAssessment repository, or potentially in a separate linked file or database if more complex tracking is implemented. 
@@ -443,19 +443,19 @@ Successful completion of these checks indicates the core BeSLab infrastructure i The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** ![Vulnerability Tracking Flow (OSSVoI)](./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png) -#### **3.2.6 Engagement Options (Beyond Private Use)** +#### **3.2.6 Engagement Options (Beyond Private Use)** While this guide focuses on a private, internal BeSLab instance functioning as an internal OSAP , the Be-Secure ecosystem allows for potential future interactions: * **Contribute Back:** Share identified vulnerabilities or patches securely with the upstream open source projects. * **Data Sharing:** If appropriate agreements are in place, share anonymized vulnerability data (using the BeS Schema for interoperability ) with trusted partners, industry groups, or security communities . * **Consume External Data:** Integrate external threat intelligence or vulnerability feeds to enrich the findings identified internally and provide broader context. -## **Part 4: Defaults and Governance** +## **Part 4: Defaults and Governance** -### **4.1 Getting Started Quickly: Default Configurations** +### **4.1 Getting Started Quickly: Default Configurations** -#### **4.1.1 Why Defaults Matter** +#### **4.1.1 Why Defaults Matter** Establishing a set of default configurations for environments, playbooks, and plugins provides immediate value after the initial BeSLab setup . These defaults offer foundational security checks for common types of assets, allowing the team to start performing basic assessments quickly without needing extensive customization upfront. -#### **4.1.2 Default Assessment Environments (BeSEnvironments)** +#### **4.1.2 Default Assessment Environments (BeSEnvironments)** Define a baseline set of reusable runtime environments in the BeSEnvironment repository. 
These typically encapsulate the dependencies needed for common categories of security tools . Examples often use Dockerfiles for definition. | BeSEnvironment Name | Key Components Included | Purpose | @@ -468,7 +468,7 @@ The flow of identifying vulnerabilities during scans and tracking them as OSSVoI **Table 5: Example Default BeSEnvironments** -#### **4.1.3 Default Assessment Workflows (BeSPlaybooks)** +#### **4.1.3 Default Assessment Workflows (BeSPlaybooks)** Create standard assessment workflows (playbooks) in the BeSPlaybook repository by combining the default environments and plugins for common tasks . These serve as templates that can be used directly or adapted. | BeSPlaybook Name | BeSEnvironment Used | BeSPlugins Invoked (Example) | Suggested Frequency | Purpose | 
@@ -481,12 +481,12 @@ The flow of identifying vulnerabilities during scans and tracking them as OSSVoI **Table 6: Example Default BeSPlaybooks** -#### **4.1.4 Recap: Default Security Tools (BeSPlugins)** +#### **4.1.4 Recap: Default Security Tools (BeSPlugins)** The default playbooks listed above would typically utilize the core set of BeSPlugins recommended earlier (refer back to **Table 4: Example Default BeSPlugins**). Ensuring these foundational plugins (e.g., Semgrep, Trivy, Bandit, Gitleaks, an AI model scanner, potentially OWASP ZAP) are integrated and functional is key to making the default playbooks operational. -### **4.2 Reporting and Governance for Your Lab** +### **4.2 Reporting and Governance for Your Lab** -#### **4.2.1 Standard Assessment Reports (OSAR Structure)** +#### **4.2.1 Standard Assessment Reports (OSAR Structure)** Consistent and comprehensive reporting is vital for communicating assessment results effectively. Open Source Assessment Reports (OSARs) should be standardized, ideally aligning with the principles of the BeS Schema . A well-structured OSAR ensures that all necessary information is captured and presented clearly. | OSAR Section | Content Description | Purpose | @@ -501,7 +501,7 @@ The flow of identifying vulnerabilities during scans and tracking them as OSSVoI **Table 7: OSAR Sample Structure** -#### **4.2.2 Defining Roles and Responsibilities (RACI Matrix)** +#### **4.2.2 Defining Roles and Responsibilities (RACI Matrix)** A RACI (Responsible, Accountable, Consulted, Informed) matrix helps clarify roles and responsibilities for various BeSLab activities, preventing confusion and ensuring tasks are owned. | Activity | CISO | Lab Admin | Security Analyst | Dev Lead / App Owner | Legal / Compliance | 
@@ -520,7 +520,7 @@ The flow of identifying vulnerabilities during scans and tracking them as OSSVoI **Table 8: RACI Matrix** \*(R=Responsible, A=Accountable, C=Consulted, I=Informed) -#### **4.2.3 Key Governance Policies to Establish** +#### **4.2.3 Key Governance Policies to Establish** Implementing the BeSLab technology is only part of the solution. Establishing clear governance processes and policies is crucial to ensure the lab operates effectively and contributes meaningfully to risk reduction . Without governance, scan results might be inconsistent, ignored, or overwhelming. Key areas requiring formal policies include : * **Onboarding Criteria:** Define clear rules for which types of OSS projects and AI models *must* be onboarded into the lab (e.g., based on criticality, external facing, handling sensitive data). * **Assessment Frequency:** Establish minimum scanning schedules based on asset criticality and type of scan (e.g., critical web frameworks scanned daily with SCA, less critical libraries weekly; SAST on every commit). 
@@ -529,37 +529,39 @@ The flow of identifying vulnerabilities during scans and tracking them as OSSVoI * **Tool Validation & Updates:** Implement a process for regularly reviewing the effectiveness of integrated BeSPlugins, updating the underlying tools to their latest stable versions, and validating parser logic. * **Reporting Cadence:** Define how and when assessment results and overall risk posture summaries are reported to different stakeholders (e.g., immediate alerts for critical findings, monthly summaries for management). -## **Part 5: Visual Aids and Conclusion** +## **Part 5: Visual Aids and Conclusion** -### **5.1. Visualizing the Setup** +### **5.1. Visualizing the Setup** The following diagrams, referenced by their original file names in the source documentation, provide visual context for the BeSLab architecture and workflows. While the images themselves are not embedded here, understanding their purpose can aid comprehension: -#### **5.1.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. +#### **5.1.1 High-Level Enterprise View:** +This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. ![High-Level Enterprise Deployment](./docs/images/Diagram1HighlevelEnterpriseDeployment.png) -#### **5.1.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. 
+#### **5.1.2 Detailed Component Layout:** +This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. * ![Detailed BeSLab Component Layout (Lite Mode Host)](./docs/images/Diagram2BeSLabComponentsLayout.png) -## **6 Conclusion and Next Steps** +## **6 Conclusion and Next Steps** -### **6.1 Summary of Benefits** +### **6.1 Summary of Benefits** Establishing and operating an AI Security Lab using the BeSLab blueprint offers significant advantages for strengthening an organization's security posture regarding open source software and AI models : * **Standardized Assurance:** Implements consistent, automated, and repeatable security assessment processes. * **Visibility & Control:** Provides centralized tracking and visualization of monitored assets (OSSPoI/MoI) and their associated vulnerabilities (OSSVoI) through the BeSLighthouse dashboard . * **Reduced Risk:** Enables the early identification and facilitates the timely remediation of vulnerabilities before they can be exploited. * **Internal Trust:** Creates a mechanism (TAVOSS) for establishing and communicating internal trust levels for assessed components . * **Extensibility:** Offers a modular architecture allowing the integration of new tools, techniques, and assessment types over time . -### **6.2 Immediate Actions After Setup** +### **6.2 Immediate Actions After Setup** Once the initial installation and configuration described in this guide are complete, focus on these next steps to make the lab operational : 1. **Onboard Initial Assets:** Begin by onboarding a small set of high-priority or representative OSS projects (OSSPoI) and AI models (OSSMoI). 2. 
**Configure & Test Defaults:** Ensure the default BeSEnvironments, BeSPlaybooks, and BeSPlugins (Tables 4, 5, 6\) are correctly configured and functioning as expected by running test assessments. 3. **User Training:** Provide training to Security Analysts, relevant Developers, and other stakeholders on how to use the lab (submitting assets, running scans, interpreting reports, using BeSLighthouse). 4. **Establish Governance:** Formalize the key governance policies (Section 8.3) and communicate the RACI matrix (Table 8\) to ensure clear processes and responsibilities. 5. **Secure the Lab:** Implement security best practices for the BeSLab host OS, the GitLab instance (user management, network access), and ensure components are kept patched and updated. -### **6.3 Continuous Improvement Roadmap** +### **6.3 Continuous Improvement Roadmap** An effective AI Security Lab requires ongoing maintenance and evolution : * **Expand Plugin Coverage:** Continuously identify and integrate new BeSPlugins to cover more languages, frameworks, vulnerability types, and AI-specific risks. * **Refine Playbooks:** Optimize existing BeSPlaybooks and create new ones tailored to specific organizational needs, risk profiles, or compliance requirements. 
@@ -569,7 +571,7 @@ The following diagrams, referenced by their original file names in the source do By following this guide to establish the initial BeSLab instance and committing to its continuous improvement, organizations can build a powerful internal capability to manage the security risks associated with open source software and artificial intelligence. -## **7. Works Cited** +## **7. Works Cited** 1. Empowering Open Source Project Security , This Repository includes BeS Environment Scripts to launch an instance of BeSLab \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLab](https://github.com/Be-Secure/BeSLab) 2. Be-Secure/BeSLighthouse: Community dashboard for security assessment of open source projects of interest for BeSecure community. Various visualizations on Projects of Interest and Vulnerabilities of interest are available in the dashboard \- GitHub, accessed May 1, 2025, [https://github.com/Be-Secure/BeSLighthouse](https://github.com/Be-Secure/BeSLighthouse) From 9e46e731902fb564dc8dadaf7618528bd68031f2 Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Fri, 2 May 2025 08:44:26 +0530 Subject: [PATCH 28/30] Update AISecurityLabSetupGuide.md Link fixes in BeSlab --- AISecurityLabSetupGuide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 148ab61..294c4b9 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md @@ -160,7 +160,7 @@ ## **Part 2: Setting Up and Configuring Your Lab** -### "**2.1 Setting Up Your Private BeSLab (Lite Mode)** #### **2.1.1 Before You Begin: Prerequisites Checklist** Ensuring the target environment meets all requirements before starting installation is crucial for avoiding common setup problems. A dedicated host machine (a Virtual Machine is recommended for easier management and snapshots) is needed . From d041cd5e3ae72c8e5955b057df14f37a161fb22b Mon Sep 17 00:00:00 2001 
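Review bot: the heading edits in the @@ -106 and @@ -124 hunks leave the numbering style inconsistent across the file: `1. Introduction` keeps a trailing period, `1.2 How BeSLab Works` drops it, `2.2 Configuring Your BeSLab Instance` (@@ -264) drops it, while `3.1\. Populating Your Lab` (@@ -306) still carries the escaped `\.` and `3.2. Operating Your BeSLab` (@@ -397) keeps a plain period. Pick one form, e.g. `1.2 How BeSLab Works` with no trailing period, and apply it to every `###` heading touched in this patch so the rendered table of contents lines up.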
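Review bot: the @@ -253 hunk's step `Login to GitLab: Use username root and the initial\_root\_password from genesis.yaml` is the only place the guide says where the GitLab root credential lives, and the file is not mentioned again beyond the aside `After the initial setup and password change` in 2.2.1 (@@ -264). Add a sentence to 2.1.3 stating that genesis.yaml holds the initial root secret, should be readable only by the installing account, and must not be committed to any of the besecure-lab repositories created in 2.2.2, and make changing the root password an explicit numbered verification step rather than an assumption carried into the next section.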
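Review bot: the @@ -529 hunk reshapes Part 5 and the conclusion but leaves a stale cross-reference in 6.2 step 4, `Formalize the key governance policies (Section 8.3)`: this document has no Section 8, and the governance policies live under `#### **4.2.3 Key Governance Policies to Establish**` (@@ -520), so the reference should read `(Section 4.2.3)`. Two smaller points in the same hunk: the 5.1 intro still says `While the images themselves are not embedded here`, yet the new 5.1.1 and 5.1.2 text embeds them with `![...]`, so that clause should be dropped; and the 5.1.2 image line starts with a stray `* ` bullet that 5.1.1 does not have, which renders the second diagram as a one-item list. The heading levels also drift at this point: `## **6 Conclusion and Next Steps**` and `## **7. Works Cited**` (@@ -569) sit at the same level as `## **Part 5: Visual Aids and Conclusion**` but use a different scheme; `## **Part 6: ...**` and `## **Part 7: ...**` would match the rest of the guide.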
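Review bot: in the @@ -160,7 +160,7 hunk of PATCH 28/30 the removed line `### "**2.1 Setting Up Your Private BeSLab (Lite Mode)**` carries a stray double quote before the bold marker, but the replacement `+` line is not visible in this rendering of the patch; confirm the committed heading reads `### **2.1 Setting Up Your Private BeSLab (Lite Mode)**`, and since the commit message says only `Link fixes in BeSlab`, mention the heading repair there as well so the change is traceable.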
From: Vinod Panicker Date: Fri, 2 May 2025 08:52:52 +0530 Subject: [PATCH 29/30] Update AISecurityLabSetupGuide.md --- AISecurityLabSetupGuide.md | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index 294c4b9..d7010a3 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md @@ -242,14 +242,14 @@ This guide assumes GitLab CE will be installed by the BLIman \`launchlab\` proce Bash bli initmode lite - 6. **Initialize BeSman:** Initialize the BeS Environment Manager, usually installed by bli initmode : + 6. **Initialize BeSman:** Initialize the BeS Environment Manager, usually installed by bli initmode : Bash source $HOME/.besman/bin/besman-init.sh Verify initialization by checking its help command : Bash bes help - 7. **Launch the Lab:** Start the main deployment process : + 8. **Launch the Lab:** Start the main deployment process : Bash bli launchlab This command downloads Docker images, configures and starts containers (GitLab, BeSLighthouse), sets up networking/volumes, and potentially seeds initial GitLab structures . This step can take significant time. Monitor the console output for errors. 
@@ -284,7 +284,8 @@ Successful completion of these checks indicates the core BeSLab infrastructure i #### **2.2.3 Connecting BeSLighthouse to Your Data** BeSLighthouse needs to be configured to find the data repositories within your private GitLab instance . This step activates the dashboard by linking the visualization front-end to the Git-based data back-end. 1. **Locate datastore.ts:** Access the BeSLab host machine (e.g., via SSH). Find the BeSLighthouse installation directory. The exact path depends on the deployment, potentially within a Docker volume mount (check docker inspect \ for volume details) or a location like /opt/BeSLighthouse or /usr/local/share/beslighthouse. Inside this directory, locate the configuration file, typically src/config/datastore.ts . - 2. **Edit datastore.ts:** Open the file using a text editor (like nano or vim). Find the variables defining the URLs for the datastore repositories. Update these URLs to point to the repositories created in **your private GitLab instance** within the besecure-lab group . + 2. **Edit datastore.ts:** Open the file using a text editor (like nano or vim). Find the variables defining the URLs for the datastore repositories. Update these URLs to point to the repositories created in **your private GitLab instance** within the besecure-lab group . + * Example modification: TypeScript // Before modification (example pointing to public GitHub) 
@@ -296,15 +297,16 @@ Successful completion of these checks indicates the core BeSLab infrastructure i export const Assessment\_Repo\_URL \= "http://\/besecure-lab/BeSAssessment.git"; // Update other relevant repository URLs (MoI, ML assessments, etc.) similarly - 3. **Restart BeSLighthouse:** Apply the changes by restarting the BeSLighthouse service or container. If using Docker: - Bash + 4. **Restart BeSLighthouse:** Apply the changes by restarting the BeSLighthouse service or container. If using Docker: + + Bash \# Find the BeSLighthouse container ID or name sudo docker ps \# Restart the container sudo docker restart \ - 4. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. Although the lists will still be empty until data is added, check the browser's developer tools (Network tab) or the container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated in the repositories. + 5. **Verify Connection:** Refresh the BeSLighthouse UI in your browser. Although the lists will still be empty until data is added, check the browser's developer tools (Network tab) or the container logs (sudo docker logs \) for any errors related to accessing the configured GitLab repository URLs. Successful connection means BeSLighthouse can now read data once it's populated in the repositories. ## **Part 3: Populating and Operating Your Lab** 
@@ -351,7 +353,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | Node.js Express | Common web framework for Node.js | SCA (npm), SAST (JavaScript/TS) | | Internal Shared Library X | Critical internal component used by many apps | SAST, SCA, Secrets Scan | - **Table 2: Example OSSPoI Candidates** +**Table 2: Example OSSPoI Candidates** #### **3.1.3 Adding AI Models (OSSMoI) for Assessment** Similar to software projects, Open Source Models of Interest (OSSMoI) need to be onboarded for tracking and security/safety assessment . @@ -367,7 +369,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | GPT-2 | Foundational LLM, often used for experiments | Model Scanning, Provenance Checks | | Internally Fine-tuned Model Y | Model derived from OSSMoI, used in production | Model Scanning, Fine-tuning Data Privacy Review, Robustness Testing | - **Table 3: Example OSSMoI Candidates** +**Table 3: Example OSSMoI Candidates** #### **3.1.4 Integrating Security Tools (BeSPlugins)** The actual security assessment capabilities of the BeSLab depend entirely on the integrated security tools, made available via BeSPlugins . Integrating these tools is therefore a fundamental task. @@ -395,7 +397,7 @@ Successful completion of these checks indicates the core BeSLab infrastructure i | OWASP-ZAP-Plugin | OWASP ZAP | DAST | Dynamic analysis of web application vulnerabilities via crawling/attacking. | | ModelScan-Plugin | ModelScan (or similar) | AI Model Security | Scans ML models for unsafe operators, serialization issues, etc. | - **Table 4: Example Default BeSPlugins** +**Table 4: Example Default BeSPlugins** ### **3.2. Operating Your BeSLab: Workflows in Action** 
@@ -405,8 +407,9 @@ Successful completion of these checks indicates the core BeSLab infrastructure i * **GitLab Merge Request (MR):** Developers or other stakeholders can submit changes to the asset list file via a GitLab Merge Request. This allows Security Analysts to review and approve the submission before it's merged into the main branch, providing an approval gate. * **API Integration (Advanced):** For more sophisticated integration, scripts or internal tools could interact with the GitLab API to update the asset lists, potentially triggered by events in other systems (e.g., a new project created in an internal registry). -The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3: Project/Model Onboarding Flow** +The Git-based submission process, whether manual or via MR, is conceptually illustrated in **Diagram 3** ![Project/Model Onboarding Flow (Git-based)](./docs/images/Diagram3BeSLabProjectModelOnboardingWorkflow.png) +**Diagram 3: Project/Model Onboarding Flow** #### **3.2.2 Running Security Assessments** Assessments are executed using the defined BeSPlaybooks, which orchestrate the use of BeSEnvironments and BeSPlugins . The separation of these components provides modularity—allowing environments to be reused across playbooks, or playbooks to run different sets of plugins—but requires careful coordination to ensure they work together correctly. 
@@ -420,8 +423,9 @@ The Git-based submission process, whether manual or via MR, is conceptually illu 3. The playbook then executes the sequence of defined BeSPlugins (security tools) within that environment, passing the target asset (e.g., code repository path, model file location) as input to each plugin. 4. The playbook collects the results from each plugin. -This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4: Assessment Execution Flow** +This sequence of a playbook orchestrating environments and plugins is visually depicted in **Diagram 4** ![Assessment Execution Flow](./docs/images/Diagram4AssessmentExecutionWorkflow.png) +**Diagram 4: Assessment Execution Flow** #### **3.2.3 Generating and Storing Reports (OSARs)** After the plugins within a playbook have run, the results need to be formalized into a standard report . 
@@ -440,8 +444,9 @@ This sequence of a playbook orchestrating environments and plugins is visually d * **Visualization:** BeSLighthouse reads the OSSVoI data from the assessment results and presents aggregated views, such as counts of vulnerabilities by severity per project . * **Triage & Remediation:** Security Analysts use the OSARs and the BeSLighthouse dashboard to review new findings, validate their authenticity, prioritize them based on severity and context, assign remediation tasks (e.g., creating tickets in an issue tracker), and track the progress of fixes. -The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5: BeSLab Vulnerability Tracking Workflow** +The flow of identifying vulnerabilities during scans and tracking them as OSSVoI is outlined in **Diagram 5** ![Vulnerability Tracking Flow (OSSVoI)](./docs/images/Diagram5BeSLabVulnerabilityTrackingWorkflow.png) +**Diagram 5: BeSLab Vulnerability Tracking Workflow** #### **3.2.6 Engagement Options (Beyond Private Use)** While this guide focuses on a private, internal BeSLab instance functioning as an internal OSAP , the Be-Secure ecosystem allows for potential future interactions: 
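Review bot: the captions added below Diagrams 3, 4 and 5 do not match the images' alt text: the alt text reads "Project/Model Onboarding Flow (Git-based)" while the new caption reads "**Diagram 3: Project/Model Onboarding Flow**", and the alt text "Vulnerability Tracking Flow (OSSVoI)" is paired with "**Diagram 5: BeSLab Vulnerability Tracking Workflow**"; settle on one title per diagram and use it in both the alt text and the caption. The referencing sentences still end without a period after "**Diagram 3**", "**Diagram 4**" and "**Diagram 5**", which the rewrite could have fixed while touching those lines. All three images are linked as ./docs/images/..., and a relative path resolves from the directory of the Markdown file itself, not the repository root, so confirm the images actually live under a docs/images directory next to this document. The table-caption hunks correctly drop the leading "- " that made each caption a stray list item; the surrounding context lines still carry spaces before periods ("security/safety assessment .", "via BeSPlugins .") that deserve the same cleanup.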
@@ -537,11 +542,12 @@ The following diagrams, referenced by their original file names in the source do #### **5.1.1 High-Level Enterprise View:** This diagram illustrates how the private BeSLab instance fits within the broader enterprise IT environment, showing potential interactions with development teams, CI/CD pipelines, and vulnerability management systems. + ![High-Level Enterprise Deployment](./docs/images/Diagram1HighlevelEnterpriseDeployment.png) #### **5.1.2 Detailed Component Layout:** This diagram provides a closer look at the components running on the single host machine in the Lite Mode deployment described in this guide, showing GitLab CE, BeSLighthouse, the underlying container runtime, and their basic connections. -* + ![Detailed BeSLab Component Layout (Lite Mode Host)](./docs/images/Diagram2BeSLabComponentsLayout.png) From edfb607c79d027fd6e8fbfd14d3768a8fb86a6bc Mon Sep 17 00:00:00 2001 From: Vinod Panicker Date: Fri, 2 May 2025 08:53:40 +0530 Subject: [PATCH 30/30] Update AISecurityLabSetupGuide.md --- AISecurityLabSetupGuide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AISecurityLabSetupGuide.md b/AISecurityLabSetupGuide.md index d7010a3..ce704e4 100644 --- a/AISecurityLabSetupGuide.md +++ b/AISecurityLabSetupGuide.md @@ -160,7 +160,7 @@ ## **Part 2: Setting Up and Configuring Your Lab** -### +### **2.1 Setting Up Your Private BeSLab (Lite Mode)** #### **2.1.1 Before You Begin: Prerequisites Checklist** Ensuring the target environment meets all requirements before starting installation is crucial for avoiding common setup problems. A dedicated host machine (a Virtual Machine is recommended for easier management and snapshots) is needed .
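Review bot: in the 5.1.1/5.1.2 hunk the dangling "* " bullet above the component-layout image is rightly removed and a blank line now separates each paragraph from its image, but both headings keep a trailing colon ("#### **5.1.1 High-Level Enterprise View:**", "#### **5.1.2 Detailed Component Layout:**") that the other level-4 headings in this file (e.g. "#### **3.2.2 Running Security Assessments**") do not have; drop the colons for consistency. In the separate AISecurityLabSetupGuide.md patch, replacing the empty "###" with "### **2.1 Setting Up Your Private BeSLab (Lite Mode)**" fixes a heading that would otherwise render as nothing and matches the numbering of "#### **2.1.1 Before You Begin: Prerequisites Checklist**" beneath it; the unchanged context line "is needed ." still has a stray space before its period.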