From 578186aa40e43d654a1c42680bde1eea1ae35d10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= <pedromarting3@gmail.com>
Date: Thu, 30 Apr 2026 13:49:00 +0200
Subject: [PATCH 01/29] feat(sdk): integrate universal compliance into CLI
 pipeline (#10301)

---
 prowler/CHANGELOG.md                          |   2 +
 prowler/__main__.py                           |  54 +-
 prowler/config/config.py                      |   8 +-
 prowler/lib/check/check.py                    |  37 +-
 prowler/lib/check/checks_loader.py            |  20 +-
 prowler/lib/outputs/compliance/compliance.py  | 191 +++--
 .../outputs/compliance/compliance_check.py    |  48 ++
 .../compliance/universal/ocsf_compliance.py   |  58 +-
 .../compliance/universal/universal_output.py  | 294 +++++++
 prowler/lib/outputs/finding.py                |   2 +-
 tests/config/config_test.py                   |  27 +
 tests/lib/check/check_loader_test.py          | 174 +++++
 .../lib/outputs/compliance/compliance_test.py | 120 +++
 .../display_compliance_table_test.py          | 244 ++++++
 .../compliance/process_universal_test.py      | 730 ++++++++++++++++++
 .../universal/ocsf_compliance_test.py         | 158 ++++
 .../universal/universal_output_test.py        | 568 ++++++++++++++
 17 files changed, 2634 insertions(+), 101 deletions(-)
 create mode 100644 prowler/lib/outputs/compliance/compliance_check.py
 create mode 100644 prowler/lib/outputs/compliance/universal/universal_output.py
 create mode 100644 tests/lib/outputs/compliance/display_compliance_table_test.py
 create mode 100644 tests/lib/outputs/compliance/process_universal_test.py
 create mode 100644 tests/lib/outputs/compliance/universal/universal_output_test.py

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index a66c4fef68..283b9508a9 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -7,12 +7,14 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🚀 Added
 
 - `bedrock_guardrails_configured` check for AWS provider [(#10844)](https://github.com/prowler-cloud/prowler/pull/10844)
+- Universal compliance pipeline integrated into the CLI: `--list-compliance` and `--list-compliance-requirements` show universal frameworks, and CSV plus OCSF outputs are generated for any framework declaring a `TableConfig` [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
 
 ### 🔄 Changed
 
 - `route53_dangling_ip_subdomain_takeover` now also flags `CNAME` records pointing to S3 website endpoints whose buckets are missing from the account [(#10920)](https://github.com/prowler-cloud/prowler/pull/10920)
 - Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645)
 - Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs
+- `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
 
 ### 🐞 Fixed
 
diff --git a/prowler/__main__.py b/prowler/__main__.py
index 119c10dd0e..da2b339b27 100644
--- a/prowler/__main__.py
+++ b/prowler/__main__.py
@@ -45,7 +45,10 @@ from prowler.lib.check.check import (
 )
 from prowler.lib.check.checks_loader import load_checks_to_execute
 from prowler.lib.check.compliance import update_checks_metadata_with_compliance
-from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.check.compliance_models import (
+    Compliance,
+    get_bulk_compliance_frameworks_universal,
+)
 from prowler.lib.check.custom_checks_metadata import (
     parse_custom_checks_metadata_file,
     update_checks_metadata,
@@ -75,7 +78,10 @@ from prowler.lib.outputs.compliance.cis.cis_oraclecloud import OracleCloudCIS
 from prowler.lib.outputs.compliance.cisa_scuba.cisa_scuba_googleworkspace import (
     GoogleWorkspaceCISASCuBA,
 )
-from prowler.lib.outputs.compliance.compliance import display_compliance_table
+from prowler.lib.outputs.compliance.compliance import (
+    display_compliance_table,
+    process_universal_compliance_frameworks,
+)
 from prowler.lib.outputs.compliance.csa.csa_alibabacloud import AlibabaCloudCSA
 from prowler.lib.outputs.compliance.csa.csa_aws import AWSCSA
 from prowler.lib.outputs.compliance.csa.csa_azure import AzureCSA
@@ -235,6 +241,8 @@ def prowler():
     # Load compliance frameworks
     logger.debug("Loading compliance frameworks from .json files")
 
+    universal_frameworks = {}
+
     # Skip compliance frameworks for external-tool providers
     if provider not in EXTERNAL_TOOL_PROVIDERS:
         bulk_compliance_frameworks = Compliance.get_bulk(provider)
@@ -242,6 +250,8 @@ def prowler():
         bulk_checks_metadata = update_checks_metadata_with_compliance(
             bulk_compliance_frameworks, bulk_checks_metadata
         )
+        # Load universal compliance frameworks for new rendering pipeline
+        universal_frameworks = get_bulk_compliance_frameworks_universal(provider)
 
     # Update checks metadata if the --custom-checks-metadata-file is present
     custom_checks_metadata = None
@@ -254,12 +264,12 @@ def prowler():
         )
 
     if args.list_compliance:
-        print_compliance_frameworks(bulk_compliance_frameworks)
+        all_frameworks = {**bulk_compliance_frameworks, **universal_frameworks}
+        print_compliance_frameworks(all_frameworks)
         sys.exit()
     if args.list_compliance_requirements:
-        print_compliance_requirements(
-            bulk_compliance_frameworks, args.list_compliance_requirements
-        )
+        all_frameworks = {**bulk_compliance_frameworks, **universal_frameworks}
+        print_compliance_requirements(all_frameworks, args.list_compliance_requirements)
         sys.exit()
 
     # Load checks to execute
@@ -276,6 +286,7 @@ def prowler():
         provider=provider,
         list_checks=getattr(args, "list_checks", False)
         or getattr(args, "list_checks_json", False),
+        universal_frameworks=universal_frameworks,
     )
 
     # if --list-checks-json, dump a json file and exit
@@ -624,15 +635,29 @@ def prowler():
                 )
 
     # Compliance Frameworks
-    # Source the framework listing from `bulk_compliance_frameworks.keys()`
-    # so it is by construction a subset of what the bulk loader can resolve.
-    # `get_available_compliance_frameworks(provider)` also discovers top-level
-    # multi-provider universal JSONs (e.g. `prowler/compliance/csa_ccm_4.0.json`)
-    # which `Compliance.get_bulk(provider)` does not load, and which the legacy
-    # output handlers below cannot consume — using it as the source produced
+    # Source the framework listing from the union of `bulk_compliance_frameworks`
+    # and `universal_frameworks` so universal-only frameworks (e.g.
+    # `prowler/compliance/csa_ccm_4.0.json`) — which `Compliance.get_bulk(provider)`
+    # does not load — still reach `process_universal_compliance_frameworks` below.
+    # The provider-specific block subtracts the names handled by the universal
+    # processor so the legacy per-provider handlers only see frameworks that the
+    # bulk loader actually resolved.
     input_compliance_frameworks = set(output_options.output_modes).intersection(
-        bulk_compliance_frameworks.keys()
+        set(bulk_compliance_frameworks.keys()) | set(universal_frameworks.keys())
     )
+
+    # ── Universal compliance frameworks (provider-agnostic) ──
+    universal_processed = process_universal_compliance_frameworks(
+        input_compliance_frameworks=input_compliance_frameworks,
+        universal_frameworks=universal_frameworks,
+        finding_outputs=finding_outputs,
+        output_directory=output_options.output_directory,
+        output_filename=output_options.output_filename,
+        provider=provider,
+        generated_outputs=generated_outputs,
+    )
+    input_compliance_frameworks -= universal_processed
+
     if provider == "aws":
         for compliance_name in input_compliance_frameworks:
             if compliance_name.startswith("cis_"):
@@ -1402,6 +1427,9 @@ def prowler():
                     output_options.output_filename,
                     output_options.output_directory,
                     compliance_overview,
+                    universal_frameworks=universal_frameworks,
+                    provider=provider,
+                    output_formats=args.output_formats,
                 )
             if compliance_overview:
                 print(
diff --git a/prowler/config/config.py b/prowler/config/config.py
index f80f1f3df9..aa81e81136 100644
--- a/prowler/config/config.py
+++ b/prowler/config/config.py
@@ -87,8 +87,8 @@ def get_available_compliance_frameworks(provider=None):
     providers = [p.value for p in Provider]
     if provider:
         providers = [provider]
-    for provider in providers:
-        compliance_dir = f"{actual_directory}/../compliance/{provider}"
+    for current_provider in providers:
+        compliance_dir = f"{actual_directory}/../compliance/{current_provider}"
         if not os.path.isdir(compliance_dir):
             continue
         with os.scandir(compliance_dir) as files:
@@ -97,7 +97,9 @@ def get_available_compliance_frameworks(provider=None):
                     available_compliance_frameworks.append(
                         file.name.removesuffix(".json")
                     )
-    # Also scan top-level compliance/ for multi-provider JSONs
+    # Also scan top-level compliance/ for multi-provider (universal) JSONs.
+    # When a specific provider was requested, only include the framework if it
+    # declares support for that provider; otherwise include all universal frameworks.
     compliance_root = f"{actual_directory}/../compliance"
     if os.path.isdir(compliance_root):
         with os.scandir(compliance_root) as files:
diff --git a/prowler/lib/check/check.py b/prowler/lib/check/check.py
index 8e365acedc..b15cf8bfbe 100644
--- a/prowler/lib/check/check.py
+++ b/prowler/lib/check/check.py
@@ -299,12 +299,22 @@ def print_compliance_frameworks(
 def print_compliance_requirements(
     bulk_compliance_frameworks: dict, compliance_frameworks: list
 ):
+    from prowler.lib.check.compliance_models import ComplianceFramework
+
     for compliance_framework in compliance_frameworks:
         for key in bulk_compliance_frameworks.keys():
-            framework = bulk_compliance_frameworks[key].Framework
-            provider = bulk_compliance_frameworks[key].Provider
-            version = bulk_compliance_frameworks[key].Version
-            requirements = bulk_compliance_frameworks[key].Requirements
+            entry = bulk_compliance_frameworks[key]
+            is_universal = isinstance(entry, ComplianceFramework)
+            if is_universal:
+                framework = entry.framework
+                provider = entry.provider or "Multi-provider"
+                version = entry.version
+                requirements = entry.requirements
+            else:
+                framework = entry.Framework
+                provider = entry.Provider or "Multi-provider"
+                version = entry.Version
+                requirements = entry.Requirements
             # We can list the compliance requirements for a given framework using the
             # bulk_compliance_frameworks keys since they are the compliance specification file name
             if compliance_framework == key:
@@ -313,10 +323,23 @@ def print_compliance_requirements(
                 )
                 for requirement in requirements:
                     checks = ""
-                    for check in requirement.Checks:
-                        checks += f" {Fore.YELLOW}\t\t{check}\n{Style.RESET_ALL}"
+                    if is_universal:
+                        req_checks = requirement.checks
+                        req_id = requirement.id
+                        req_description = requirement.description
+                    else:
+                        req_checks = requirement.Checks
+                        req_id = requirement.Id
+                        req_description = requirement.Description
+                    if isinstance(req_checks, dict):
+                        for prov, check_list in req_checks.items():
+                            for check in check_list:
+                                checks += f" {Fore.YELLOW}\t\t[{prov}] {check}\n{Style.RESET_ALL}"
+                    else:
+                        for check in req_checks:
+                            checks += f" {Fore.YELLOW}\t\t{check}\n{Style.RESET_ALL}"
                     print(
-                        f"Requirement Id: {Fore.MAGENTA}{requirement.Id}{Style.RESET_ALL}\n\t- Description: {requirement.Description}\n\t- Checks:\n{checks}"
+                        f"Requirement Id: {Fore.MAGENTA}{req_id}{Style.RESET_ALL}\n\t- Description: {req_description}\n\t- Checks:\n{checks}"
                     )
 
 
diff --git a/prowler/lib/check/checks_loader.py b/prowler/lib/check/checks_loader.py
index 5737c0b232..9ef672df6b 100644
--- a/prowler/lib/check/checks_loader.py
+++ b/prowler/lib/check/checks_loader.py
@@ -22,6 +22,7 @@ def load_checks_to_execute(
     categories: set = None,
     resource_groups: set = None,
     list_checks: bool = False,
+    universal_frameworks: dict = None,
 ) -> set:
     """Generate the list of checks to execute based on the cloud provider and the input arguments given"""
     try:
@@ -155,12 +156,21 @@ def load_checks_to_execute(
             if not bulk_compliance_frameworks:
                 bulk_compliance_frameworks = Compliance.get_bulk(provider=provider)
             for compliance_framework in compliance_frameworks:
-                checks_to_execute.update(
-                    CheckMetadata.list(
-                        bulk_compliance_frameworks=bulk_compliance_frameworks,
-                        compliance_framework=compliance_framework,
+                # Try universal frameworks first (snake_case dict-keyed checks)
+                if (
+                    universal_frameworks
+                    and compliance_framework in universal_frameworks
+                ):
+                    fw = universal_frameworks[compliance_framework]
+                    for req in fw.requirements:
+                        checks_to_execute.update(req.checks.get(provider.lower(), []))
+                elif compliance_framework in bulk_compliance_frameworks:
+                    checks_to_execute.update(
+                        CheckMetadata.list(
+                            bulk_compliance_frameworks=bulk_compliance_frameworks,
+                            compliance_framework=compliance_framework,
+                        )
                     )
-                )
 
         # Handle if there are categories passed using --categories
         elif categories:
diff --git a/prowler/lib/outputs/compliance/compliance.py b/prowler/lib/outputs/compliance/compliance.py
index db657063fa..0d743a4d25 100644
--- a/prowler/lib/outputs/compliance/compliance.py
+++ b/prowler/lib/outputs/compliance/compliance.py
@@ -1,10 +1,12 @@
 import sys
 
-from prowler.lib.check.models import Check_Report
 from prowler.lib.logger import logger
 from prowler.lib.outputs.compliance.c5.c5 import get_c5_table
 from prowler.lib.outputs.compliance.ccc.ccc import get_ccc_table
 from prowler.lib.outputs.compliance.cis.cis import get_cis_table
+from prowler.lib.outputs.compliance.compliance_check import (  # noqa: F401 - re-export for backward compatibility
+    get_check_compliance,
+)
 from prowler.lib.outputs.compliance.csa.csa import get_csa_table
 from prowler.lib.outputs.compliance.ens.ens import get_ens_table
 from prowler.lib.outputs.compliance.generic.generic_table import (
@@ -17,6 +19,94 @@ from prowler.lib.outputs.compliance.mitre_attack.mitre_attack import (
 from prowler.lib.outputs.compliance.prowler_threatscore.prowler_threatscore import (
     get_prowler_threatscore_table,
 )
+from prowler.lib.outputs.compliance.universal.universal_table import get_universal_table
+
+
+def process_universal_compliance_frameworks(
+    input_compliance_frameworks: set,
+    universal_frameworks: dict,
+    finding_outputs: list,
+    output_directory: str,
+    output_filename: str,
+    provider: str,
+    generated_outputs: dict,
+) -> set:
+    """Process universal compliance frameworks, generating CSV and OCSF outputs.
+
+    For each framework in *input_compliance_frameworks* that exists in
+    *universal_frameworks* and has an outputs.table_config, this function
+    creates both a CSV (UniversalComplianceOutput) and an OCSF JSON
+    (OCSFComplianceOutput) file.  OCSF is always generated regardless of
+    the user's ``--output-formats`` flag.
+
+    The function is idempotent: it tracks already-created writers via
+    ``generated_outputs["compliance"]`` keyed by ``file_path``. If invoked
+    again for the same framework (e.g. once per streaming batch), it
+    reuses the existing writer instead of recreating it. This guarantees
+    one output writer per framework for the whole execution and keeps
+    the OCSF JSON array valid across multiple calls.
+
+    Returns the set of framework names that were processed so the caller
+    can remove them before entering the legacy per-provider output loop.
+    """
+    from prowler.lib.outputs.compliance.universal.ocsf_compliance import (
+        OCSFComplianceOutput,
+    )
+    from prowler.lib.outputs.compliance.universal.universal_output import (
+        UniversalComplianceOutput,
+    )
+
+    existing_writers = {
+        getattr(out, "file_path", None): out
+        for out in generated_outputs.get("compliance", [])
+        if isinstance(out, (UniversalComplianceOutput, OCSFComplianceOutput))
+    }
+
+    processed = set()
+    for compliance_name in input_compliance_frameworks:
+        if not (
+            compliance_name in universal_frameworks
+            and universal_frameworks[compliance_name].outputs
+            and universal_frameworks[compliance_name].outputs.table_config
+        ):
+            continue
+
+        fw = universal_frameworks[compliance_name]
+
+        # CSV output
+        csv_path = (
+            f"{output_directory}/compliance/" f"{output_filename}_{compliance_name}.csv"
+        )
+        if csv_path not in existing_writers:
+            output = UniversalComplianceOutput(
+                findings=finding_outputs,
+                framework=fw,
+                file_path=csv_path,
+                provider=provider,
+            )
+            generated_outputs["compliance"].append(output)
+            existing_writers[csv_path] = output
+            output.batch_write_data_to_file()
+
+        # OCSF output (always generated for universal frameworks)
+        ocsf_path = (
+            f"{output_directory}/compliance/"
+            f"{output_filename}_{compliance_name}.ocsf.json"
+        )
+        if ocsf_path not in existing_writers:
+            ocsf_output = OCSFComplianceOutput(
+                findings=finding_outputs,
+                framework=fw,
+                file_path=ocsf_path,
+                provider=provider,
+            )
+            generated_outputs["compliance"].append(ocsf_output)
+            existing_writers[ocsf_path] = ocsf_output
+            ocsf_output.batch_write_data_to_file()
+
+        processed.add(compliance_name)
+
+    return processed
 
 
 def display_compliance_table(
@@ -26,6 +116,9 @@ def display_compliance_table(
     output_filename: str,
     output_directory: str,
     compliance_overview: bool,
+    universal_frameworks: dict = None,
+    provider: str = None,
+    output_formats: list = None,
 ) -> None:
     """
     display_compliance_table generates the compliance table for the given compliance framework.
@@ -37,6 +130,9 @@ def display_compliance_table(
         output_filename (str): The output filename
         output_directory (str): The output directory
         compliance_overview (bool): The compliance
+        universal_frameworks (dict): Optional universal ComplianceFramework objects
+        provider (str): The current provider (e.g. "aws") for multi-provider filtering
+        output_formats (list): The output formats to generate
 
     Returns:
         None
@@ -45,16 +141,24 @@ def display_compliance_table(
     findings = [f for f in findings if f.check_metadata.CheckID in bulk_checks_metadata]
 
     try:
-        if "ens_" in compliance_framework:
-            get_ens_table(
-                findings,
-                bulk_checks_metadata,
-                compliance_framework,
-                output_filename,
-                output_directory,
-                compliance_overview,
-            )
-        elif "cis_" in compliance_framework:
+        # Universal path: if the framework has TableConfig, use the universal renderer
+        if universal_frameworks and compliance_framework in universal_frameworks:
+            fw = universal_frameworks[compliance_framework]
+            if fw.outputs and fw.outputs.table_config:
+                get_universal_table(
+                    findings,
+                    bulk_checks_metadata,
+                    compliance_framework,
+                    output_filename,
+                    output_directory,
+                    compliance_overview,
+                    framework=fw,
+                    provider=provider,
+                    output_formats=output_formats,
+                )
+                return
+
+        if compliance_framework.startswith("cis_"):
             get_cis_table(
                 findings,
                 bulk_checks_metadata,
@@ -63,7 +167,16 @@ def display_compliance_table(
                 output_directory,
                 compliance_overview,
             )
-        elif "mitre_attack" in compliance_framework:
+        elif compliance_framework.startswith("ens_"):
+            get_ens_table(
+                findings,
+                bulk_checks_metadata,
+                compliance_framework,
+                output_filename,
+                output_directory,
+                compliance_overview,
+            )
+        elif compliance_framework.startswith("mitre_attack"):
             get_mitre_attack_table(
                 findings,
                 bulk_checks_metadata,
@@ -72,7 +185,7 @@ def display_compliance_table(
                 output_directory,
                 compliance_overview,
             )
-        elif "kisa_isms_" in compliance_framework:
+        elif compliance_framework.startswith("kisa"):
             get_kisa_ismsp_table(
                 findings,
                 bulk_checks_metadata,
@@ -81,7 +194,7 @@ def display_compliance_table(
                 output_directory,
                 compliance_overview,
             )
-        elif "threatscore_" in compliance_framework:
+        elif compliance_framework.startswith("prowler_threatscore_"):
             get_prowler_threatscore_table(
                 findings,
                 bulk_checks_metadata,
@@ -90,7 +203,7 @@ def display_compliance_table(
                 output_directory,
                 compliance_overview,
             )
-        elif "csa_ccm_" in compliance_framework:
+        elif compliance_framework.startswith("csa_ccm_"):
             get_csa_table(
                 findings,
                 bulk_checks_metadata,
@@ -99,7 +212,7 @@ def display_compliance_table(
                 output_directory,
                 compliance_overview,
             )
-        elif "c5_" in compliance_framework:
+        elif compliance_framework.startswith("c5_"):
             get_c5_table(
                 findings,
                 bulk_checks_metadata,
@@ -131,49 +244,3 @@ def display_compliance_table(
             f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
         )
         sys.exit(1)
-
-
-# TODO: this should be in the Check class
-def get_check_compliance(
-    finding: Check_Report, provider_type: str, bulk_checks_metadata: dict
-) -> dict:
-    """get_check_compliance returns a map with the compliance framework as key and the requirements where the finding's check is present.
-
-        Example:
-
-    {
-        "CIS-1.4": ["2.1.3"],
-        "CIS-1.5": ["2.1.3"],
-    }
-
-    Args:
-        finding (Any): The Check_Report finding
-        provider_type (str): The provider type
-        bulk_checks_metadata (dict): The bulk checks metadata
-
-    Returns:
-        dict: The compliance framework as key and the requirements where the finding's check is present.
-    """
-    try:
-        check_compliance = {}
-        # We have to retrieve all the check's compliance requirements
-        if finding.check_metadata.CheckID in bulk_checks_metadata:
-            for compliance in bulk_checks_metadata[
-                finding.check_metadata.CheckID
-            ].Compliance:
-                compliance_fw = compliance.Framework
-                if compliance.Version:
-                    compliance_fw = f"{compliance_fw}-{compliance.Version}"
-                # compliance.Provider == "Azure" or "Kubernetes"
-                # provider_type == "azure" or "kubernetes"
-                if compliance.Provider.upper() == provider_type.upper():
-                    if compliance_fw not in check_compliance:
-                        check_compliance[compliance_fw] = []
-                    for requirement in compliance.Requirements:
-                        check_compliance[compliance_fw].append(requirement.Id)
-        return check_compliance
-    except Exception as error:
-        logger.error(
-            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
-        )
-        return {}
diff --git a/prowler/lib/outputs/compliance/compliance_check.py b/prowler/lib/outputs/compliance/compliance_check.py
new file mode 100644
index 0000000000..85de5faed0
--- /dev/null
+++ b/prowler/lib/outputs/compliance/compliance_check.py
@@ -0,0 +1,48 @@
+from prowler.lib.check.models import Check_Report
+from prowler.lib.logger import logger
+
+
+# TODO: this should be in the Check class
+def get_check_compliance(
+    finding: Check_Report, provider_type: str, bulk_checks_metadata: dict
+) -> dict:
+    """get_check_compliance returns a map with the compliance framework as key and the requirements where the finding's check is present.
+
+        Example:
+
+    {
+        "CIS-1.4": ["2.1.3"],
+        "CIS-1.5": ["2.1.3"],
+    }
+
+    Args:
+        finding (Any): The Check_Report finding
+        provider_type (str): The provider type
+        bulk_checks_metadata (dict): The bulk checks metadata
+
+    Returns:
+        dict: The compliance framework as key and the requirements where the finding's check is present.
+    """
+    try:
+        check_compliance = {}
+        # We have to retrieve all the check's compliance requirements
+        if finding.check_metadata.CheckID in bulk_checks_metadata:
+            for compliance in bulk_checks_metadata[
+                finding.check_metadata.CheckID
+            ].Compliance:
+                compliance_fw = compliance.Framework
+                if compliance.Version:
+                    compliance_fw = f"{compliance_fw}-{compliance.Version}"
+                # compliance.Provider == "Azure" or "Kubernetes"
+                # provider_type == "azure" or "kubernetes"
+                if compliance.Provider.upper() == provider_type.upper():
+                    if compliance_fw not in check_compliance:
+                        check_compliance[compliance_fw] = []
+                    for requirement in compliance.Requirements:
+                        check_compliance[compliance_fw].append(requirement.Id)
+        return check_compliance
+    except Exception as error:
+        logger.error(
+            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
+        )
+        return {}
diff --git a/prowler/lib/outputs/compliance/universal/ocsf_compliance.py b/prowler/lib/outputs/compliance/universal/ocsf_compliance.py
index 3760549cd5..2ce69412e1 100644
--- a/prowler/lib/outputs/compliance/universal/ocsf_compliance.py
+++ b/prowler/lib/outputs/compliance/universal/ocsf_compliance.py
@@ -1,6 +1,7 @@
+import json
 import os
 from datetime import datetime
-from typing import List
+from typing import TYPE_CHECKING, List
 
 from py_ocsf_models.events.base_event import SeverityID
 from py_ocsf_models.events.base_event import StatusID as EventStatusID
@@ -20,11 +21,12 @@ from py_ocsf_models.objects.resource_details import ResourceDetails
 from prowler.config.config import prowler_version
 from prowler.lib.check.compliance_models import ComplianceFramework
 from prowler.lib.logger import logger
-from prowler.lib.outputs.finding import Finding
-from prowler.lib.outputs.ocsf.ocsf import OCSF
 from prowler.lib.outputs.utils import unroll_dict_to_list
 from prowler.lib.utils.utils import open_file
 
+if TYPE_CHECKING:
+    from prowler.lib.outputs.finding import Finding
+
 PROWLER_TO_COMPLIANCE_STATUS = {
     "PASS": ComplianceStatusID.Pass,
     "FAIL": ComplianceStatusID.Fail,
@@ -32,6 +34,40 @@ PROWLER_TO_COMPLIANCE_STATUS = {
 }
 
 
+def _sanitize_resource_data(resource_details, resource_metadata) -> dict:
+    """Ensure resource data is JSON-serializable.
+
+    Service resource_metadata may carry non-serializable objects (e.g. raw
+    Pydantic models or service classes such as ``Trail`` / ``LifecyclePolicy``).
+    Convert them to plain dicts and roundtrip through JSON so the resulting
+    ComplianceFinding can be serialized without errors.
+    """
+
+    def _make_serializable(obj):
+        if hasattr(obj, "model_dump") and callable(obj.model_dump):
+            return _make_serializable(obj.model_dump())
+        if hasattr(obj, "dict") and callable(obj.dict):
+            return _make_serializable(obj.dict())
+        if isinstance(obj, dict):
+            return {str(k): _make_serializable(v) for k, v in obj.items()}
+        if isinstance(obj, (list, tuple)):
+            return [_make_serializable(v) for v in obj]
+        return obj
+
+    try:
+        converted = _make_serializable(resource_metadata)
+        sanitized_metadata = json.loads(json.dumps(converted, default=str))
+    except (TypeError, ValueError, RecursionError) as error:
+        logger.warning(
+            f"Failed to serialize resource metadata, defaulting to empty: {error}"
+        )
+        sanitized_metadata = {}
+    return {
+        "details": resource_details,
+        "metadata": sanitized_metadata,
+    }
+
+
 def _to_snake_case(name: str) -> str:
     """Convert a PascalCase or camelCase string to snake_case."""
     import re
@@ -108,7 +144,7 @@ class OCSFComplianceOutput:
 
     def _transform(
         self,
-        findings: List[Finding],
+        findings: List["Finding"],
         framework: ComplianceFramework,
         compliance_name: str,
     ) -> None:
@@ -177,7 +213,7 @@ class OCSFComplianceOutput:
 
     def _build_compliance_finding(
         self,
-        finding: Finding,
+        finding: "Finding",
         framework: ComplianceFramework,
         requirement,
         compliance_name: str,
@@ -195,7 +231,9 @@ class OCSFComplianceOutput:
                 finding.metadata.Severity.capitalize(),
                 SeverityID.Unknown,
             )
-            event_status = OCSF.get_finding_status_id(finding.muted)
+            event_status = (
+                EventStatusID.Suppressed if finding.muted else EventStatusID.New
+            )
 
             time_value = (
                 int(finding.timestamp.timestamp())
@@ -268,10 +306,10 @@ class OCSFComplianceOutput:
                             if finding.provider == "kubernetes"
                             else None
                         ),
-                        data={
-                            "details": finding.resource_details,
-                            "metadata": finding.resource_metadata,
-                        },
+                        data=_sanitize_resource_data(
+                            finding.resource_details,
+                            finding.resource_metadata,
+                        ),
                     )
                 ],
                 severity_id=finding_severity.value,
diff --git a/prowler/lib/outputs/compliance/universal/universal_output.py b/prowler/lib/outputs/compliance/universal/universal_output.py
new file mode 100644
index 0000000000..5f99f05755
--- /dev/null
+++ b/prowler/lib/outputs/compliance/universal/universal_output.py
@@ -0,0 +1,294 @@
+from csv import DictWriter
+from pathlib import Path
+from typing import TYPE_CHECKING, Optional
+
+from pydantic.v1 import create_model
+
+from prowler.config.config import timestamp
+from prowler.lib.check.compliance_models import ComplianceFramework
+from prowler.lib.logger import logger
+from prowler.lib.utils.utils import open_file
+
+if TYPE_CHECKING:
+    from prowler.lib.outputs.finding import Finding
+
+PROVIDER_HEADER_MAP = {
+    "aws": ("AccountId", "account_uid", "Region", "region"),
+    "azure": ("SubscriptionId", "account_uid", "Location", "region"),
+    "gcp": ("ProjectId", "account_uid", "Location", "region"),
+    "kubernetes": ("Context", "account_name", "Namespace", "region"),
+    "m365": ("TenantId", "account_uid", "Location", "region"),
+    "github": ("Account_Name", "account_name", "Account_Id", "account_uid"),
+    "oraclecloud": ("TenancyId", "account_uid", "Region", "region"),
+    "alibabacloud": ("AccountId", "account_uid", "Region", "region"),
+    "nhn": ("AccountId", "account_uid", "Region", "region"),
+}
+_DEFAULT_HEADERS = ("AccountId", "account_uid", "Region", "region")
+
+
+class UniversalComplianceOutput:
+    """Universal compliance CSV output driven by ComplianceFramework metadata.
+
+    Dynamically builds a Pydantic row model from attributes_metadata so that
+    CSV columns match the framework's declared attribute fields.
+    """
+
+    def __init__(
+        self,
+        findings: list,
+        framework: ComplianceFramework,
+        file_path: str = None,
+        from_cli: bool = True,
+        provider: str = None,
+    ) -> None:
+        self._data = []
+        self._file_descriptor = None
+        self.file_path = file_path
+        self._from_cli = from_cli
+        self._provider = provider
+        self.close_file = False
+
+        if file_path:
+            path_obj = Path(file_path)
+            self._file_extension = path_obj.suffix if path_obj.suffix else ""
+
+        if findings:
+            self._row_model = self._build_row_model(framework)
+            compliance_name = (
+                framework.framework + "-" + framework.version
+                if framework.version
+                else framework.framework
+            )
+            self._transform(findings, framework, compliance_name)
+            if not self._file_descriptor and file_path:
+                self._create_file_descriptor(file_path)
+
+    @property
+    def data(self):
+        return self._data
+
+    def _build_row_model(self, framework: ComplianceFramework):
+        """Build a dynamic Pydantic model from attributes_metadata."""
+        acct_header, acct_field, loc_header, loc_field = PROVIDER_HEADER_MAP.get(
+            (self._provider or "").lower(), _DEFAULT_HEADERS
+        )
+        self._acct_header = acct_header
+        self._acct_field = acct_field
+        self._loc_header = loc_header
+        self._loc_field = loc_field
+
+        # Base fields present in every compliance CSV
+        fields = {
+            "Provider": (str, ...),
+            "Description": (str, ...),
+            acct_header: (str, ...),
+            loc_header: (str, ...),
+            "AssessmentDate": (str, ...),
+            "Requirements_Id": (str, ...),
+            "Requirements_Description": (str, ...),
+        }
+
+        # Dynamic attribute columns from metadata
+        if framework.attributes_metadata:
+            for attr_meta in framework.attributes_metadata:
+                if not attr_meta.output_formats.csv:
+                    continue
+                field_name = f"Requirements_Attributes_{attr_meta.key}"
+                # Map type strings to Python types
+                type_map = {
+                    "str": Optional[str],
+                    "int": Optional[int],
+                    "float": Optional[float],
+                    "bool": Optional[bool],
+                    "list_str": Optional[str],  # Serialized as joined string
+                    "list_dict": Optional[str],  # Serialized as string
+                }
+                py_type = type_map.get(attr_meta.type, Optional[str])
+                fields[field_name] = (py_type, None)
+
+        # Check if any requirement has MITRE fields
+        has_mitre = any(req.tactics for req in framework.requirements if req.tactics)
+        if has_mitre:
+            fields["Requirements_Tactics"] = (Optional[str], None)
+            fields["Requirements_SubTechniques"] = (Optional[str], None)
+            fields["Requirements_Platforms"] = (Optional[str], None)
+            fields["Requirements_TechniqueURL"] = (Optional[str], None)
+
+        # Trailing fields
+        fields["Status"] = (str, ...)
+        fields["StatusExtended"] = (str, ...)
+        fields["ResourceId"] = (str, ...)
+        fields["ResourceName"] = (str, ...)
+        fields["CheckId"] = (str, ...)
+        fields["Muted"] = (bool, ...)
+        fields["Framework"] = (str, ...)
+        fields["Name"] = (str, ...)
+
+        return create_model("UniversalComplianceRow", **fields)
+
+    def _serialize_attr_value(self, value):
+        """Serialize attribute values for CSV."""
+        if isinstance(value, list):
+            if value and isinstance(value[0], dict):
+                return str(value)
+            return " | ".join(str(v) for v in value)
+        return value
+
+    def _build_row(self, finding, framework, requirement, is_manual=False):
+        """Build a single row dict for a finding + requirement combination."""
+        row = {
+            "Provider": (
+                finding.provider
+                if not is_manual
+                else (framework.provider or self._provider or "").lower()
+            ),
+            "Description": framework.description,
+            self._acct_header: (
+                getattr(finding, self._acct_field, "") if not is_manual else ""
+            ),
+            self._loc_header: (
+                getattr(finding, self._loc_field, "") if not is_manual else ""
+            ),
+            "AssessmentDate": str(timestamp),
+            "Requirements_Id": requirement.id,
+            "Requirements_Description": requirement.description,
+        }
+
+        # Add dynamic attribute columns
+        if framework.attributes_metadata:
+            for attr_meta in framework.attributes_metadata:
+                if not attr_meta.output_formats.csv:
+                    continue
+                field_name = f"Requirements_Attributes_{attr_meta.key}"
+                raw_val = requirement.attributes.get(attr_meta.key)
+                row[field_name] = (
+                    self._serialize_attr_value(raw_val) if raw_val is not None else None
+                )
+
+        # MITRE fields
+        if requirement.tactics:
+            row["Requirements_Tactics"] = (
+                " | ".join(requirement.tactics) if requirement.tactics else None
+            )
+            row["Requirements_SubTechniques"] = (
+                " | ".join(requirement.sub_techniques)
+                if requirement.sub_techniques
+                else None
+            )
+            row["Requirements_Platforms"] = (
+                " | ".join(requirement.platforms) if requirement.platforms else None
+            )
+            row["Requirements_TechniqueURL"] = requirement.technique_url
+
+        row["Status"] = finding.status if not is_manual else "MANUAL"
+        row["StatusExtended"] = (
+            finding.status_extended if not is_manual else "Manual check"
+        )
+        row["ResourceId"] = finding.resource_uid if not is_manual else "manual_check"
+        row["ResourceName"] = finding.resource_name if not is_manual else "Manual check"
+        row["CheckId"] = finding.check_id if not is_manual else "manual"
+        row["Muted"] = finding.muted if not is_manual else False
+        row["Framework"] = framework.framework
+        row["Name"] = framework.name
+
+        return row
+
+    def _transform(
+        self,
+        findings: list["Finding"],
+        framework: ComplianceFramework,
+        compliance_name: str,
+    ) -> None:
+        """Transform findings into universal compliance CSV rows."""
+        # Build check -> requirements map (filtered by provider for dict checks)
+        check_req_map = {}
+        for req in framework.requirements:
+            checks = req.checks
+            if self._provider:
+                all_checks = checks.get(self._provider.lower(), [])
+            else:
+                all_checks = []
+                for check_list in checks.values():
+                    all_checks.extend(check_list)
+            for check_id in all_checks:
+                if check_id not in check_req_map:
+                    check_req_map[check_id] = []
+                check_req_map[check_id].append(req)
+
+        # Process findings using the provider-filtered check_req_map.
+        # This ensures that for multi-provider dict checks, only the checks
+        # belonging to the current provider produce output rows.
+        for finding in findings:
+            check_id = finding.check_id
+            if check_id in check_req_map:
+                for req in check_req_map[check_id]:
+                    row = self._build_row(finding, framework, req)
+                    try:
+                        self._data.append(self._row_model(**row))
+                    except Exception as e:
+                        logger.debug(f"Skipping row for {req.id}: {e}")
+
+        # Manual requirements (no checks or empty dict)
+        for req in framework.requirements:
+            checks = req.checks
+            if self._provider:
+                has_checks = bool(checks.get(self._provider.lower(), []))
+            else:
+                has_checks = any(checks.values())
+
+            if not has_checks:
+                # Use a dummy finding-like namespace for manual rows
+                row = self._build_row(
+                    _ManualFindingStub(), framework, req, is_manual=True
+                )
+                try:
+                    self._data.append(self._row_model(**row))
+                except Exception as e:
+                    logger.debug(f"Skipping manual row for {req.id}: {e}")
+
+    def _create_file_descriptor(self, file_path: str) -> None:
+        try:
+            self._file_descriptor = open_file(file_path, "a")
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def batch_write_data_to_file(self) -> None:
+        """Write findings data to CSV."""
+        try:
+            if (
+                getattr(self, "_file_descriptor", None)
+                and not self._file_descriptor.closed
+                and self._data
+            ):
+                csv_writer = DictWriter(
+                    self._file_descriptor,
+                    fieldnames=[field.upper() for field in self._data[0].dict().keys()],
+                    delimiter=";",
+                )
+                if self._file_descriptor.tell() == 0:
+                    csv_writer.writeheader()
+                for row in self._data:
+                    csv_writer.writerow({k.upper(): v for k, v in row.dict().items()})
+                if self.close_file or self._from_cli:
+                    self._file_descriptor.close()
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+
+class _ManualFindingStub:
+    """Minimal stub to satisfy _build_row for manual requirements."""
+
+    provider = ""
+    account_uid = ""
+    account_name = ""
+    region = ""
+    status = "MANUAL"
+    status_extended = "Manual check"
+    resource_uid = "manual_check"
+    resource_name = "Manual check"
+    check_id = "manual"
+    muted = False
diff --git a/prowler/lib/outputs/finding.py b/prowler/lib/outputs/finding.py
index 3da2f0d7d3..95a634c85f 100644
--- a/prowler/lib/outputs/finding.py
+++ b/prowler/lib/outputs/finding.py
@@ -15,7 +15,7 @@ from prowler.lib.check.models import (
 )
 from prowler.lib.logger import logger
 from prowler.lib.outputs.common import Status, fill_common_finding_data
-from prowler.lib.outputs.compliance.compliance import get_check_compliance
+from prowler.lib.outputs.compliance.compliance_check import get_check_compliance
 from prowler.lib.outputs.utils import unroll_tags
 from prowler.lib.utils.utils import dict_to_lowercase, get_nested_attribute
 from prowler.providers.common.provider import Provider
diff --git a/tests/config/config_test.py b/tests/config/config_test.py
index 8bf7755267..f7349d2004 100644
--- a/tests/config/config_test.py
+++ b/tests/config/config_test.py
@@ -436,6 +436,33 @@ class Test_Config:
         assert "csa_ccm_4.0" in aws_frameworks
         assert "csa_ccm_4.0" not in kubernetes_frameworks
 
+    def test_get_available_compliance_frameworks_no_provider_includes_universals(self):
+        """Regression test for the variable shadowing bug.
+
+        Previously, the inner ``for provider in providers`` loop shadowed
+        the outer ``provider`` parameter. When called without a provider,
+        the post-loop ``if provider:`` branch wrongly applied
+        ``framework.supports_provider(<last provider iterated>)`` and
+        excluded universal frameworks from the result.
+
+        Result: the parser-level ``available_compliance_frameworks``
+        constant was missing universal frameworks like ``csa_ccm_4.0``,
+        which made ``--compliance csa_ccm_4.0`` reject the choice.
+        """
+        all_frameworks = get_available_compliance_frameworks()
+        assert "csa_ccm_4.0" in all_frameworks
+
+    def test_get_available_compliance_frameworks_does_not_mutate_provider_param(self):
+        """Calling with a specific provider must not affect a subsequent
+        call without provider. Validates that the loop variable rename
+        prevents leaking state between calls."""
+        # Force an iteration over multiple providers first
+        get_available_compliance_frameworks("kubernetes")
+        # Then a no-provider call must still include universals supported
+        # by ANY provider (not filtered by some leaked value)
+        all_frameworks = get_available_compliance_frameworks()
+        assert "csa_ccm_4.0" in all_frameworks
+
     def test_load_and_validate_config_file_aws(self):
         path = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
         config_test_file = f"{path}/fixtures/config.yaml"
diff --git a/tests/lib/check/check_loader_test.py b/tests/lib/check/check_loader_test.py
index 5650ee17ab..24cc93bac0 100644
--- a/tests/lib/check/check_loader_test.py
+++ b/tests/lib/check/check_loader_test.py
@@ -675,3 +675,177 @@ class TestCheckLoader:
         )
         assert CLOUDTRAIL_THREAT_DETECTION_ENUMERATION_NAME not in result
         assert S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME in result
+
+    def test_load_checks_to_execute_universal_framework_takes_precedence(self):
+        """When ``--compliance <fw>`` matches a universal framework, the
+        loader must source checks from ``universal_frameworks[fw].requirements[*]
+        .checks[provider]`` and NOT fall through to ``bulk_compliance_frameworks``.
+
+        This is the path added by PR #10301 in checks_loader.py.
+        """
+        from prowler.lib.check.compliance_models import (
+            ComplianceFramework,
+            UniversalComplianceRequirement,
+        )
+
+        bulk_checks_metadata = {
+            S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
+        }
+
+        universal_framework = ComplianceFramework(
+            framework="csa_ccm",
+            name="CSA CCM 4.0",
+            version="4.0",
+            description="Cloud Controls Matrix",
+            requirements=[
+                UniversalComplianceRequirement(
+                    id="A&A-01",
+                    description="Audit & Assurance",
+                    attributes={},
+                    checks={"aws": [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME]},
+                ),
+            ],
+        )
+
+        with patch(
+            "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
+            return_value=bulk_checks_metadata,
+        ):
+            result = load_checks_to_execute(
+                bulk_checks_metadata=bulk_checks_metadata,
+                bulk_compliance_frameworks={},  # legacy empty
+                compliance_frameworks=["csa_ccm_4.0"],
+                provider=self.provider,
+                universal_frameworks={"csa_ccm_4.0": universal_framework},
+            )
+
+        assert result == {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME}
+
+    def test_load_checks_to_execute_universal_filters_by_provider(self):
+        """A universal requirement may declare checks for several
+        providers; the loader must only return those for the active
+        provider key (lowercased)."""
+        from prowler.lib.check.compliance_models import (
+            ComplianceFramework,
+            UniversalComplianceRequirement,
+        )
+
+        bulk_checks_metadata = {
+            S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
+        }
+
+        # The same requirement maps a different check per provider.
+        # Only the AWS one must be returned for provider="aws".
+        universal_framework = ComplianceFramework(
+            framework="csa_ccm",
+            name="CSA CCM 4.0",
+            version="4.0",
+            description="Cloud Controls Matrix",
+            requirements=[
+                UniversalComplianceRequirement(
+                    id="A&A-02",
+                    description="Multi-provider req",
+                    attributes={},
+                    checks={
+                        "aws": [S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME],
+                        "azure": ["azure_only_check"],
+                        "gcp": ["gcp_only_check"],
+                    },
+                ),
+            ],
+        )
+
+        with patch(
+            "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
+            return_value=bulk_checks_metadata,
+        ):
+            result = load_checks_to_execute(
+                bulk_checks_metadata=bulk_checks_metadata,
+                bulk_compliance_frameworks={},
+                compliance_frameworks=["csa_ccm_4.0"],
+                provider=self.provider,  # "aws"
+                universal_frameworks={"csa_ccm_4.0": universal_framework},
+            )
+
+        assert S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME in result
+        assert "azure_only_check" not in result
+        assert "gcp_only_check" not in result
+
+    def test_load_checks_to_execute_universal_no_match_falls_back_to_legacy(self):
+        """If the requested compliance framework is not present in
+        ``universal_frameworks``, the loader must fall back to the
+        legacy ``bulk_compliance_frameworks`` lookup."""
+        bulk_checks_metadata = {
+            S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
+        }
+        bulk_compliance_frameworks = {
+            "soc2_aws": Compliance(
+                Framework="SOC2",
+                Name="SOC2",
+                Provider="aws",
+                Version="2.0",
+                Description="x",
+                Requirements=[
+                    Compliance_Requirement(
+                        Checks=[S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME],
+                        Id="",
+                        Description="",
+                        Attributes=[],
+                    )
+                ],
+            ),
+        }
+
+        with patch(
+            "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
+            return_value=bulk_checks_metadata,
+        ):
+            result = load_checks_to_execute(
+                bulk_checks_metadata=bulk_checks_metadata,
+                bulk_compliance_frameworks=bulk_compliance_frameworks,
+                compliance_frameworks=["soc2_aws"],
+                provider=self.provider,
+                universal_frameworks={"some_other_universal_fw": object()},
+            )
+
+        assert result == {S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME}
+
+    def test_load_checks_to_execute_universal_unknown_provider_returns_empty(self):
+        """If the universal requirement has no checks for the active
+        provider, no checks are picked up for that requirement."""
+        from prowler.lib.check.compliance_models import (
+            ComplianceFramework,
+            UniversalComplianceRequirement,
+        )
+
+        bulk_checks_metadata = {
+            S3_BUCKET_LEVEL_PUBLIC_ACCESS_BLOCK_NAME: self.get_custom_check_s3_metadata()
+        }
+        universal_framework = ComplianceFramework(
+            framework="csa_ccm",
+            name="CSA CCM 4.0",
+            version="4.0",
+            description="Cloud Controls Matrix",
+            requirements=[
+                UniversalComplianceRequirement(
+                    id="A&A-03",
+                    description="Only Azure",
+                    attributes={},
+                    checks={"azure": ["azure_only_check"]},
+                ),
+            ],
+        )
+
+        with patch(
+            "prowler.lib.check.checks_loader.CheckMetadata.get_bulk",
+            return_value=bulk_checks_metadata,
+        ):
+            result = load_checks_to_execute(
+                bulk_checks_metadata=bulk_checks_metadata,
+                bulk_compliance_frameworks={},
+                compliance_frameworks=["csa_ccm_4.0"],
+                provider=self.provider,  # "aws" — no checks declared
+                universal_frameworks={"csa_ccm_4.0": universal_framework},
+            )
+
+        assert result == set()
diff --git a/tests/lib/outputs/compliance/compliance_test.py b/tests/lib/outputs/compliance/compliance_test.py
index bb6a7e4089..f38c783d42 100644
--- a/tests/lib/outputs/compliance/compliance_test.py
+++ b/tests/lib/outputs/compliance/compliance_test.py
@@ -442,3 +442,123 @@ class TestComplianceOutput:
         )
 
         assert compliance_output.file_extension == ".csv"
+
+
+class TestComplianceCheckHelperModule:
+    """Tests for the new ``compliance_check`` leaf module that hosts
+    ``get_check_compliance``.
+
+    This module exists to break the cyclic import chain
+    ``finding -> compliance.compliance -> universal.* -> finding`` that
+    CodeQL flagged. It must be:
+      - importable directly without pulling in the universal pipeline
+      - re-exported by ``compliance.compliance`` for backward compatibility
+      - the SAME function object, regardless of import path
+    """
+
+    def test_module_is_importable_directly(self):
+        """The helper module must be importable on its own — it is the
+        leaf used by ``finding.py`` to break the cyclic import chain."""
+        from prowler.lib.outputs.compliance import compliance_check
+
+        assert hasattr(compliance_check, "get_check_compliance")
+        assert callable(compliance_check.get_check_compliance)
+
+    def test_helper_module_only_depends_on_check_models_and_logger(self):
+        """The helper must not pull in universal pipeline modules; that
+        was the whole point of extracting it. Inspecting the module's
+        own imports keeps it honest without polluting ``sys.modules``."""
+        import inspect
+
+        from prowler.lib.outputs.compliance import compliance_check
+
+        source = inspect.getsource(compliance_check)
+        # Only these two prowler imports are allowed in the leaf module
+        assert "from prowler.lib.check.models import Check_Report" in source
+        assert "from prowler.lib.logger import logger" in source
+        # And NOT these (would re-introduce the cycle):
+        assert "from prowler.lib.outputs.compliance.universal" not in source
+        assert "from prowler.lib.outputs.finding" not in source
+        assert "from prowler.lib.outputs.ocsf" not in source
+
+    def test_re_export_from_compliance_compliance(self):
+        """``compliance.compliance.get_check_compliance`` must point to
+        the same function as ``compliance.compliance_check.get_check_compliance``."""
+        from prowler.lib.outputs.compliance.compliance import (
+            get_check_compliance as via_compliance,
+        )
+        from prowler.lib.outputs.compliance.compliance_check import (
+            get_check_compliance as via_helper,
+        )
+
+        assert via_compliance is via_helper
+
+    def test_re_export_from_finding_module(self):
+        """``finding.get_check_compliance`` must point to the same
+        function. Test mocks rely on this attribute existing on the
+        ``prowler.lib.outputs.finding`` module."""
+        from prowler.lib.outputs.compliance.compliance_check import (
+            get_check_compliance as via_helper,
+        )
+        from prowler.lib.outputs.finding import get_check_compliance as via_finding
+
+        assert via_finding is via_helper
+
+    def test_returns_empty_dict_on_unknown_check(self):
+        """Sanity test of the function logic via the helper module."""
+        from prowler.lib.outputs.compliance.compliance_check import (
+            get_check_compliance,
+        )
+
+        finding = mock.MagicMock()
+        finding.check_metadata.CheckID = "unknown_check_id"
+        result = get_check_compliance(finding, "aws", {})
+        assert result == {}
+
+    def test_filters_by_provider(self):
+        """The function returns frameworks only for the matching provider."""
+        from prowler.lib.outputs.compliance.compliance_check import (
+            get_check_compliance,
+        )
+
+        compliance_aws = mock.MagicMock(
+            Framework="CIS",
+            Version="1.4",
+            Provider="AWS",
+            Requirements=[mock.MagicMock(Id="2.1.3")],
+        )
+        compliance_azure = mock.MagicMock(
+            Framework="CIS",
+            Version="2.0",
+            Provider="Azure",
+            Requirements=[mock.MagicMock(Id="9.1")],
+        )
+        finding = mock.MagicMock()
+        finding.check_metadata.CheckID = "shared_check"
+        bulk = {
+            "shared_check": mock.MagicMock(
+                Compliance=[compliance_aws, compliance_azure]
+            )
+        }
+
+        # Only AWS frameworks come back
+        result = get_check_compliance(finding, "aws", bulk)
+        assert "CIS-1.4" in result
+        assert "CIS-2.0" not in result
+
+    def test_returns_empty_dict_on_exception(self):
+        """If iteration raises, the function logs the error and returns
+        an empty dict (defensive behaviour)."""
+        from prowler.lib.outputs.compliance.compliance_check import (
+            get_check_compliance,
+        )
+
+        # bulk_checks_metadata that raises when accessed → defensive path
+        class Boom:
+            def __contains__(self, _key):
+                raise RuntimeError("boom")
+
+        finding = mock.MagicMock()
+        finding.check_metadata.CheckID = "any"
+        result = get_check_compliance(finding, "aws", Boom())
+        assert result == {}
diff --git a/tests/lib/outputs/compliance/display_compliance_table_test.py b/tests/lib/outputs/compliance/display_compliance_table_test.py
new file mode 100644
index 0000000000..0d2cd5313b
--- /dev/null
+++ b/tests/lib/outputs/compliance/display_compliance_table_test.py
@@ -0,0 +1,244 @@
+"""Tests for display_compliance_table dispatch logic.
+
+Validates that each compliance framework name is routed to the correct
+table renderer via startswith matching, and that the universal early-return
+takes precedence when applicable.
+"""
+
+from unittest.mock import patch
+
+import pytest
+
+from prowler.lib.check.compliance_models import (
+    ComplianceFramework,
+    OutputsConfig,
+    TableConfig,
+    UniversalComplianceRequirement,
+)
+from prowler.lib.outputs.compliance.compliance import display_compliance_table
+
+MODULE = "prowler.lib.outputs.compliance.compliance"
+
+# Common args shared by every call — the actual values don't matter
+# because we mock the downstream renderers.
+_COMMON = dict(
+    findings=[],
+    bulk_checks_metadata={},
+    output_filename="out",
+    output_directory="/tmp",
+    compliance_overview=False,
+)
+
+
+# ── Dispatch to legacy table renderers ───────────────────────────────
+
+
+class TestDispatchStartswith:
+    """Each framework prefix must route to exactly one renderer."""
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        [
+            "cis_1.4_aws",
+            "cis_2.0_azure",
+            "cis_3.0_gcp",
+            "cis_6.0_m365",
+            "cis_1.10_kubernetes",
+        ],
+    )
+    @patch(f"{MODULE}.get_cis_table")
+    def test_cis_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        ["ens_rd2022_aws", "ens_rd2022_azure", "ens_rd2022_gcp"],
+    )
+    @patch(f"{MODULE}.get_ens_table")
+    def test_ens_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        ["mitre_attack_aws", "mitre_attack_azure", "mitre_attack_gcp"],
+    )
+    @patch(f"{MODULE}.get_mitre_attack_table")
+    def test_mitre_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        ["kisa_isms_p_2023_aws", "kisa_isms_p_2023_korean_aws"],
+    )
+    @patch(f"{MODULE}.get_kisa_ismsp_table")
+    def test_kisa_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        [
+            "prowler_threatscore_aws",
+            "prowler_threatscore_azure",
+            "prowler_threatscore_gcp",
+            "prowler_threatscore_kubernetes",
+            "prowler_threatscore_m365",
+            "prowler_threatscore_alibabacloud",
+        ],
+    )
+    @patch(f"{MODULE}.get_prowler_threatscore_table")
+    def test_threatscore_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        [
+            "csa_ccm_4.0_aws",
+            "csa_ccm_4.0_azure",
+            "csa_ccm_4.0_gcp",
+            "csa_ccm_4.0_oraclecloud",
+            "csa_ccm_4.0_alibabacloud",
+        ],
+    )
+    @patch(f"{MODULE}.get_csa_table")
+    def test_csa_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        ["c5_aws", "c5_azure", "c5_gcp"],
+    )
+    @patch(f"{MODULE}.get_c5_table")
+    def test_c5_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+    @pytest.mark.parametrize(
+        "framework_name",
+        [
+            "soc2_aws",
+            "hipaa_aws",
+            "gdpr_aws",
+            "nist_800_53_revision_4_aws",
+            "pci_3.2.1_aws",
+            "iso27001_2013_aws",
+            "aws_well_architected_framework_security_pillar_aws",
+            "fedramp_low_revision_4_aws",
+            "cisa_aws",
+        ],
+    )
+    @patch(f"{MODULE}.get_generic_compliance_table")
+    def test_generic_dispatch(self, mock_fn, framework_name):
+        display_compliance_table(compliance_framework=framework_name, **_COMMON)
+        mock_fn.assert_called_once()
+
+
+# ── No false matches (the old `in` bug) ─────────────────────────────
+
+
+class TestNoFalseSubstringMatches:
+    """Frameworks that previously could false-match with `in` must NOT
+    be routed to the wrong renderer now that we use startswith."""
+
+    @patch(f"{MODULE}.get_ens_table")
+    @patch(f"{MODULE}.get_generic_compliance_table")
+    def test_cisa_does_not_match_cis(self, mock_generic, mock_cis):
+        """'cisa_aws' must NOT match startswith('cis_')."""
+        display_compliance_table(compliance_framework="cisa_aws", **_COMMON)
+        mock_generic.assert_called_once()
+        mock_cis.assert_not_called()
+
+    @patch(f"{MODULE}.get_prowler_threatscore_table")
+    @patch(f"{MODULE}.get_generic_compliance_table")
+    def test_threatscore_prefix_not_partial(self, mock_generic, mock_ts):
+        """A hypothetical 'threatscore_custom_aws' must NOT match
+        startswith('prowler_threatscore_')."""
+        display_compliance_table(
+            compliance_framework="threatscore_custom_aws", **_COMMON
+        )
+        mock_generic.assert_called_once()
+        mock_ts.assert_not_called()
+
+    @patch(f"{MODULE}.get_ens_table")
+    @patch(f"{MODULE}.get_prowler_threatscore_table")
+    def test_prowler_threatscore_does_not_match_ens(self, mock_ts, mock_ens):
+        """'prowler_threatscore_aws' must hit threatscore, never ens."""
+        display_compliance_table(
+            compliance_framework="prowler_threatscore_aws", **_COMMON
+        )
+        mock_ts.assert_called_once()
+        mock_ens.assert_not_called()
+
+
+# ── Universal early-return ───────────────────────────────────────────
+
+
+class TestUniversalEarlyReturn:
+    """The universal path must take precedence over the elif chain."""
+
+    @staticmethod
+    def _make_fw():
+        return ComplianceFramework(
+            framework="CIS",
+            name="CIS",
+            provider="AWS",
+            version="5.0",
+            description="d",
+            requirements=[
+                UniversalComplianceRequirement(
+                    id="1.1",
+                    description="d",
+                    attributes={},
+                    checks={"aws": ["check_a"]},
+                ),
+            ],
+            outputs=OutputsConfig(table_config=TableConfig(group_by="_default")),
+        )
+
+    @patch(f"{MODULE}.get_universal_table")
+    @patch(f"{MODULE}.get_cis_table")
+    def test_universal_takes_precedence_over_cis(self, mock_cis, mock_universal):
+        """A CIS framework in universal_frameworks with TableConfig must
+        use the universal renderer, not get_cis_table."""
+        fw = self._make_fw()
+        display_compliance_table(
+            compliance_framework="cis_5.0_aws",
+            universal_frameworks={"cis_5.0_aws": fw},
+            **_COMMON,
+        )
+        mock_universal.assert_called_once()
+        mock_cis.assert_not_called()
+
+    @patch(f"{MODULE}.get_universal_table")
+    @patch(f"{MODULE}.get_cis_table")
+    def test_falls_through_without_table_config(self, mock_cis, mock_universal):
+        """If the universal framework has no TableConfig, fall through
+        to the legacy elif chain."""
+        fw = self._make_fw()
+        fw.outputs = None
+        display_compliance_table(
+            compliance_framework="cis_5.0_aws",
+            universal_frameworks={"cis_5.0_aws": fw},
+            **_COMMON,
+        )
+        mock_cis.assert_called_once()
+        mock_universal.assert_not_called()
+
+    @patch(f"{MODULE}.get_universal_table")
+    @patch(f"{MODULE}.get_generic_compliance_table")
+    def test_falls_through_when_not_in_universal_dict(
+        self, mock_generic, mock_universal
+    ):
+        """If universal_frameworks is empty, fall through to legacy."""
+        display_compliance_table(
+            compliance_framework="soc2_aws",
+            universal_frameworks={},
+            **_COMMON,
+        )
+        mock_generic.assert_called_once()
+        mock_universal.assert_not_called()
diff --git a/tests/lib/outputs/compliance/process_universal_test.py b/tests/lib/outputs/compliance/process_universal_test.py
new file mode 100644
index 0000000000..fa8b737ddd
--- /dev/null
+++ b/tests/lib/outputs/compliance/process_universal_test.py
@@ -0,0 +1,730 @@
+"""Tests for process_universal_compliance_frameworks and --list-compliance fixes.
+
+Validates that the pre-processing step:
+ - generates both CSV and OCSF outputs for universal frameworks
+ - always generates OCSF (no output-format gate)
+ - skips frameworks without outputs or table_config
+ - skips frameworks not in universal_frameworks
+ - returns the set of processed names for removal from the legacy loop
+ - works across different providers
+
+Also validates that print_compliance_frameworks and print_compliance_requirements
+work with universal ComplianceFramework objects (dict checks, None provider).
+"""
+
+import json
+import os
+from datetime import datetime, timezone
+from types import SimpleNamespace
+
+import pytest
+
+from prowler.lib.check.check import (
+    print_compliance_frameworks,
+    print_compliance_requirements,
+)
+from prowler.lib.check.compliance_models import (
+    AttributeMetadata,
+    ComplianceFramework,
+    OutputsConfig,
+    TableConfig,
+    UniversalComplianceRequirement,
+)
+from prowler.lib.outputs.compliance.compliance import (
+    process_universal_compliance_frameworks,
+)
+from prowler.lib.outputs.compliance.universal.ocsf_compliance import (
+    OCSFComplianceOutput,
+)
+from prowler.lib.outputs.compliance.universal.universal_output import (
+    UniversalComplianceOutput,
+)
+
+
+@pytest.fixture(autouse=True)
+def _create_compliance_dir(tmp_path):
+    """Ensure the compliance/ subdirectory exists before each test."""
+    os.makedirs(tmp_path / "compliance", exist_ok=True)
+
+
+# ── Helpers ──────────────────────────────────────────────────────────
+
+
+def _make_finding(check_id, status="PASS", provider="aws"):
+    """Create a mock Finding with all fields needed by both output classes."""
+    finding = SimpleNamespace()
+    finding.provider = provider
+    finding.account_uid = "123456789012"
+    finding.account_name = "test-account"
+    finding.account_email = ""
+    finding.account_organization_uid = "org-123"
+    finding.account_organization_name = "test-org"
+    finding.account_tags = {"env": "test"}
+    finding.region = "us-east-1"
+    finding.status = status
+    finding.status_extended = f"{check_id} is {status}"
+    finding.resource_uid = f"arn:aws:iam::123456789012:{check_id}"
+    finding.resource_name = check_id
+    finding.resource_details = "some details"
+    finding.resource_metadata = {}
+    finding.resource_tags = {"Name": "test"}
+    finding.partition = "aws"
+    finding.muted = False
+    finding.check_id = check_id
+    finding.uid = "test-finding-uid"
+    finding.timestamp = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
+    finding.prowler_version = "5.0.0"
+    finding.compliance = {"TestFW-1.0": ["1.1"]}
+    finding.metadata = SimpleNamespace(
+        Provider=provider,
+        CheckID=check_id,
+        CheckTitle=f"Title for {check_id}",
+        CheckType=["test-type"],
+        Description=f"Description for {check_id}",
+        Severity="medium",
+        ServiceName="iam",
+        ResourceType="aws-iam-role",
+        Risk="test-risk",
+        RelatedUrl="https://example.com",
+        Remediation=SimpleNamespace(
+            Recommendation=SimpleNamespace(Text="Fix it", Url="https://fix.com"),
+        ),
+        DependsOn=[],
+        RelatedTo=[],
+        Categories=["test"],
+        Notes="",
+        AdditionalURLs=[],
+    )
+    return finding
+
+
+def _make_universal_framework(name="TestFW", version="1.0", with_table_config=True):
+    """Build a ComplianceFramework with optional table_config."""
+    reqs = [
+        UniversalComplianceRequirement(
+            id="1.1",
+            description="Test requirement",
+            attributes={"Section": "IAM"},
+            checks={"aws": ["check_a"]},
+        ),
+    ]
+    metadata = [AttributeMetadata(key="Section", type="str")]
+    outputs = None
+    if with_table_config:
+        outputs = OutputsConfig(table_config=TableConfig(group_by="Section"))
+    return ComplianceFramework(
+        framework=name,
+        name=f"{name} Framework",
+        provider="AWS",
+        version=version,
+        description="Test framework",
+        requirements=reqs,
+        attributes_metadata=metadata,
+        outputs=outputs,
+    )
+
+
+# ── Tests ────────────────────────────────────────────────────────────
+
+
+class TestProcessUniversalComplianceFrameworks:
+    """Core tests for the extracted pre-processing function."""
+
+    def test_generates_csv_and_ocsf_outputs(self, tmp_path):
+        """Both CSV and OCSF outputs are appended to generated_outputs."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_output",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == {"test_fw_1.0"}
+        assert len(generated["compliance"]) == 2
+        assert isinstance(generated["compliance"][0], UniversalComplianceOutput)
+        assert isinstance(generated["compliance"][1], OCSFComplianceOutput)
+
+    def test_ocsf_always_generated_no_format_gate(self, tmp_path):
+        """OCSF output is generated regardless of output_formats — no gate."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+        process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_output",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        ocsf_outputs = [
+            o for o in generated["compliance"] if isinstance(o, OCSFComplianceOutput)
+        ]
+        assert len(ocsf_outputs) == 1
+
+    def test_csv_file_written(self, tmp_path):
+        """CSV file is created with expected content."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+        process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_output",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        csv_path = tmp_path / "compliance" / "prowler_output_test_fw_1.0.csv"
+        assert csv_path.exists()
+        content = csv_path.read_text()
+        assert "PROVIDER" in content
+        assert "REQUIREMENTS_ATTRIBUTES_SECTION" in content
+
+    def test_ocsf_file_written(self, tmp_path):
+        """OCSF JSON file is created with valid content."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+        process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_output",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        ocsf_path = tmp_path / "compliance" / "prowler_output_test_fw_1.0.ocsf.json"
+        assert ocsf_path.exists()
+        data = json.loads(ocsf_path.read_text())
+        assert isinstance(data, list)
+        assert len(data) >= 1
+        assert data[0]["class_uid"] == 2003
+
+    def test_returns_processed_names(self, tmp_path):
+        """Returns the set of framework names that were processed."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0", "legacy_fw"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == {"test_fw_1.0"}
+        assert "legacy_fw" not in processed
+
+
+class TestSkipConditions:
+    """Tests for frameworks that should NOT be processed."""
+
+    def test_skips_framework_not_in_universal(self, tmp_path):
+        """Frameworks not in universal_frameworks dict are skipped."""
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"cis_aws_1.4"},
+            universal_frameworks={},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == set()
+        assert len(generated["compliance"]) == 0
+
+    def test_skips_framework_without_outputs(self, tmp_path):
+        """Frameworks with outputs=None are skipped."""
+        fw = _make_universal_framework(with_table_config=False)
+        # outputs is None since with_table_config=False
+        assert fw.outputs is None
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == set()
+        assert len(generated["compliance"]) == 0
+
+    def test_skips_framework_with_outputs_but_no_table_config(self, tmp_path):
+        """Frameworks with outputs but table_config=None are skipped."""
+        fw = _make_universal_framework()
+        # Manually set table_config to None while keeping outputs
+        fw.outputs = OutputsConfig(table_config=None)
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == set()
+        assert len(generated["compliance"]) == 0
+
+    def test_empty_input_frameworks(self, tmp_path):
+        """No processing when input set is empty."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks=set(),
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == set()
+        assert len(generated["compliance"]) == 0
+
+
+class TestMixedFrameworks:
+    """Tests with a mix of universal and legacy frameworks."""
+
+    def test_only_universal_processed_legacy_untouched(self, tmp_path):
+        """Only universal frameworks are processed; legacy names are not returned."""
+        universal_fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        all_frameworks = {"test_fw_1.0", "cis_aws_1.4", "nist_800_53_aws"}
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks=all_frameworks,
+            universal_frameworks={"test_fw_1.0": universal_fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == {"test_fw_1.0"}
+        # 2 outputs for the one universal framework (CSV + OCSF)
+        assert len(generated["compliance"]) == 2
+
+    def test_removal_from_input_set(self, tmp_path):
+        """Caller can subtract processed set from input to get legacy-only frameworks."""
+        universal_fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        input_frameworks = {"test_fw_1.0", "cis_aws_1.4", "nist_800_53_aws"}
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks=input_frameworks,
+            universal_frameworks={"test_fw_1.0": universal_fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        remaining = input_frameworks - processed
+        assert remaining == {"cis_aws_1.4", "nist_800_53_aws"}
+
+    def test_multiple_universal_frameworks(self, tmp_path):
+        """Multiple universal frameworks each get CSV + OCSF."""
+        fw1 = _make_universal_framework(name="FW1", version="1.0")
+        fw2 = _make_universal_framework(name="FW2", version="2.0")
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"fw1_1.0", "fw2_2.0", "legacy"},
+            universal_frameworks={"fw1_1.0": fw1, "fw2_2.0": fw2},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == {"fw1_1.0", "fw2_2.0"}
+        # 2 frameworks × 2 outputs each = 4
+        assert len(generated["compliance"]) == 4
+        csv_outputs = [
+            o
+            for o in generated["compliance"]
+            if isinstance(o, UniversalComplianceOutput)
+        ]
+        ocsf_outputs = [
+            o for o in generated["compliance"] if isinstance(o, OCSFComplianceOutput)
+        ]
+        assert len(csv_outputs) == 2
+        assert len(ocsf_outputs) == 2
+
+
+class TestProviderVariants:
+    """Verify the function works for different providers."""
+
+    @pytest.mark.parametrize(
+        "provider",
+        [
+            "aws",
+            "azure",
+            "gcp",
+            "kubernetes",
+            "m365",
+            "github",
+            "oraclecloud",
+            "alibabacloud",
+            "nhn",
+        ],
+    )
+    def test_all_providers_produce_outputs(self, tmp_path, provider):
+        """Each provider generates CSV + OCSF when given a universal framework."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a", provider=provider)],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider=provider,
+            generated_outputs=generated,
+        )
+
+        assert processed == {"test_fw_1.0"}
+        assert len(generated["compliance"]) == 2
+        assert isinstance(generated["compliance"][0], UniversalComplianceOutput)
+        assert isinstance(generated["compliance"][1], OCSFComplianceOutput)
+
+
+class TestEmptyFindings:
+    """Test behavior when there are no findings."""
+
+    def test_still_processed_with_empty_findings(self, tmp_path):
+        """Framework is still marked as processed even with no findings."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        processed = process_universal_compliance_frameworks(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        assert processed == {"test_fw_1.0"}
+        # Outputs are still appended (they'll just have empty data)
+        assert len(generated["compliance"]) == 2
+
+
+class TestFilePaths:
+    """Verify correct file path construction."""
+
+    def test_csv_path_format(self, tmp_path):
+        """CSV output has the correct file path."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        process_universal_compliance_frameworks(
+            input_compliance_frameworks={"csa_ccm_4.0"},
+            universal_frameworks={"csa_ccm_4.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_report",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        csv_output = generated["compliance"][0]
+        assert csv_output.file_path == (
+            f"{tmp_path}/compliance/prowler_report_csa_ccm_4.0.csv"
+        )
+
+    def test_ocsf_path_format(self, tmp_path):
+        """OCSF output has the correct file path."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+
+        process_universal_compliance_frameworks(
+            input_compliance_frameworks={"csa_ccm_4.0"},
+            universal_frameworks={"csa_ccm_4.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_report",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        ocsf_output = generated["compliance"][1]
+        assert ocsf_output.file_path == (
+            f"{tmp_path}/compliance/prowler_report_csa_ccm_4.0.ocsf.json"
+        )
+
+
+# ── Tests for --list-compliance fix ──────────────────────────────────
+
+
+def _make_legacy_compliance():
+    """Create a mock legacy Compliance-like object with the expected attributes."""
+    return SimpleNamespace(
+        Framework="CIS",
+        Provider="AWS",
+        Version="1.4",
+        Requirements=[
+            SimpleNamespace(
+                Id="2.1.3",
+                Description="Ensure MFA Delete is enabled",
+                Checks=["s3_bucket_mfa_delete"],
+            ),
+        ],
+    )
+
+
+class TestPrintComplianceFrameworks:
+    """Tests for print_compliance_frameworks with universal frameworks."""
+
+    def test_includes_universal_frameworks(self, capsys):
+        """Universal frameworks appear in the listing."""
+        legacy = {"cis_1.4_aws": _make_legacy_compliance()}
+        universal = {"csa_ccm_4.0": _make_universal_framework()}
+        merged = {**legacy, **universal}
+
+        print_compliance_frameworks(merged)
+        captured = capsys.readouterr().out
+
+        assert "cis_1.4_aws" in captured
+        assert "csa_ccm_4.0" in captured
+
+    def test_count_includes_both(self, capsys):
+        """Framework count includes both legacy and universal."""
+        legacy = {"cis_1.4_aws": _make_legacy_compliance()}
+        universal = {"csa_ccm_4.0": _make_universal_framework()}
+        merged = {**legacy, **universal}
+
+        print_compliance_frameworks(merged)
+        captured = capsys.readouterr().out
+
+        assert "2" in captured
+
+    def test_universal_only(self, capsys):
+        """Works when only universal frameworks are present."""
+        universal = {"csa_ccm_4.0": _make_universal_framework()}
+
+        print_compliance_frameworks(universal)
+        captured = capsys.readouterr().out
+
+        assert "csa_ccm_4.0" in captured
+        assert "1" in captured
+
+
+class TestPrintComplianceRequirements:
+    """Tests for print_compliance_requirements with universal frameworks."""
+
+    def test_list_checks_universal_framework(self, capsys):
+        """Requirements with dict checks are printed correctly."""
+        fw = _make_universal_framework()
+        all_fw = {"test_fw_1.0": fw}
+
+        print_compliance_requirements(all_fw, ["test_fw_1.0"])
+        captured = capsys.readouterr().out
+
+        assert "1.1" in captured
+        assert "check_a" in captured
+
+    def test_dict_checks_universal_framework(self, capsys):
+        """Requirements with dict checks show provider-prefixed checks."""
+        reqs = [
+            UniversalComplianceRequirement(
+                id="A&A-01",
+                description="Audit & Assurance",
+                attributes={"Section": "A&A"},
+                checks={"aws": ["check_a", "check_b"], "azure": ["check_c"]},
+            ),
+        ]
+        fw = ComplianceFramework(
+            framework="CSA_CCM",
+            name="CSA CCM 4.0",
+            version="4.0",
+            description="Cloud Controls Matrix",
+            requirements=reqs,
+        )
+        all_fw = {"csa_ccm_4.0": fw}
+
+        print_compliance_requirements(all_fw, ["csa_ccm_4.0"])
+        captured = capsys.readouterr().out
+
+        assert "A&A-01" in captured
+        assert "[aws] check_a" in captured
+        assert "[aws] check_b" in captured
+        assert "[azure] check_c" in captured
+
+    def test_none_provider_shows_multi_provider(self, capsys):
+        """Frameworks with provider=None show 'Multi-provider'."""
+        fw = ComplianceFramework(
+            framework="CSA_CCM",
+            name="CSA CCM 4.0",
+            version="4.0",
+            description="Cloud Controls Matrix",
+            requirements=[
+                UniversalComplianceRequirement(
+                    id="1.1",
+                    description="test",
+                    attributes={},
+                    checks={"aws": ["check_a"]},
+                ),
+            ],
+        )
+        all_fw = {"csa_ccm_4.0": fw}
+
+        print_compliance_requirements(all_fw, ["csa_ccm_4.0"])
+        captured = capsys.readouterr().out
+
+        assert "Multi-provider" in captured
+
+
+# ── Idempotency tests ────────────────────────────────────────────────
+
+
+class TestIdempotency:
+    """The function must be safe to invoke multiple times for the same
+    framework. Repeated calls must reuse writers tracked in
+    ``generated_outputs["compliance"]`` instead of recreating them.
+
+    This guards against:
+      - duplicate writer entries in generated_outputs (regular pipeline
+        treats one writer per framework)
+      - the OCSF append-bug where a second writer would emit
+        ``[...]<new>...]`` and break the JSON array.
+    """
+
+    def test_second_call_does_not_duplicate_writers(self, tmp_path):
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+        kwargs = dict(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_output",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        first = process_universal_compliance_frameworks(**kwargs)
+        first_count = len(generated["compliance"])
+        second = process_universal_compliance_frameworks(**kwargs)
+        second_count = len(generated["compliance"])
+
+        assert first == {"test_fw_1.0"}
+        assert second == {"test_fw_1.0"}  # still reported as processed
+        assert first_count == 2  # CSV + OCSF
+        assert second_count == 2  # NO duplication
+
+    def test_second_call_keeps_ocsf_json_valid(self, tmp_path):
+        """End-to-end: after two calls the OCSF JSON file must still be
+        a single, valid JSON array — not the broken ``[...]...]`` form."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+        kwargs = dict(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_output",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        process_universal_compliance_frameworks(**kwargs)
+        process_universal_compliance_frameworks(**kwargs)
+
+        ocsf_path = tmp_path / "compliance" / "prowler_output_test_fw_1.0.ocsf.json"
+        data = json.loads(ocsf_path.read_text())  # Will raise on invalid JSON
+        assert isinstance(data, list)
+        assert len(data) >= 1
+
+    def test_reuses_existing_writer_object(self, tmp_path):
+        """The CSV/OCSF writer instances appended on first call must be
+        the SAME objects after a second call — not fresh ones."""
+        fw = _make_universal_framework()
+        generated = {"compliance": []}
+        kwargs = dict(
+            input_compliance_frameworks={"test_fw_1.0"},
+            universal_frameworks={"test_fw_1.0": fw},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="prowler_output",
+            provider="aws",
+            generated_outputs=generated,
+        )
+
+        process_universal_compliance_frameworks(**kwargs)
+        first_writers = list(generated["compliance"])
+        process_universal_compliance_frameworks(**kwargs)
+        second_writers = list(generated["compliance"])
+
+        # Same identity, same length — reused, not recreated.
+        assert len(first_writers) == len(second_writers)
+        for a, b in zip(first_writers, second_writers):
+            assert a is b
+
+    def test_idempotency_across_mixed_frameworks(self, tmp_path):
+        """When the second call adds a new framework, the new one is
+        created while existing ones are NOT recreated."""
+        fw1 = _make_universal_framework(name="FW1", version="1.0")
+        fw2 = _make_universal_framework(name="FW2", version="2.0")
+        generated = {"compliance": []}
+
+        # First call: only FW1
+        process_universal_compliance_frameworks(
+            input_compliance_frameworks={"fw1_1.0"},
+            universal_frameworks={"fw1_1.0": fw1, "fw2_2.0": fw2},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+        first_writers = list(generated["compliance"])
+        assert len(first_writers) == 2
+
+        # Second call: includes both. FW1 must be reused, FW2 created fresh.
+        process_universal_compliance_frameworks(
+            input_compliance_frameworks={"fw1_1.0", "fw2_2.0"},
+            universal_frameworks={"fw1_1.0": fw1, "fw2_2.0": fw2},
+            finding_outputs=[_make_finding("check_a")],
+            output_directory=str(tmp_path),
+            output_filename="out",
+            provider="aws",
+            generated_outputs=generated,
+        )
+        second_writers = list(generated["compliance"])
+        assert len(second_writers) == 4  # 2 (FW1 reused) + 2 new (FW2)
+        # FW1 writer instances unchanged
+        assert second_writers[0] is first_writers[0]
+        assert second_writers[1] is first_writers[1]
diff --git a/tests/lib/outputs/compliance/universal/ocsf_compliance_test.py b/tests/lib/outputs/compliance/universal/ocsf_compliance_test.py
index 39bce5cb20..71429fc1ca 100644
--- a/tests/lib/outputs/compliance/universal/ocsf_compliance_test.py
+++ b/tests/lib/outputs/compliance/universal/ocsf_compliance_test.py
@@ -2,6 +2,7 @@ import json
 from datetime import datetime, timezone
 from types import SimpleNamespace
 
+from py_ocsf_models.events.base_event import StatusID as EventStatusID
 from py_ocsf_models.events.findings.compliance_finding import ComplianceFinding
 from py_ocsf_models.events.findings.compliance_finding_type_id import (
     ComplianceFindingTypeID,
@@ -18,6 +19,7 @@ from prowler.lib.check.compliance_models import (
 )
 from prowler.lib.outputs.compliance.universal.ocsf_compliance import (
     OCSFComplianceOutput,
+    _sanitize_resource_data,
 )
 
 
@@ -473,3 +475,159 @@ class TestOCSFComplianceOutput:
         cf = output.data[0]
         assert cf.unmapped["requirement_attributes"]["section"] == "Logging"
         assert "internal_note" not in cf.unmapped["requirement_attributes"]
+
+
+class TestSanitizeResourceData:
+    """Unit tests for the _sanitize_resource_data helper.
+
+    Service resources may carry non-JSON-serializable objects (e.g. raw
+    Pydantic models such as ``Trail`` or ``LifecyclePolicy``). The helper
+    must convert them so the resulting ComplianceFinding can be serialized.
+    """
+
+    def test_dict_passthrough(self):
+        result = _sanitize_resource_data("details", {"a": 1, "b": "two"})
+        assert result == {"details": "details", "metadata": {"a": 1, "b": "two"}}
+
+    def test_none_metadata(self):
+        result = _sanitize_resource_data("details", None)
+        assert result == {"details": "details", "metadata": None}
+
+    def test_pydantic_v2_model_dump(self):
+        class FakeV2Model:
+            def model_dump(self):
+                return {"name": "trail-1", "region": "us-east-1"}
+
+        result = _sanitize_resource_data("d", {"trail": FakeV2Model()})
+        assert result["metadata"]["trail"] == {
+            "name": "trail-1",
+            "region": "us-east-1",
+        }
+
+    def test_pydantic_v1_dict(self):
+        class FakeV1Model:
+            def dict(self):
+                return {"name": "policy-1", "schedule": "daily"}
+
+        result = _sanitize_resource_data("d", {"policy": FakeV1Model()})
+        assert result["metadata"]["policy"] == {
+            "name": "policy-1",
+            "schedule": "daily",
+        }
+
+    def test_nested_pydantic_in_list(self):
+        class FakeModel:
+            def model_dump(self):
+                return {"id": "x"}
+
+        result = _sanitize_resource_data("d", {"items": [FakeModel(), FakeModel()]})
+        assert result["metadata"]["items"] == [{"id": "x"}, {"id": "x"}]
+
+    def test_nested_dict_recursion(self):
+        class FakeInner:
+            def model_dump(self):
+                return {"k": "v"}
+
+        result = _sanitize_resource_data(
+            "d", {"outer": {"inner": FakeInner(), "x": [1, 2]}}
+        )
+        assert result["metadata"]["outer"]["inner"] == {"k": "v"}
+        assert result["metadata"]["outer"]["x"] == [1, 2]
+
+    def test_tuple_to_list(self):
+        result = _sanitize_resource_data("d", {"t": (1, 2, "three")})
+        assert result["metadata"]["t"] == [1, 2, "three"]
+
+    def test_non_string_dict_keys_coerced(self):
+        result = _sanitize_resource_data("d", {1: "a", 2: "b"})
+        assert result["metadata"] == {"1": "a", "2": "b"}
+
+    def test_unknown_object_falls_back_to_str(self):
+        class Opaque:
+            def __str__(self):
+                return "opaque-repr"
+
+        result = _sanitize_resource_data("d", {"thing": Opaque()})
+        assert result["metadata"]["thing"] == "opaque-repr"
+
+    def test_circular_reference_falls_back_to_empty(self):
+        a = {}
+        a["self"] = a
+        # json.dumps raises ValueError on recursion → fallback to empty metadata
+        result = _sanitize_resource_data("d", a)
+        assert result == {"details": "d", "metadata": {}}
+
+    def test_serializes_via_full_finding_pipeline(self):
+        """End-to-end: a finding with a non-serializable resource_metadata
+        produces a JSON-serializable ComplianceFinding."""
+
+        class TrailLike:
+            def __init__(self):
+                self.name = "trail-A"
+                self.kms_key_id = "arn:aws:kms:..."
+
+            def model_dump(self):
+                return {"name": self.name, "kms_key_id": self.kms_key_id}
+
+        finding = _make_finding("check_a")
+        finding.resource_metadata = {"trail": TrailLike()}
+        req = _simple_requirement()
+        fw = _make_framework([req])
+
+        output = OCSFComplianceOutput(findings=[finding], framework=fw, provider="aws")
+
+        # Serialize the resulting ComplianceFinding — must NOT raise
+        cf = output.data[0]
+        if hasattr(cf, "model_dump_json"):
+            json_output = cf.model_dump_json(exclude_none=True)
+        else:
+            json_output = cf.json(exclude_none=True)
+        payload = json.loads(json_output)
+
+        # Confirm the trail object made it through as a plain dict
+        assert payload["resources"][0]["data"]["metadata"]["trail"]["name"] == "trail-A"
+
+
+class TestEventStatusInline:
+    """Tests for the inlined event_status logic that replaced
+    OCSF.get_finding_status_id() to break the cyclic import."""
+
+    def test_unmuted_finding_status_new(self):
+        finding = _make_finding("check_a")
+        finding.muted = False
+        req = _simple_requirement()
+        fw = _make_framework([req])
+
+        output = OCSFComplianceOutput(findings=[finding], framework=fw, provider="aws")
+        cf = output.data[0]
+
+        assert cf.status_id == EventStatusID.New.value
+        assert cf.status == EventStatusID.New.name
+
+    def test_muted_finding_status_suppressed(self):
+        finding = _make_finding("check_a")
+        finding.muted = True
+        req = _simple_requirement()
+        fw = _make_framework([req])
+
+        output = OCSFComplianceOutput(findings=[finding], framework=fw, provider="aws")
+        cf = output.data[0]
+
+        assert cf.status_id == EventStatusID.Suppressed.value
+        assert cf.status == EventStatusID.Suppressed.name
+
+
+class TestNoTopLevelOCSFImport:
+    """Regression test: the top-level OCSF/Finding imports were removed
+    to break the CodeQL cyclic-import warnings. Ensure they stay out of
+    the runtime namespace of the module (TYPE_CHECKING block only)."""
+
+    def test_finding_not_in_runtime_namespace(self):
+        import prowler.lib.outputs.compliance.universal.ocsf_compliance as mod
+
+        assert "Finding" not in dir(mod)
+
+    def test_ocsf_class_not_imported(self):
+        import prowler.lib.outputs.compliance.universal.ocsf_compliance as mod
+
+        assert "OCSF" not in dir(mod)
diff --git a/tests/lib/outputs/compliance/universal/universal_output_test.py b/tests/lib/outputs/compliance/universal/universal_output_test.py
new file mode 100644
index 0000000000..391a9015d7
--- /dev/null
+++ b/tests/lib/outputs/compliance/universal/universal_output_test.py
@@ -0,0 +1,568 @@
+from types import SimpleNamespace
+
+from prowler.lib.check.compliance_models import (
+    AttributeMetadata,
+    ComplianceFramework,
+    OutputFormats,
+    OutputsConfig,
+    TableConfig,
+    UniversalComplianceRequirement,
+)
+from prowler.lib.outputs.compliance.universal.universal_output import (
+    UniversalComplianceOutput,
+)
+
+
+def _make_finding(check_id, status="PASS", compliance_map=None):
+    """Create a mock Finding for output tests."""
+    finding = SimpleNamespace()
+    finding.provider = "aws"
+    finding.account_uid = "123456789012"
+    finding.account_name = "test-account"
+    finding.region = "us-east-1"
+    finding.status = status
+    finding.status_extended = f"{check_id} is {status}"
+    finding.resource_uid = f"arn:aws:iam::123456789012:{check_id}"
+    finding.resource_name = check_id
+    finding.muted = False
+    finding.check_id = check_id
+    finding.metadata = SimpleNamespace(
+        Provider="aws",
+        CheckID=check_id,
+        Severity="medium",
+    )
+    finding.compliance = compliance_map or {}
+    return finding
+
+
+def _make_framework(requirements, attrs_metadata=None, table_config=None):
+    return ComplianceFramework(
+        framework="TestFW",
+        name="Test Framework",
+        provider="AWS",
+        version="1.0",
+        description="Test framework",
+        requirements=requirements,
+        attributes_metadata=attrs_metadata,
+        outputs=OutputsConfig(table_config=table_config) if table_config else None,
+    )
+
+
+class TestDynamicCSVColumns:
+    def test_columns_match_metadata(self, tmp_path):
+        reqs = [
+            UniversalComplianceRequirement(
+                id="1.1",
+                description="test",
+                attributes={"Section": "IAM", "SubSection": "Auth"},
+                checks={"aws": ["check_a"]},
+            ),
+        ]
+        metadata = [
+            AttributeMetadata(key="Section", type="str"),
+            AttributeMetadata(key="SubSection", type="str"),
+        ]
+        fw = _make_framework(reqs, metadata, TableConfig(group_by="Section"))
+
+        findings = [
+            _make_finding("check_a", "PASS", {"TestFW-1.0": ["1.1"]}),
+        ]
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+        )
+
+        assert len(output.data) == 1
+        row_dict = output.data[0].dict()
+        assert "Requirements_Attributes_Section" in row_dict
+        assert "Requirements_Attributes_SubSection" in row_dict
+        assert row_dict["Requirements_Attributes_Section"] == "IAM"
+        assert row_dict["Requirements_Attributes_SubSection"] == "Auth"
+
+
+class TestManualRequirements:
+    def test_manual_status(self, tmp_path):
+        reqs = [
+            UniversalComplianceRequirement(
+                id="1.1",
+                description="test",
+                attributes={"Section": "IAM"},
+                checks={"aws": ["check_a"]},
+            ),
+            UniversalComplianceRequirement(
+                id="manual-1",
+                description="manual check",
+                attributes={"Section": "Governance"},
+                checks={},
+            ),
+        ]
+        metadata = [
+            AttributeMetadata(key="Section", type="str"),
+        ]
+        fw = _make_framework(reqs, metadata, TableConfig(group_by="Section"))
+
+        findings = [
+            _make_finding("check_a", "PASS", {"TestFW-1.0": ["1.1"]}),
+        ]
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+        )
+
+        # Should have 1 real finding + 1 manual
+        assert len(output.data) == 2
+        manual_rows = [r for r in output.data if r.dict()["Status"] == "MANUAL"]
+        assert len(manual_rows) == 1
+        assert manual_rows[0].dict()["Requirements_Id"] == "manual-1"
+        assert manual_rows[0].dict()["ResourceId"] == "manual_check"
+
+
+class TestMITREExtraColumns:
+    def test_mitre_columns_present(self, tmp_path):
+        reqs = [
+            UniversalComplianceRequirement(
+                id="T1190",
+                description="Exploit",
+                attributes={},
+                checks={"aws": ["check_a"]},
+                tactics=["Initial Access"],
+                sub_techniques=[],
+                platforms=["IaaS"],
+                technique_url="https://attack.mitre.org/techniques/T1190/",
+            ),
+        ]
+        fw = _make_framework(reqs, None, TableConfig(group_by="_Tactics"))
+
+        findings = [
+            _make_finding("check_a", "PASS", {"TestFW-1.0": ["T1190"]}),
+        ]
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+        )
+
+        assert len(output.data) == 1
+        row_dict = output.data[0].dict()
+        assert "Requirements_Tactics" in row_dict
+        assert row_dict["Requirements_Tactics"] == "Initial Access"
+        assert "Requirements_TechniqueURL" in row_dict
+
+
+class TestCSVFileWrite:
+    def test_batch_write(self, tmp_path):
+        reqs = [
+            UniversalComplianceRequirement(
+                id="1.1",
+                description="test",
+                attributes={"Section": "IAM"},
+                checks={"aws": ["check_a"]},
+            ),
+        ]
+        metadata = [
+            AttributeMetadata(key="Section", type="str"),
+        ]
+        fw = _make_framework(reqs, metadata, TableConfig(group_by="Section"))
+
+        findings = [
+            _make_finding("check_a", "PASS", {"TestFW-1.0": ["1.1"]}),
+        ]
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+        )
+        output.batch_write_data_to_file()
+
+        # Verify file was created and has content
+        with open(filepath, "r") as f:
+            content = f.read()
+        assert "PROVIDER" in content  # Headers are uppercase
+        assert "REQUIREMENTS_ATTRIBUTES_SECTION" in content
+        assert "IAM" in content
+
+
+class TestNoFindings:
+    def test_empty_findings_no_data(self, tmp_path):
+        reqs = [
+            UniversalComplianceRequirement(
+                id="1.1",
+                description="test",
+                attributes={"Section": "IAM"},
+                checks={"aws": ["check_a"]},
+            ),
+        ]
+        fw = _make_framework(reqs, None, TableConfig(group_by="Section"))
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=[],
+            framework=fw,
+            file_path=filepath,
+        )
+        assert len(output.data) == 0
+
+
+class TestMultiProviderOutput:
+    def test_dict_checks_filtered_by_provider(self, tmp_path):
+        """Only checks for the given provider appear in CSV output."""
+        reqs = [
+            UniversalComplianceRequirement(
+                id="1.1",
+                description="test",
+                attributes={"Section": "IAM"},
+                checks={"aws": ["check_a"], "azure": ["check_b"]},
+            ),
+        ]
+        metadata = [
+            AttributeMetadata(key="Section", type="str"),
+        ]
+        fw = ComplianceFramework(
+            framework="MultiCloud",
+            name="Multi",
+            version="1.0",
+            description="Test multi-provider",
+            requirements=reqs,
+            attributes_metadata=metadata,
+            outputs=OutputsConfig(table_config=TableConfig(group_by="Section")),
+        )
+
+        findings = [
+            _make_finding("check_a", "PASS", {"MultiCloud-1.0": ["1.1"]}),
+            _make_finding("check_b", "FAIL", {"MultiCloud-1.0": ["1.1"]}),
+        ]
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+            provider="aws",
+        )
+
+        # Only check_a should match (it's the AWS check)
+        assert len(output.data) == 1
+        row_dict = output.data[0].dict()
+        assert row_dict["Requirements_Attributes_Section"] == "IAM"
+
+    def test_no_provider_includes_all(self, tmp_path):
+        """Without provider filter, all checks from all providers are included."""
+        reqs = [
+            UniversalComplianceRequirement(
+                id="1.1",
+                description="test",
+                attributes={"Section": "IAM"},
+                checks={"aws": ["check_a"], "azure": ["check_b"]},
+            ),
+        ]
+        metadata = [
+            AttributeMetadata(key="Section", type="str"),
+        ]
+        fw = ComplianceFramework(
+            framework="MultiCloud",
+            name="Multi",
+            version="1.0",
+            description="Test multi-provider",
+            requirements=reqs,
+            attributes_metadata=metadata,
+            outputs=OutputsConfig(table_config=TableConfig(group_by="Section")),
+        )
+
+        findings = [
+            _make_finding("check_a", "PASS", {"MultiCloud-1.0": ["1.1"]}),
+            _make_finding("check_b", "FAIL", {"MultiCloud-1.0": ["1.1"]}),
+        ]
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+        )
+
+        # Both checks should be included without provider filter
+        assert len(output.data) == 2
+
+    def test_empty_dict_checks_is_manual(self, tmp_path):
+        """Requirement with empty dict checks is treated as manual."""
+        reqs = [
+            UniversalComplianceRequirement(
+                id="manual-1",
+                description="manual check",
+                attributes={"Section": "Governance"},
+                checks={},
+            ),
+        ]
+        metadata = [
+            AttributeMetadata(key="Section", type="str"),
+        ]
+        fw = ComplianceFramework(
+            framework="MultiCloud",
+            name="Multi",
+            version="1.0",
+            description="Test",
+            requirements=reqs,
+            attributes_metadata=metadata,
+            outputs=OutputsConfig(table_config=TableConfig(group_by="Section")),
+        )
+
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=[_make_finding("other_check", "PASS", {})],
+            framework=fw,
+            file_path=filepath,
+            provider="aws",
+        )
+
+        manual_rows = [r for r in output.data if r.dict()["Status"] == "MANUAL"]
+        assert len(manual_rows) == 1
+        assert manual_rows[0].dict()["Requirements_Id"] == "manual-1"
+
+
+class TestCSVExclude:
+    def test_csv_false_excludes_column(self, tmp_path):
+        reqs = [
+            UniversalComplianceRequirement(
+                id="1.1",
+                description="test",
+                attributes={"Section": "IAM", "Internal": "hidden"},
+                checks={"aws": ["check_a"]},
+            ),
+        ]
+        metadata = [
+            AttributeMetadata(
+                key="Section", type="str", output_formats=OutputFormats(csv=True)
+            ),
+            AttributeMetadata(
+                key="Internal", type="str", output_formats=OutputFormats(csv=False)
+            ),
+        ]
+        fw = _make_framework(reqs, metadata, TableConfig(group_by="Section"))
+
+        findings = [
+            _make_finding("check_a", "PASS", {"TestFW-1.0": ["1.1"]}),
+        ]
+        filepath = str(tmp_path / "test.csv")
+
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+        )
+
+        row_dict = output.data[0].dict()
+        assert "Requirements_Attributes_Section" in row_dict
+        assert "Requirements_Attributes_Internal" not in row_dict
+
+
+def _make_provider_finding(provider, check_id="check_a", status="PASS"):
+    """Create a mock Finding with a specific provider."""
+    finding = _make_finding(check_id, status, {"TestFW-1.0": ["1.1"]})
+    finding.provider = provider
+    return finding
+
+
+def _simple_framework():
+    all_providers = [
+        "aws",
+        "azure",
+        "gcp",
+        "kubernetes",
+        "m365",
+        "github",
+        "oraclecloud",
+        "alibabacloud",
+        "nhn",
+        "unknown",
+    ]
+    reqs = [
+        UniversalComplianceRequirement(
+            id="1.1",
+            description="test",
+            attributes={"Section": "IAM"},
+            checks={p: ["check_a"] for p in all_providers},
+        ),
+    ]
+    metadata = [
+        AttributeMetadata(key="Section", type="str"),
+    ]
+    return _make_framework(reqs, metadata, TableConfig(group_by="Section"))
+
+
+class TestProviderHeaders:
+    def test_aws_headers(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("aws")]
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=str(tmp_path / "test.csv"),
+            provider="aws",
+        )
+        row_dict = output.data[0].dict()
+        assert "AccountId" in row_dict
+        assert "Region" in row_dict
+        assert row_dict["AccountId"] == "123456789012"
+        assert row_dict["Region"] == "us-east-1"
+
+    def test_azure_headers(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("azure")]
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=str(tmp_path / "test.csv"),
+            provider="azure",
+        )
+        row_dict = output.data[0].dict()
+        assert "SubscriptionId" in row_dict
+        assert "Location" in row_dict
+        assert row_dict["SubscriptionId"] == "123456789012"
+        assert row_dict["Location"] == "us-east-1"
+
+    def test_gcp_headers(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("gcp")]
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=str(tmp_path / "test.csv"),
+            provider="gcp",
+        )
+        row_dict = output.data[0].dict()
+        assert "ProjectId" in row_dict
+        assert "Location" in row_dict
+        assert row_dict["ProjectId"] == "123456789012"
+
+    def test_kubernetes_headers(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("kubernetes")]
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=str(tmp_path / "test.csv"),
+            provider="kubernetes",
+        )
+        row_dict = output.data[0].dict()
+        assert "Context" in row_dict
+        assert "Namespace" in row_dict
+        # Kubernetes Context maps to account_name
+        assert row_dict["Context"] == "test-account"
+        assert row_dict["Namespace"] == "us-east-1"
+
+    def test_github_headers(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("github")]
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=str(tmp_path / "test.csv"),
+            provider="github",
+        )
+        row_dict = output.data[0].dict()
+        assert "Account_Name" in row_dict
+        assert "Account_Id" in row_dict
+        # GitHub: Account_Name (pos 3) from account_name, Account_Id (pos 4) from account_uid
+        assert row_dict["Account_Name"] == "test-account"
+        assert row_dict["Account_Id"] == "123456789012"
+        # Verify column order matches legacy (Account_Name before Account_Id)
+        keys = list(row_dict.keys())
+        assert keys.index("Account_Name") < keys.index("Account_Id")
+
+    def test_unknown_provider_defaults(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("unknown")]
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=str(tmp_path / "test.csv"),
+            provider="unknown",
+        )
+        row_dict = output.data[0].dict()
+        assert "AccountId" in row_dict
+        assert "Region" in row_dict
+
+    def test_none_provider_defaults(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("aws")]
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=str(tmp_path / "test.csv"),
+        )
+        row_dict = output.data[0].dict()
+        assert "AccountId" in row_dict
+        assert "Region" in row_dict
+
+    def test_csv_write_azure_headers(self, tmp_path):
+        fw = _simple_framework()
+        findings = [_make_provider_finding("azure")]
+        filepath = str(tmp_path / "test.csv")
+        output = UniversalComplianceOutput(
+            findings=findings,
+            framework=fw,
+            file_path=filepath,
+            provider="azure",
+        )
+        output.batch_write_data_to_file()
+
+        with open(filepath, "r") as f:
+            content = f.read()
+        assert "SUBSCRIPTIONID" in content
+        assert "LOCATION" in content
+        # Should NOT have the default AccountId/Region headers
+        assert "ACCOUNTID" not in content
+
+    def test_column_order_matches_legacy(self, tmp_path):
+        """Verify that the base column order matches the legacy per-provider models.
+
+        Legacy models all define: Provider, Description, <col3>, <col4>, AssessmentDate, ...
+        The universal output must preserve this exact order for backward compatibility.
+        """
+        # Expected column order per provider (positions 3 and 4 after Provider, Description)
+        legacy_order = {
+            "aws": ("AccountId", "Region"),
+            "azure": ("SubscriptionId", "Location"),
+            "gcp": ("ProjectId", "Location"),
+            "kubernetes": ("Context", "Namespace"),
+            "m365": ("TenantId", "Location"),
+            "github": ("Account_Name", "Account_Id"),
+            "oraclecloud": ("TenancyId", "Region"),
+            "alibabacloud": ("AccountId", "Region"),
+            "nhn": ("AccountId", "Region"),
+        }
+
+        for provider_name, (expected_col3, expected_col4) in legacy_order.items():
+            fw = _simple_framework()
+            findings = [_make_provider_finding(provider_name)]
+            output = UniversalComplianceOutput(
+                findings=findings,
+                framework=fw,
+                file_path=str(tmp_path / f"test_{provider_name}.csv"),
+                provider=provider_name,
+            )
+            keys = list(output.data[0].dict().keys())
+            assert keys[0] == "Provider", f"{provider_name}: col 1 should be Provider"
+            assert (
+                keys[1] == "Description"
+            ), f"{provider_name}: col 2 should be Description"
+            assert (
+                keys[2] == expected_col3
+            ), f"{provider_name}: col 3 should be {expected_col3}, got {keys[2]}"
+            assert (
+                keys[3] == expected_col4
+            ), f"{provider_name}: col 4 should be {expected_col4}, got {keys[3]}"
+            assert (
+                keys[4] == "AssessmentDate"
+            ), f"{provider_name}: col 5 should be AssessmentDate"

From 228fe6d57995c5b98671f0f5657b05c4e69e3825 Mon Sep 17 00:00:00 2001
From: Boon <boonchuan@singapore.to>
Date: Thu, 30 Apr 2026 19:49:08 +0800
Subject: [PATCH 02/29] feat: add ASD Essential Eight compliance framework for
 AWS (#10808)

Co-authored-by: Boon <boon@security8.work>
Co-authored-by: pedrooot <pedromarting3@gmail.com>
---
 prowler/CHANGELOG.md                          |    3 +
 prowler/__main__.py                           |   15 +
 .../compliance/aws/essential_eight_aws.json   | 1282 +++++++++++++++++
 prowler/lib/check/compliance_models.py        |   43 +
 prowler/lib/outputs/compliance/compliance.py  |   12 +
 .../compliance/essential_eight/__init__.py    |    0
 .../essential_eight/essential_eight.py        |   98 ++
 .../essential_eight/essential_eight_aws.py    |  111 ++
 .../compliance/essential_eight/models.py      |   35 +
 .../compliance/essential_eight/__init__.py    |    0
 .../essential_eight_aws_test.py               |  128 ++
 tests/lib/outputs/compliance/fixtures.py      |   56 +
 12 files changed, 1783 insertions(+)
 create mode 100644 prowler/compliance/aws/essential_eight_aws.json
 create mode 100644 prowler/lib/outputs/compliance/essential_eight/__init__.py
 create mode 100644 prowler/lib/outputs/compliance/essential_eight/essential_eight.py
 create mode 100644 prowler/lib/outputs/compliance/essential_eight/essential_eight_aws.py
 create mode 100644 prowler/lib/outputs/compliance/essential_eight/models.py
 create mode 100644 tests/lib/outputs/compliance/essential_eight/__init__.py
 create mode 100644 tests/lib/outputs/compliance/essential_eight/essential_eight_aws_test.py

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 283b9508a9..649ae60c5a 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -9,6 +9,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `bedrock_guardrails_configured` check for AWS provider [(#10844)](https://github.com/prowler-cloud/prowler/pull/10844)
 - Universal compliance pipeline integrated into the CLI: `--list-compliance` and `--list-compliance-requirements` show universal frameworks, and CSV plus OCSF outputs are generated for any framework declaring a `TableConfig` [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
 
+### 🚀 Added
+- ASD Essential Eight Maturity Model compliance framework for AWS provider, mapping 64 checks across all 8 controls [(#10808)](https://github.com/prowler-cloud/prowler/pull/10808)
+
 ### 🔄 Changed
 
 - `route53_dangling_ip_subdomain_takeover` now also flags `CNAME` records pointing to S3 website endpoints whose buckets are missing from the account [(#10920)](https://github.com/prowler-cloud/prowler/pull/10920)
diff --git a/prowler/__main__.py b/prowler/__main__.py
index da2b339b27..e10c9c745b 100644
--- a/prowler/__main__.py
+++ b/prowler/__main__.py
@@ -90,6 +90,9 @@ from prowler.lib.outputs.compliance.csa.csa_oraclecloud import OracleCloudCSA
 from prowler.lib.outputs.compliance.ens.ens_aws import AWSENS
 from prowler.lib.outputs.compliance.ens.ens_azure import AzureENS
 from prowler.lib.outputs.compliance.ens.ens_gcp import GCPENS
+from prowler.lib.outputs.compliance.essential_eight.essential_eight_aws import (
+    EssentialEightAWS,
+)
 from prowler.lib.outputs.compliance.generic.generic import GenericCompliance
 from prowler.lib.outputs.compliance.iso27001.iso27001_aws import AWSISO27001
 from prowler.lib.outputs.compliance.iso27001.iso27001_azure import AzureISO27001
@@ -673,6 +676,18 @@ def prowler():
                 )
                 generated_outputs["compliance"].append(cis)
                 cis.batch_write_data_to_file()
+            elif compliance_name.startswith("essential_eight"):
+                filename = (
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
+                )
+                essential_eight = EssentialEightAWS(
+                    findings=finding_outputs,
+                    compliance=bulk_compliance_frameworks[compliance_name],
+                    file_path=filename,
+                )
+                generated_outputs["compliance"].append(essential_eight)
+                essential_eight.batch_write_data_to_file()
             elif compliance_name == "mitre_attack_aws":
                 # Generate MITRE ATT&CK Finding Object
                 filename = (
diff --git a/prowler/compliance/aws/essential_eight_aws.json b/prowler/compliance/aws/essential_eight_aws.json
new file mode 100644
index 0000000000..46164ebba5
--- /dev/null
+++ b/prowler/compliance/aws/essential_eight_aws.json
@@ -0,0 +1,1282 @@
+{
+  "Framework": "Essential-Eight",
+  "Name": "ASD Essential Eight Maturity Model - Maturity Level One (AWS)",
+  "Version": "Nov 2023",
+  "Provider": "AWS",
+  "Description": "Literal mapping of the Australian Signals Directorate (ASD) Essential Eight Maturity Model (Last updated November 2023, Appendix A: Maturity Level One) to AWS infrastructure checks. Each Requirement is one literal clause from the ASD document, in canonical document order: (1) Patch applications, (2) Patch operating systems, (3) Multi-factor authentication, (4) Restrict administrative privileges, (5) Application control, (6) Restrict Microsoft Office macros, (7) User application hardening, (8) Regular backups. The Essential Eight is designed to protect internet-connected information technology networks (workstations, internet-facing servers, online services). Several controls are inherently endpoint or procedural and have no AWS infrastructure equivalent - those clauses are flagged with CloudApplicability `non-applicable` and AssessmentStatus `Manual`. ML2 and ML3 are out of scope of this framework.",
+  "Requirements": [
+    {
+      "Id": "E8-1.1",
+      "Description": "An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.",
+      "Checks": [
+        "ec2_instance_managed_by_ssm",
+        "config_recorder_all_regions_enabled",
+        "inspector2_is_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Shadow IT",
+            "Unmanaged vulnerable assets"
+          ],
+          "Description": "Asset discovery in AWS is delivered by AWS Config (resource recorder), SSM Inventory and Inspector v2's continuous coverage. The fortnightly cadence itself is not directly observable from AWS APIs - what is observable is whether the discovery mechanisms are enabled.",
+          "RationaleStatement": "Vulnerability scanning is only as good as the asset coverage it has. Continuous AWS-native discovery is the cloud equivalent of fortnightly asset discovery.",
+          "ImpactStatement": "Cadence verification is procedural - Prowler verifies the discovery mechanism is enabled, not that it ran in the last fortnight.",
+          "RemediationProcedure": "Enable AWS Config recorders in every region. Ensure all EC2 instances are managed by SSM. Enable Inspector v2.",
+          "AuditProcedure": "Verify the listed checks pass.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 1.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.2",
+      "Description": "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.",
+      "Checks": [
+        "inspector2_is_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Stale vulnerability data",
+            "Missed CVE coverage"
+          ],
+          "Description": "Inspector v2 is AWS's managed vulnerability scanner; AWS keeps its vulnerability database up to date.",
+          "RationaleStatement": "An out-of-date scanner cannot detect newly disclosed vulnerabilities.",
+          "ImpactStatement": "Coverage is limited to AWS-resident workloads (EC2, ECR, Lambda). Endpoints (workstations, browsers, Office) are out of scope.",
+          "RemediationProcedure": "Enable Inspector v2 across all regions and ensure all eligible resources are enrolled.",
+          "AuditProcedure": "Verify Inspector v2 is enabled.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 2.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.3",
+      "Description": "A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.",
+      "Checks": [
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
+      ],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Late detection of internet-facing vulnerabilities"
+          ],
+          "Description": "Inspector v2 performs continuous scanning of AWS-hosted online services (Lambda, ECR-backed containers, EC2 with internet exposure). The 'at least daily' cadence is implicit in continuous scanning.",
+          "RationaleStatement": "Internet-facing services are weaponised fastest after a vulnerability is disclosed.",
+          "ImpactStatement": "Cadence cannot be evidenced by a single scan; requires Inspector audit history.",
+          "RemediationProcedure": "Enable Inspector v2 with all scan types relevant to the service surface (EC2, ECR, Lambda).",
+          "AuditProcedure": "Verify Inspector v2 enabled and review finding age distribution.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 3.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.4",
+      "Description": "A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Endpoint application exploitation"
+          ],
+          "Description": "This clause targets endpoint-resident applications (Office, browsers, email, PDF, security products). AWS infrastructure scans cannot evidence endpoint vulnerability scanning.",
+          "RationaleStatement": "Endpoint applications are major attack vectors but live outside AWS infrastructure scope.",
+          "ImpactStatement": "Evidence must come from endpoint-management vulnerability scanners (e.g. Defender, Qualys, Tenable).",
+          "RemediationProcedure": "Run an endpoint vulnerability scanner with weekly cadence covering Office, browsers, email, PDF and security products.",
+          "AuditProcedure": "Manual review of endpoint vulnerability scanning evidence.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 4. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.5",
+      "Description": "Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.",
+      "Checks": [
+        "inspector2_active_findings_exist",
+        "awslambda_function_using_supported_runtimes",
+        "rds_instance_deprecated_engine_version",
+        "rds_instance_extended_support"
+      ],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Active exploitation of disclosed CVEs",
+            "N-day exploit kits"
+          ],
+          "Description": "AWS managed services (RDS, ElastiCache, Lambda, ECS Fargate, etc.) consume vendor patches transparently when auto-upgrade is enabled. The 48-hour SLA itself cannot be evidenced from AWS APIs - it requires correlating Inspector v2 first-seen timestamps with remediation timestamps.",
+          "RationaleStatement": "Critical vulnerabilities with working exploits are weaponised within hours.",
+          "ImpactStatement": "Prowler verifies the absence of active critical findings (a proxy outcome) and the absence of unsupported runtimes (a precondition); SLA timing requires manual correlation.",
+          "RemediationProcedure": "Maintain auto-upgrade flags on managed services. Configure Inspector v2 alerting for critical findings on internet-facing resources with 48-hour escalation.",
+          "AuditProcedure": "Manual review of Inspector finding age + remediation timestamps for internet-facing critical findings.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 5. SLA timing out of Prowler scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.6",
+      "Description": "Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.",
+      "Checks": [
+        "ssm_managed_compliant_patching",
+        "awslambda_function_using_supported_runtimes",
+        "rds_instance_minor_version_upgrade_enabled",
+        "rds_cluster_minor_version_upgrade_enabled",
+        "elasticache_redis_cluster_auto_minor_version_upgrades",
+        "memorydb_cluster_auto_minor_version_upgrades",
+        "dms_instance_minor_version_upgrade_enabled",
+        "mq_broker_auto_minor_version_upgrades",
+        "redshift_cluster_automatic_upgrades",
+        "kafka_cluster_uses_latest_version",
+        "opensearch_service_domains_updated_to_the_latest_service_software_version",
+        "ecs_service_fargate_latest_platform_version"
+      ],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Accumulated technical debt",
+            "Eventual exploitation of stale CVEs"
+          ],
+          "Description": "Auto-upgrade flags on AWS managed services (RDS, Aurora, ElastiCache, MemoryDB, DMS, MQ, Redshift, OpenSearch, MSK, Fargate) and SSM Patch Manager for self-managed compute deliver the underlying capability. SLA timing itself is not surfaced.",
+          "RationaleStatement": "Two weeks is the standard ASD cadence for non-critical patching of internet-facing services.",
+          "ImpactStatement": "SLA window evidence requires patch logs / change-management correlation, not in Prowler scope.",
+          "RemediationProcedure": "Enable auto minor version upgrade on all managed data services. Enable SSM Patch Manager on all EC2.",
+          "AuditProcedure": "Run all listed checks. Manually review patch deployment timeline.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 6.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.7",
+      "Description": "Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Endpoint application exploitation"
+          ],
+          "Description": "Endpoint-resident applications (Office, browsers, email clients, PDF, security products) are out of AWS infrastructure scope.",
+          "RationaleStatement": "Same as 1.4 - this is endpoint-management territory.",
+          "ImpactStatement": "Evidence must come from endpoint patch-management tooling.",
+          "RemediationProcedure": "Use endpoint patch-management (Intune, SCCM, third-party MDM) to enforce two-week SLA on these application classes.",
+          "AuditProcedure": "Manual review of endpoint patch reports.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 7. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.8",
+      "Description": "Online services that are no longer supported by vendors are removed.",
+      "Checks": [
+        "awslambda_function_using_supported_runtimes",
+        "rds_instance_deprecated_engine_version",
+        "rds_instance_extended_support",
+        "eks_cluster_uses_a_supported_version",
+        "ecs_service_fargate_latest_platform_version",
+        "kafka_cluster_uses_latest_version",
+        "opensearch_service_domains_updated_to_the_latest_service_software_version"
+      ],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "full",
+          "MitigatedThreats": [
+            "Use of unsupported software",
+            "Long-tail vulnerability accumulation"
+          ],
+          "Description": "Online services in AWS scope: Lambda runtimes, RDS engines, EKS Kubernetes versions, ECS/Fargate platform versions, Kafka, OpenSearch. Prowler can detect deprecated/unsupported versions across all of these.",
+          "RationaleStatement": "Unsupported services no longer receive security patches.",
+          "ImpactStatement": "",
+          "RemediationProcedure": "Migrate Lambda functions off deprecated runtimes; remove RDS instances on Extended Support or deprecated engines; upgrade EKS clusters to supported Kubernetes versions; use latest Fargate platform version; keep Kafka and OpenSearch at supported versions.",
+          "AuditProcedure": "Run all listed checks.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 8.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-1.9",
+      "Description": "Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "1 Patch applications",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Endpoint compromise via unsupported applications"
+          ],
+          "Description": "Endpoint-resident applications. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Adobe Flash Player end-of-life is the canonical example - removal must be enforced at the endpoint.",
+          "ImpactStatement": "Evidence must come from endpoint software inventory.",
+          "RemediationProcedure": "Inventory endpoint applications; enforce removal of EOL software via endpoint management.",
+          "AuditProcedure": "Manual review of endpoint inventory.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch applications - clause 9. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.1",
+      "Description": "An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.",
+      "Checks": [
+        "ec2_instance_managed_by_ssm",
+        "config_recorder_all_regions_enabled",
+        "inspector2_is_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "full",
+          "MitigatedThreats": [
+            "Unmanaged hosts",
+            "OS-level shadow IT"
+          ],
+          "Description": "Same asset-discovery clause as 1.1, applied here to operating systems. AWS Config + SSM Inventory continuously discovers EC2 instances and their OS metadata; Inspector v2 enrols them automatically.",
+          "RationaleStatement": "OS vulnerability scanning depends on asset coverage.",
+          "ImpactStatement": "",
+          "RemediationProcedure": "Enable AWS Config in every region; ensure all EC2 are SSM-managed; enable Inspector v2.",
+          "AuditProcedure": "Run all listed checks.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 1.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.2",
+      "Description": "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.",
+      "Checks": [
+        "inspector2_is_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "full",
+          "MitigatedThreats": [
+            "Stale OS vulnerability data"
+          ],
+          "Description": "Inspector v2 is AWS's managed OS vulnerability scanner with continuously updated database.",
+          "RationaleStatement": "Same rationale as 1.2 applied to OS scanning.",
+          "ImpactStatement": "",
+          "RemediationProcedure": "Enable Inspector v2 in all regions.",
+          "AuditProcedure": "Verify Inspector v2 is enabled.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 2.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.3",
+      "Description": "A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.",
+      "Checks": [
+        "inspector2_is_enabled",
+        "inspector2_active_findings_exist"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Late detection of OS vulnerabilities on exposed hosts"
+          ],
+          "Description": "Internet-facing servers in AWS map to EC2 with public IP / behind public ALB / NLB. Inspector v2 performs continuous OS scanning. Network devices (firewalls, routers) inside customer VPC are typically appliance AMIs - scanned by Inspector when SSM-managed.",
+          "RationaleStatement": "Internet-facing OS surface is the primary entry point for opportunistic attacks.",
+          "ImpactStatement": "Daily cadence implicit in continuous scanning; not directly verifiable.",
+          "RemediationProcedure": "Enable Inspector v2 EC2 scanning. Ensure network appliances are SSM-managed where possible.",
+          "AuditProcedure": "Verify Inspector v2 enabled with EC2 scan type. Manually verify cadence via finding history.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 3.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.4",
+      "Description": "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.",
+      "Checks": [
+        "inspector2_is_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Lateral movement via unpatched internal hosts"
+          ],
+          "Description": "Workstations are out of AWS infrastructure scope. Non-internet-facing EC2 servers and appliance AMIs are scanned by Inspector v2 when SSM-managed.",
+          "RationaleStatement": "Internal hosts still carry lateral-movement risk.",
+          "ImpactStatement": "Workstation scanning is endpoint-management territory.",
+          "RemediationProcedure": "Ensure internal EC2 are SSM-managed and Inspector v2 covers them. For workstations, use endpoint vulnerability tooling.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 4.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.5",
+      "Description": "Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.",
+      "Checks": [
+        "inspector2_active_findings_exist"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Active exploitation of OS-level CVEs",
+            "Public-facing intrusion"
+          ],
+          "Description": "SLA for critical OS patches on internet-facing hosts. AWS APIs do not surface time-to-patch.",
+          "RationaleStatement": "Critical OS CVEs on internet-facing surface are weaponised fastest.",
+          "ImpactStatement": "Requires correlation between Inspector finding age and SSM patch logs.",
+          "RemediationProcedure": "Configure Inspector v2 critical-finding alerting; route to a 48-hour remediation queue. Configure SSM Patch Manager with appropriate baselines.",
+          "AuditProcedure": "Manual: review patch deployment timestamps for internet-facing critical OS findings.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 5. SLA timing out of Prowler scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.6",
+      "Description": "Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.",
+      "Checks": [
+        "ssm_managed_compliant_patching",
+        "ec2_instance_managed_by_ssm"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Stale OS exposure",
+            "Background CVE accumulation"
+          ],
+          "Description": "Two-week SLA for non-critical OS patches on internet-facing hosts. SSM Patch Manager delivers the capability; SLA evidence is procedural.",
+          "RationaleStatement": "Two-week cadence is the ASD baseline for non-critical OS patching of internet-facing hosts.",
+          "ImpactStatement": "SLA window evidence requires patch logs.",
+          "RemediationProcedure": "Configure SSM Patch Manager with a fortnightly maintenance window for internet-facing EC2.",
+          "AuditProcedure": "Verify SSM patch compliance + manually verify deployment cadence.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 6.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.7",
+      "Description": "Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.",
+      "Checks": [
+        "ssm_managed_compliant_patching",
+        "ec2_instance_managed_by_ssm"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Lateral movement",
+            "Internal compromise"
+          ],
+          "Description": "One-month SLA for OS patches on workstations and non-internet-facing hosts. AWS infrastructure covers non-internet-facing EC2 via SSM Patch Manager. Workstations are endpoint-management territory.",
+          "RationaleStatement": "Internal hosts have a longer SLA but still need regular patching.",
+          "ImpactStatement": "Workstation patch evidence is endpoint-side.",
+          "RemediationProcedure": "Configure SSM Patch Manager with a monthly maintenance window for non-internet-facing EC2.",
+          "AuditProcedure": "Verify SSM patch compliance for non-internet-facing instances.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 7.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-2.8",
+      "Description": "Operating systems that are no longer supported by vendors are replaced.",
+      "Checks": [
+        "ec2_instance_with_outdated_ami",
+        "ec2_instance_older_than_specific_days",
+        "ec2_ami_public",
+        "eks_cluster_uses_a_supported_version"
+      ],
+      "Attributes": [
+        {
+          "Section": "2 Patch operating systems",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "full",
+          "MitigatedThreats": [
+            "Use of unsupported operating systems",
+            "Loss of security updates"
+          ],
+          "Description": "Detect EC2 instances on outdated AMIs, EKS clusters on unsupported Kubernetes versions, and AMIs that may be unsupported.",
+          "RationaleStatement": "Unsupported OS receives no further security updates.",
+          "ImpactStatement": "Prowler verifies AMI freshness and EKS version; the operator must define the policy threshold for `ec2_instance_older_than_specific_days`.",
+          "RemediationProcedure": "Replace EC2 instances on unsupported AMIs. Upgrade EKS clusters to supported Kubernetes versions.",
+          "AuditProcedure": "Run all listed checks.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Patch operating systems - clause 8.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-3.1",
+      "Description": "Multi-factor authentication is used to authenticate users to their organisation's online services that process, store or communicate their organisation's sensitive data.",
+      "Checks": [
+        "iam_root_mfa_enabled",
+        "iam_root_hardware_mfa_enabled",
+        "iam_user_mfa_enabled_console_access",
+        "iam_user_hardware_mfa_enabled",
+        "iam_administrator_access_with_mfa",
+        "directoryservice_supported_mfa_radius_enabled",
+        "cloudwatch_log_metric_filter_sign_in_without_mfa"
+      ],
+      "Attributes": [
+        {
+          "Section": "3 Multi-factor authentication",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Credential stuffing",
+            "Password reuse compromise",
+            "Unauthorised access to internal services"
+          ],
+          "Description": "MFA on the organisation's own AWS-hosted online services that handle sensitive data. Prowler verifies MFA on root, IAM users with console access, IAM admins and Directory Service. Whether a given service handles 'sensitive data' is a classification call the operator must make.",
+          "RationaleStatement": "MFA prevents credential-only compromise.",
+          "ImpactStatement": "Sensitive-data classification is procedural; Prowler verifies MFA presence on the underlying identity surface.",
+          "RemediationProcedure": "Enable hardware MFA on root and admin IAM users. Require MFA for all IAM users with console access. Enable MFA on Directory Service. Configure CloudWatch metric filter for non-MFA sign-ins.",
+          "AuditProcedure": "Run the listed checks. Manually classify which services hold sensitive data and confirm MFA coverage.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Multi-factor authentication - clause 1.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-3.2",
+      "Description": "Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation's sensitive data.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "3 Multi-factor authentication",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Third-party SaaS account compromise",
+            "Sensitive data leakage via SaaS"
+          ],
+          "Description": "Third-party online services (SaaS providers, external platforms) are outside the AWS account. AWS infrastructure scans cannot evidence MFA enforcement on those services.",
+          "RationaleStatement": "Third-party services are a major data-exfiltration vector.",
+          "ImpactStatement": "Evidence must come from each third-party provider's IAM / SSO configuration.",
+          "RemediationProcedure": "Enforce MFA in the third-party service's identity provider or SSO upstream (e.g. via AWS IAM Identity Center or external IdP).",
+          "AuditProcedure": "Manual review of third-party service IdP / SSO configuration.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Multi-factor authentication - clause 2. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-3.3",
+      "Description": "Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation's non-sensitive data.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "3 Multi-factor authentication",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Account compromise on lower-sensitivity SaaS"
+          ],
+          "Description": "Same as 3.2, applied to non-sensitive third-party services. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Defence in depth - even non-sensitive services can be staging ground for further attacks.",
+          "ImpactStatement": "Evidence must come from each third-party provider.",
+          "RemediationProcedure": "Where the third-party service supports it, enforce MFA upstream via SSO.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Multi-factor authentication - clause 3. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-3.4",
+      "Description": "Multi-factor authentication is used to authenticate users to their organisation's online customer services that process, store or communicate their organisation's sensitive customer data.",
+      "Checks": [
+        "cognito_user_pool_mfa_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "3 Multi-factor authentication",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Customer-data exposure via account takeover"
+          ],
+          "Description": "Online customer services hosted by the organisation in AWS typically use Cognito. Whether a Cognito user pool serves users handling sensitive customer data is an operator classification.",
+          "RationaleStatement": "Insider users of customer-facing services need MFA when they handle sensitive customer data.",
+          "ImpactStatement": "Sensitive-data classification is procedural.",
+          "RemediationProcedure": "Enable MFA on every Cognito user pool that serves users handling sensitive customer data.",
+          "AuditProcedure": "Verify Cognito MFA per pool.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Multi-factor authentication - clause 4.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-3.5",
+      "Description": "Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation's sensitive customer data.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "3 Multi-factor authentication",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Customer-data exposure via third-party platform"
+          ],
+          "Description": "Third-party customer-facing services. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Sensitive customer data on third-party platforms still needs MFA.",
+          "ImpactStatement": "Evidence must come from the third-party provider.",
+          "RemediationProcedure": "Enforce MFA in the third-party customer service's IdP.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Multi-factor authentication - clause 5. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-3.6",
+      "Description": "Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.",
+      "Checks": [
+        "cognito_user_pool_mfa_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "3 Multi-factor authentication",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Customer account takeover",
+            "Customer-data theft"
+          ],
+          "Description": "Customer-facing AWS-hosted services typically use Cognito user pools. Prowler can verify MFA is enabled on the pool.",
+          "RationaleStatement": "Customers handling sensitive data benefit from MFA the same as employees.",
+          "ImpactStatement": "Cognito MFA can be enforced or optional - the check verifies it is at least configured.",
+          "RemediationProcedure": "Enable MFA on customer-facing Cognito user pools.",
+          "AuditProcedure": "Verify Cognito MFA configuration.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Multi-factor authentication - clause 6.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-3.7",
+      "Description": "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.",
+      "Checks": [
+        "iam_user_hardware_mfa_enabled",
+        "iam_root_hardware_mfa_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "3 Multi-factor authentication",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "limited",
+          "MitigatedThreats": [
+            "Single-factor compromise",
+            "Knowledge-only authentication"
+          ],
+          "Description": "MFA factor type. AWS IAM API does not surface the underlying authenticator type granularly, only whether MFA is virtual or hardware. Hardware MFA on root + admin is the strongest signal Prowler can give.",
+          "RationaleStatement": "MFA must combine factor categories - knowledge alone doesn't qualify.",
+          "ImpactStatement": "Prowler cannot universally verify factor type for every identity. Hardware MFA detection is the closest proxy.",
+          "RemediationProcedure": "Prefer hardware MFA on privileged identities.",
+          "AuditProcedure": "Run the listed checks. Manually review IdP audit feed for factor distribution.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Multi-factor authentication - clause 7.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-4.1",
+      "Description": "Requests for privileged access to systems, applications and data repositories are validated when first requested.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "4 Restrict administrative privileges",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Unauthorised privilege grant",
+            "Insider misuse"
+          ],
+          "Description": "Procedural control: privileged-access requests must go through a validation workflow. Prowler does not evaluate change-management workflows.",
+          "RationaleStatement": "Privileged access without validation is a primary insider-risk vector.",
+          "ImpactStatement": "Evidence comes from access-review tickets, change management or AWS IAM Identity Center request workflows.",
+          "RemediationProcedure": "Implement a request/approve workflow for AWS privileged role assumption (e.g. IAM Identity Center permission sets with approval) or rely on an external ITSM workflow.",
+          "AuditProcedure": "Manual review of change-management evidence.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict administrative privileges - clause 1. Procedural.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-4.2",
+      "Description": "Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.",
+      "Checks": [
+        "iam_user_administrator_access_policy",
+        "iam_user_two_active_access_key",
+        "iam_user_no_setup_initial_access_key"
+      ],
+      "Attributes": [
+        {
+          "Section": "4 Restrict administrative privileges",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Compromise of dual-purpose accounts",
+            "Privilege accumulation"
+          ],
+          "Description": "Privileged AWS access should be exercised through dedicated identities (separate IAM users / dedicated permission sets), not through a daily-driver identity. Prowler can detect IAM users carrying admin policies but cannot infer whether they are dedicated.",
+          "RationaleStatement": "Dual-purpose accounts (admin + daily) increase blast radius of credential theft.",
+          "ImpactStatement": "Prowler flags admin-bearing identities; the operator must verify each is dedicated to privileged duties.",
+          "RemediationProcedure": "Use IAM Identity Center permission sets or dedicated IAM users with admin policies, separated from daily-driver identities.",
+          "AuditProcedure": "Run listed checks; manually verify each admin identity is dedicated.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict administrative privileges - clause 2.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-4.3",
+      "Description": "Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "4 Restrict administrative privileges",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "limited",
+          "MitigatedThreats": [
+            "Drive-by compromise of privileged accounts",
+            "Phishing-driven privileged compromise"
+          ],
+          "Description": "Network-level control: privileged accounts must not browse the internet or access email. In AWS this would map to SCPs / VPC egress controls / dedicated jump-host architecture - none directly verifiable by a posture scan.",
+          "RationaleStatement": "If a privileged account never touches the internet, it cannot be phished or drive-by compromised.",
+          "ImpactStatement": "Evidence comes from network architecture and SCP review.",
+          "RemediationProcedure": "Restrict privileged AWS sessions to a hardened bastion / Cloud Workspace with no general internet egress. Apply SCPs that deny privileged roles from launching workloads with unrestricted internet egress.",
+          "AuditProcedure": "Manual review of SCPs and network architecture.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict administrative privileges - clause 3.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-4.4",
+      "Description": "Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.",
+      "Checks": [
+        "iam_aws_attached_policy_no_administrative_privileges",
+        "iam_customer_attached_policy_no_administrative_privileges",
+        "iam_customer_unattached_policy_no_administrative_privileges",
+        "iam_inline_policy_no_administrative_privileges",
+        "iam_inline_policy_allows_privilege_escalation",
+        "iam_policy_allows_privilege_escalation",
+        "iam_policy_attached_only_to_group_or_roles",
+        "iam_policy_no_full_access_to_kms",
+        "iam_policy_no_full_access_to_cloudtrail",
+        "iam_inline_policy_no_full_access_to_cloudtrail",
+        "iam_inline_policy_no_full_access_to_kms",
+        "iam_role_cross_account_readonlyaccess_policy",
+        "iam_role_cross_service_confused_deputy_prevention",
+        "accessanalyzer_enabled",
+        "accessanalyzer_enabled_without_findings"
+      ],
+      "Attributes": [
+        {
+          "Section": "4 Restrict administrative privileges",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "full",
+          "MitigatedThreats": [
+            "Excessive standing privilege",
+            "Privilege escalation",
+            "Confused deputy"
+          ],
+          "Description": "Least-privilege enforcement on AWS IAM. This is the cleanest cloud-native mapping in the entire framework: Prowler can verify policy scoping, privilege escalation paths and Access Analyzer findings.",
+          "RationaleStatement": "Strictly-scoped privileged access reduces blast radius of compromise.",
+          "ImpactStatement": "",
+          "RemediationProcedure": "Audit and tighten managed/inline policies; remove privilege-escalation paths; attach policies only to groups/roles; enable Access Analyzer and resolve findings.",
+          "AuditProcedure": "Run all listed checks.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict administrative privileges - clause 4.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-4.5",
+      "Description": "Privileged users use separate privileged and unprivileged operating environments.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "4 Restrict administrative privileges",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Cross-environment compromise",
+            "Privileged session hijack"
+          ],
+          "Description": "Operating-environment separation is an endpoint / virtualisation control (privileged jump host vs daily workstation). Out of AWS infrastructure scope.",
+          "RationaleStatement": "Operating-environment isolation prevents malware on the unprivileged side from attacking privileged sessions.",
+          "ImpactStatement": "Evidence comes from endpoint architecture (PAW / privileged jump hosts / WorkSpaces partitioning).",
+          "RemediationProcedure": "Provide privileged users with a dedicated PAW or privileged WorkSpaces image.",
+          "AuditProcedure": "Manual review of endpoint architecture.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict administrative privileges - clause 5. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-4.6",
+      "Description": "Unprivileged user accounts cannot logon to privileged operating environments.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "4 Restrict administrative privileges",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Privileged-environment lateral access"
+          ],
+          "Description": "Endpoint logon-policy control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Even read-only access to a privileged environment is a foothold.",
+          "ImpactStatement": "Evidence comes from endpoint logon policy / Active Directory.",
+          "RemediationProcedure": "Enforce logon restrictions on privileged endpoints.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict administrative privileges - clause 6. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-4.7",
+      "Description": "Privileged user accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "4 Restrict administrative privileges",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Privileged-credential exposure on unprivileged hosts"
+          ],
+          "Description": "Endpoint logon-policy control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Privileged credentials must never be entered on potentially-compromised unprivileged endpoints.",
+          "ImpactStatement": "Evidence comes from endpoint logon policy / Active Directory.",
+          "RemediationProcedure": "Enforce that privileged accounts can only logon to PAWs / jump hosts.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict administrative privileges - clause 7. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-5.1",
+      "Description": "Application control is implemented on workstations.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "5 Application control",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Malware execution on workstations"
+          ],
+          "Description": "Application control is fundamentally an endpoint allowlist. AWS infrastructure has no direct equivalent for workstation app control.",
+          "RationaleStatement": "Application control on workstations is the highest-impact mitigation against malware.",
+          "ImpactStatement": "Evidence comes from endpoint allowlist tooling (AppLocker, WDAC, third-party EDR).",
+          "RemediationProcedure": "Deploy AppLocker / Windows Defender Application Control / equivalent on every workstation.",
+          "AuditProcedure": "Manual review of endpoint app-control coverage.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Application control - clause 1. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-5.2",
+      "Description": "Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "5 Application control",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Drop-and-execute from user profile",
+            "Browser-cache execution",
+            "Email-attachment execution"
+          ],
+          "Description": "Endpoint app-control scope (user profiles, temp folders). Out of AWS infrastructure scope.",
+          "RationaleStatement": "User-writable folders are the most common malware drop locations.",
+          "ImpactStatement": "Evidence comes from endpoint app-control configuration.",
+          "RemediationProcedure": "Configure AppLocker / WDAC rules to cover %APPDATA%, %TEMP%, browser caches, email-client temp folders.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Application control - clause 2. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-5.3",
+      "Description": "Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "5 Application control",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Unauthorised executable execution",
+            "Library hijacking",
+            "Script-based malware",
+            "HTA / CHM payload execution"
+          ],
+          "Description": "Endpoint allowlisting of executable file types. Out of AWS infrastructure scope.",
+          "RationaleStatement": "An effective allowlist must cover all execution surfaces, not only .exe.",
+          "ImpactStatement": "Evidence comes from endpoint app-control rule set.",
+          "RemediationProcedure": "Define an organisation-approved allowlist covering all listed file types and enforce it in AppLocker / WDAC / equivalent.",
+          "AuditProcedure": "Manual review of allowlist contents.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Application control - clause 3. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-6.1",
+      "Description": "Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "6 Restrict Microsoft Office macros",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Macro-based malware delivery"
+          ],
+          "Description": "Endpoint / Microsoft 365 control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Most users never need Office macros. Disabling by default removes a major delivery vector.",
+          "ImpactStatement": "Evidence comes from Microsoft 365 / Group Policy.",
+          "RemediationProcedure": "Disable macros via Group Policy / Intune / M365 admin policies, with explicit allowlist for business-justified users.",
+          "AuditProcedure": "Manual review of M365 macro policy.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict Microsoft Office macros - clause 1. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-6.2",
+      "Description": "Microsoft Office macros in files originating from the internet are blocked.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "6 Restrict Microsoft Office macros",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Internet-sourced macro malware"
+          ],
+          "Description": "Endpoint / Microsoft 365 control (Mark-of-the-Web macro blocking). Out of AWS infrastructure scope.",
+          "RationaleStatement": "Internet-sourced documents are the primary macro-delivery vector.",
+          "ImpactStatement": "Evidence comes from Microsoft 365 / Group Policy.",
+          "RemediationProcedure": "Enable 'Block macros from running in Office files from the internet' via Group Policy / Intune.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict Microsoft Office macros - clause 2. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-6.3",
+      "Description": "Microsoft Office macro antivirus scanning is enabled.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "6 Restrict Microsoft Office macros",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Macro-borne malware not detected at file-open time"
+          ],
+          "Description": "Endpoint / Microsoft 365 control (AMSI integration with macros). Out of AWS infrastructure scope.",
+          "RationaleStatement": "Antivirus scanning of macros at run-time catches polymorphic payloads that static analysis misses.",
+          "ImpactStatement": "Evidence comes from endpoint AV / AMSI configuration.",
+          "RemediationProcedure": "Enable AMSI macro scanning via Group Policy.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict Microsoft Office macros - clause 3. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-6.4",
+      "Description": "Microsoft Office macro security settings cannot be changed by users.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "6 Restrict Microsoft Office macros",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "User-driven macro policy bypass"
+          ],
+          "Description": "Endpoint / Microsoft 365 control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "If users can change macro security settings, the previous controls become advisory.",
+          "ImpactStatement": "Evidence comes from Group Policy lockdown.",
+          "RemediationProcedure": "Apply Group Policy that prevents users from changing Office macro security settings.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Restrict Microsoft Office macros - clause 4. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-7.1",
+      "Description": "Internet Explorer 11 is disabled or removed.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "7 User application hardening",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Legacy-browser exploitation"
+          ],
+          "Description": "Endpoint browser control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Internet Explorer 11 is end-of-life and a recurring entry vector.",
+          "ImpactStatement": "Evidence comes from endpoint software inventory.",
+          "RemediationProcedure": "Remove or disable IE 11 via endpoint management.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - User application hardening - clause 1. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-7.2",
+      "Description": "Web browsers do not process Java from the internet.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "7 User application hardening",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Java-applet exploitation"
+          ],
+          "Description": "Endpoint browser control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Java in browsers is a long-standing exploitation surface.",
+          "ImpactStatement": "Evidence comes from browser policy enforced via endpoint management.",
+          "RemediationProcedure": "Block Java in browsers via Group Policy / browser policy templates.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - User application hardening - clause 2. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-7.3",
+      "Description": "Web browsers do not process web advertisements from the internet.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "7 User application hardening",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Malvertising delivery"
+          ],
+          "Description": "Endpoint browser control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "Malicious advertising is a passive infection vector.",
+          "ImpactStatement": "Evidence comes from browser ad-blocking enforcement.",
+          "RemediationProcedure": "Deploy enterprise ad-blocking via browser policy or upstream DNS filtering.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - User application hardening - clause 3. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-7.4",
+      "Description": "Web browser security settings cannot be changed by users.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "7 User application hardening",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "User-driven browser hardening bypass"
+          ],
+          "Description": "Endpoint browser control. Out of AWS infrastructure scope.",
+          "RationaleStatement": "If users can change browser security settings, the previous controls become advisory.",
+          "ImpactStatement": "Evidence comes from browser policy enforcement.",
+          "RemediationProcedure": "Lock browser security settings via Group Policy / browser policy templates.",
+          "AuditProcedure": "Manual review.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - User application hardening - clause 4. Out of AWS infrastructure scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-8.1",
+      "Description": "Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.",
+      "Checks": [
+        "backup_plans_exist",
+        "backup_vaults_exist",
+        "backup_reportplans_exist",
+        "rds_cluster_protected_by_backup_plan",
+        "rds_instance_protected_by_backup_plan",
+        "rds_instance_backup_enabled",
+        "dynamodb_tables_pitr_enabled",
+        "dynamodb_table_protected_by_backup_plan",
+        "efs_have_backup_enabled",
+        "ec2_ebs_volume_protected_by_backup_plan",
+        "ec2_ebs_volume_snapshots_exists",
+        "elasticache_redis_cluster_backup_enabled",
+        "documentdb_cluster_backup_enabled",
+        "neptune_cluster_backup_enabled",
+        "redshift_cluster_automated_snapshot",
+        "dlm_ebs_snapshot_lifecycle_policy_exists"
+      ],
+      "Attributes": [
+        {
+          "Section": "8 Regular backups",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Ransomware",
+            "Data destruction",
+            "Recovery failure"
+          ],
+          "Description": "Backup coverage across AWS data services. Whether the backup frequency and retention align with business criticality is an operator classification.",
+          "RationaleStatement": "Backups must exist and align with the criticality of the data they protect.",
+          "ImpactStatement": "Prowler verifies backup mechanisms exist; criticality alignment is procedural.",
+          "RemediationProcedure": "Define AWS Backup plans + vaults covering critical services; enable engine-native backups on RDS / ElastiCache / DocumentDB / Neptune / Redshift; enable EFS Backup, EBS Backup, DynamoDB PITR; configure DLM lifecycle.",
+          "AuditProcedure": "Run all listed checks. Manually verify cadence and retention match criticality.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Regular backups - clause 1.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-8.2",
+      "Description": "Backups of data, applications and settings are synchronised to enable restoration to a common point in time.",
+      "Checks": [
+        "dynamodb_tables_pitr_enabled",
+        "rds_cluster_backtrack_enabled",
+        "s3_bucket_object_versioning",
+        "rds_instance_backup_enabled"
+      ],
+      "Attributes": [
+        {
+          "Section": "8 Regular backups",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Inconsistent recovery state",
+            "Application-level corruption from partial restore"
+          ],
+          "Description": "Common-point-in-time recovery is delivered by DynamoDB PITR, Aurora backtrack, RDS automated backups and S3 versioning.",
+          "RationaleStatement": "Without coordinated PIT, restoration produces an inconsistent state across services.",
+          "ImpactStatement": "Coordinated multi-service PIT remains an architectural decision.",
+          "RemediationProcedure": "Enable DynamoDB PITR, Aurora backtrack, RDS automated backups and S3 versioning on all critical data stores.",
+          "AuditProcedure": "Run listed checks.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Regular backups - clause 2.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-8.3",
+      "Description": "Backups of data, applications and settings are retained in a secure and resilient manner.",
+      "Checks": [
+        "backup_vaults_encrypted",
+        "backup_recovery_point_encrypted",
+        "rds_snapshots_encrypted",
+        "rds_snapshots_public_access",
+        "ec2_ebs_public_snapshot",
+        "ec2_ebs_snapshot_account_block_public_access",
+        "documentdb_cluster_public_snapshot",
+        "neptune_cluster_public_snapshot",
+        "neptune_cluster_copy_tags_to_snapshots",
+        "rds_cluster_copy_tags_to_snapshots",
+        "rds_instance_copy_tags_to_snapshots",
+        "s3_bucket_cross_region_replication"
+      ],
+      "Attributes": [
+        {
+          "Section": "8 Regular backups",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Automated",
+          "CloudApplicability": "full",
+          "MitigatedThreats": [
+            "Backup tampering",
+            "Backup exfiltration",
+            "Regional outage destroying backups"
+          ],
+          "Description": "Secure: encryption + no public exposure. Resilient: cross-region replication / multi-AZ vault placement / lifecycle. Prowler covers both.",
+          "RationaleStatement": "A public or unencrypted backup is a data breach in waiting.",
+          "ImpactStatement": "",
+          "RemediationProcedure": "Enforce encryption on Backup vaults and recovery points, RDS snapshots. Block public access on EBS / RDS / DocumentDB / Neptune snapshots account-wide. Enable S3 cross-region replication for critical buckets.",
+          "AuditProcedure": "Run all listed checks.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Regular backups - clause 3.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-8.4",
+      "Description": "Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "8 Regular backups",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "non-applicable",
+          "MitigatedThreats": [
+            "Untested recovery path",
+            "Disaster recovery failure"
+          ],
+          "Description": "Restoration testing is a procedural / operational control. AWS APIs do not surface evidence that a restoration test occurred.",
+          "RationaleStatement": "Untested backups are unreliable backups.",
+          "ImpactStatement": "Evidence comes from DR exercise reports.",
+          "RemediationProcedure": "Schedule and execute DR exercises that include backup restoration to a common point in time. Record results.",
+          "AuditProcedure": "Manual review of DR exercise evidence (last 12 months).",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Regular backups - clause 4. Procedural; out of Prowler scope.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-8.5",
+      "Description": "Unprivileged user accounts cannot access backups belonging to other user accounts.",
+      "Checks": [
+        "rds_snapshots_public_access",
+        "ec2_ebs_public_snapshot",
+        "ec2_ebs_snapshot_account_block_public_access",
+        "documentdb_cluster_public_snapshot",
+        "neptune_cluster_public_snapshot"
+      ],
+      "Attributes": [
+        {
+          "Section": "8 Regular backups",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Cross-tenant backup access",
+            "Backup exfiltration via permissive IAM"
+          ],
+          "Description": "Cross-account / cross-user backup isolation. Public-snapshot blocking is the strongest cloud-side signal Prowler surfaces. Fine-grained per-user backup access scoping requires manual IAM/Vault policy review.",
+          "RationaleStatement": "Backups containing other users' data must never be readable by general users.",
+          "ImpactStatement": "Public-access blocks are partial - true 'cannot access other users' backups' requires IAM scoping review.",
+          "RemediationProcedure": "Block public access on EBS / RDS / DocumentDB / Neptune snapshots. Apply IAM policies that restrict backup-read APIs to dedicated backup-operator roles.",
+          "AuditProcedure": "Run listed checks. Manually review backup IAM scoping.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Regular backups - clause 5.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    },
+    {
+      "Id": "E8-8.6",
+      "Description": "Unprivileged user accounts are prevented from modifying and deleting backups.",
+      "Checks": [],
+      "Attributes": [
+        {
+          "Section": "8 Regular backups",
+          "MaturityLevel": "ML1",
+          "AssessmentStatus": "Manual",
+          "CloudApplicability": "partial",
+          "MitigatedThreats": [
+            "Backup deletion by compromised user",
+            "Ransomware-driven backup destruction"
+          ],
+          "Description": "Backup immutability against unprivileged accounts. Cloud-native delivery: AWS Backup Vault Lock + IAM/SCP scoping. Prowler does not currently surface Vault Lock state, so this clause is largely operator-evidenced.",
+          "RationaleStatement": "Without write protection, ransomware that compromises any user can erase backups.",
+          "ImpactStatement": "Vault Lock is the strongest cloud control here but is not surfaced by Prowler today.",
+          "RemediationProcedure": "Apply AWS Backup Vault Lock with retention enforcement. Use SCPs to deny `backup:Delete*`, `rds:DeleteDB*Snapshot`, `s3:DeleteObjectVersion`, etc. for non-backup-operator principals.",
+          "AuditProcedure": "Manual review of Vault Lock + SCP coverage.",
+          "AdditionalInformation": "ASD Essential Eight ML1 - Regular backups - clause 6.",
+          "References": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model"
+        }
+      ]
+    }
+  ]
+}
diff --git a/prowler/lib/check/compliance_models.py b/prowler/lib/check/compliance_models.py
index 136b49f83b..226af6ec36 100644
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -102,6 +102,48 @@ class CIS_Requirement_Attribute(BaseModel):
     References: str
 
 
+class EssentialEight_Requirement_Attribute_MaturityLevel(str, Enum):
+    """ASD Essential Eight Maturity Level"""
+
+    ML1 = "ML1"
+    ML2 = "ML2"
+    ML3 = "ML3"
+
+
+class EssentialEight_Requirement_Attribute_AssessmentStatus(str, Enum):
+    """Essential Eight Requirement Attribute Assessment Status"""
+
+    Manual = "Manual"
+    Automated = "Automated"
+
+
+class EssentialEight_Requirement_Attribute_CloudApplicability(str, Enum):
+    """How well the ASD control maps to AWS cloud infrastructure."""
+
+    Full = "full"
+    Partial = "partial"
+    Limited = "limited"
+    NonApplicable = "non-applicable"
+
+
+# Essential Eight Requirement Attribute
+class EssentialEight_Requirement_Attribute(BaseModel):
+    """ASD Essential Eight Requirement Attribute"""
+
+    Section: str
+    MaturityLevel: EssentialEight_Requirement_Attribute_MaturityLevel
+    AssessmentStatus: EssentialEight_Requirement_Attribute_AssessmentStatus
+    CloudApplicability: EssentialEight_Requirement_Attribute_CloudApplicability
+    MitigatedThreats: list[str]
+    Description: str
+    RationaleStatement: str
+    ImpactStatement: str
+    RemediationProcedure: str
+    AuditProcedure: str
+    AdditionalInformation: str
+    References: str
+
+
 # Well Architected Requirement Attribute
 class AWS_Well_Architected_Requirement_Attribute(BaseModel):
     """AWS Well Architected Requirement Attribute"""
@@ -250,6 +292,7 @@ class Compliance_Requirement(BaseModel):
     Name: Optional[str] = None
     Attributes: list[
         Union[
+            EssentialEight_Requirement_Attribute,
             CIS_Requirement_Attribute,
             ENS_Requirement_Attribute,
             ISO27001_2013_Requirement_Attribute,
diff --git a/prowler/lib/outputs/compliance/compliance.py b/prowler/lib/outputs/compliance/compliance.py
index 0d743a4d25..7fe2330550 100644
--- a/prowler/lib/outputs/compliance/compliance.py
+++ b/prowler/lib/outputs/compliance/compliance.py
@@ -9,6 +9,9 @@ from prowler.lib.outputs.compliance.compliance_check import (  # noqa: F401 - re
 )
 from prowler.lib.outputs.compliance.csa.csa import get_csa_table
 from prowler.lib.outputs.compliance.ens.ens import get_ens_table
+from prowler.lib.outputs.compliance.essential_eight.essential_eight import (
+    get_essential_eight_table,
+)
 from prowler.lib.outputs.compliance.generic.generic_table import (
     get_generic_compliance_table,
 )
@@ -230,6 +233,15 @@ def display_compliance_table(
                 output_directory,
                 compliance_overview,
             )
+        elif "essential_eight" in compliance_framework:
+            get_essential_eight_table(
+                findings,
+                bulk_checks_metadata,
+                compliance_framework,
+                output_filename,
+                output_directory,
+                compliance_overview,
+            )
         else:
             get_generic_compliance_table(
                 findings,
diff --git a/prowler/lib/outputs/compliance/essential_eight/__init__.py b/prowler/lib/outputs/compliance/essential_eight/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prowler/lib/outputs/compliance/essential_eight/essential_eight.py b/prowler/lib/outputs/compliance/essential_eight/essential_eight.py
new file mode 100644
index 0000000000..9438a613f8
--- /dev/null
+++ b/prowler/lib/outputs/compliance/essential_eight/essential_eight.py
@@ -0,0 +1,98 @@
+from colorama import Fore, Style
+from tabulate import tabulate
+
+from prowler.config.config import orange_color
+
+
+def get_essential_eight_table(
+    findings: list,
+    bulk_checks_metadata: dict,
+    compliance_framework: str,
+    output_filename: str,
+    output_directory: str,
+    compliance_overview: bool,
+):
+    sections = {}
+    essential_eight_compliance_table = {
+        "Provider": [],
+        "Section": [],
+        "Status": [],
+        "Muted": [],
+    }
+    pass_count = []
+    fail_count = []
+    muted_count = []
+    for index, finding in enumerate(findings):
+        check = bulk_checks_metadata[finding.check_metadata.CheckID]
+        check_compliances = check.Compliance
+        for compliance in check_compliances:
+            if compliance.Framework == "Essential-Eight":
+                for requirement in compliance.Requirements:
+                    for attribute in requirement.Attributes:
+                        section = attribute.Section
+                        if section not in sections:
+                            sections[section] = {
+                                "FAIL": 0,
+                                "PASS": 0,
+                                "Muted": 0,
+                            }
+                        if finding.muted:
+                            if index not in muted_count:
+                                muted_count.append(index)
+                                sections[section]["Muted"] += 1
+                        else:
+                            if finding.status == "FAIL" and index not in fail_count:
+                                fail_count.append(index)
+                                sections[section]["FAIL"] += 1
+                            elif finding.status == "PASS" and index not in pass_count:
+                                pass_count.append(index)
+                                sections[section]["PASS"] += 1
+
+    sections = dict(sorted(sections.items()))
+    for section in sections:
+        essential_eight_compliance_table["Provider"].append(compliance.Provider)
+        essential_eight_compliance_table["Section"].append(section)
+        if sections[section]["FAIL"] > 0:
+            essential_eight_compliance_table["Status"].append(
+                f"{Fore.RED}FAIL({sections[section]['FAIL']}){Style.RESET_ALL}"
+            )
+        elif sections[section]["PASS"] > 0:
+            essential_eight_compliance_table["Status"].append(
+                f"{Fore.GREEN}PASS({sections[section]['PASS']}){Style.RESET_ALL}"
+            )
+        else:
+            essential_eight_compliance_table["Status"].append("-")
+        essential_eight_compliance_table["Muted"].append(
+            f"{orange_color}{sections[section]['Muted']}{Style.RESET_ALL}"
+        )
+    if len(fail_count) + len(pass_count) + len(muted_count) > 1:
+        print(
+            f"\nCompliance Status of {Fore.YELLOW}{compliance_framework.upper()}{Style.RESET_ALL} Framework:"
+        )
+        total_findings_count = len(fail_count) + len(pass_count) + len(muted_count)
+        overview_table = [
+            [
+                f"{Fore.RED}{round(len(fail_count) / total_findings_count * 100, 2)}% ({len(fail_count)}) FAIL{Style.RESET_ALL}",
+                f"{Fore.GREEN}{round(len(pass_count) / total_findings_count * 100, 2)}% ({len(pass_count)}) PASS{Style.RESET_ALL}",
+                f"{orange_color}{round(len(muted_count) / total_findings_count * 100, 2)}% ({len(muted_count)}) MUTED{Style.RESET_ALL}",
+            ]
+        ]
+        print(tabulate(overview_table, tablefmt="rounded_grid"))
+        if not compliance_overview:
+            print(
+                f"\nFramework {Fore.YELLOW}{compliance_framework.upper()}{Style.RESET_ALL} Results:"
+            )
+            print(
+                tabulate(
+                    essential_eight_compliance_table,
+                    headers="keys",
+                    tablefmt="rounded_grid",
+                )
+            )
+            print(
+                f"{Style.BRIGHT}* Only sections containing results appear.{Style.RESET_ALL}"
+            )
+            print(f"\nDetailed results of {compliance_framework.upper()} are in:")
+            print(
+                f" - CSV: {output_directory}/compliance/{output_filename}_{compliance_framework}.csv\n"
+            )
diff --git a/prowler/lib/outputs/compliance/essential_eight/essential_eight_aws.py b/prowler/lib/outputs/compliance/essential_eight/essential_eight_aws.py
new file mode 100644
index 0000000000..198e3ab331
--- /dev/null
+++ b/prowler/lib/outputs/compliance/essential_eight/essential_eight_aws.py
@@ -0,0 +1,111 @@
+from prowler.config.config import timestamp
+from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
+from prowler.lib.outputs.compliance.essential_eight.models import (
+    EssentialEightAWSModel,
+)
+from prowler.lib.outputs.finding import Finding
+
+
+class EssentialEightAWS(ComplianceOutput):
+    """
+    This class represents the AWS ASD Essential Eight compliance output.
+
+    Attributes:
+        - _data (list): A list to store transformed data from findings.
+        - _file_descriptor (TextIOWrapper): A file descriptor to write data to a file.
+
+    Methods:
+        - transform: Transforms findings into AWS Essential Eight compliance format.
+    """
+
+    def transform(
+        self,
+        findings: list[Finding],
+        compliance: Compliance,
+        compliance_name: str,
+    ) -> None:
+        """
+        Transforms a list of findings into AWS Essential Eight compliance format.
+
+        Parameters:
+            - findings (list): A list of findings.
+            - compliance (Compliance): A compliance model.
+            - compliance_name (str): The name of the compliance model.
+
+        Returns:
+            - None
+        """
+        for finding in findings:
+            finding_requirements = finding.compliance.get(compliance_name, [])
+            for requirement in compliance.Requirements:
+                if requirement.Id in finding_requirements:
+                    for attribute in requirement.Attributes:
+                        compliance_row = EssentialEightAWSModel(
+                            Provider=finding.provider,
+                            Description=compliance.Description,
+                            AccountId=finding.account_uid,
+                            Region=finding.region,
+                            AssessmentDate=str(timestamp),
+                            Requirements_Id=requirement.Id,
+                            Requirements_Description=requirement.Description,
+                            Requirements_Attributes_Section=attribute.Section,
+                            Requirements_Attributes_MaturityLevel=attribute.MaturityLevel,
+                            Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
+                            Requirements_Attributes_CloudApplicability=attribute.CloudApplicability,
+                            Requirements_Attributes_MitigatedThreats=", ".join(
+                                attribute.MitigatedThreats
+                            ),
+                            Requirements_Attributes_Description=attribute.Description,
+                            Requirements_Attributes_RationaleStatement=attribute.RationaleStatement,
+                            Requirements_Attributes_ImpactStatement=attribute.ImpactStatement,
+                            Requirements_Attributes_RemediationProcedure=attribute.RemediationProcedure,
+                            Requirements_Attributes_AuditProcedure=attribute.AuditProcedure,
+                            Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
+                            Requirements_Attributes_References=attribute.References,
+                            Status=finding.status,
+                            StatusExtended=finding.status_extended,
+                            ResourceId=finding.resource_uid,
+                            ResourceName=finding.resource_name,
+                            CheckId=finding.check_id,
+                            Muted=finding.muted,
+                            Framework=compliance.Framework,
+                            Name=compliance.Name,
+                        )
+                        self._data.append(compliance_row)
+        # Add manual requirements to the compliance output
+        for requirement in compliance.Requirements:
+            if not requirement.Checks:
+                for attribute in requirement.Attributes:
+                    compliance_row = EssentialEightAWSModel(
+                        Provider=compliance.Provider.lower(),
+                        Description=compliance.Description,
+                        AccountId="",
+                        Region="",
+                        AssessmentDate=str(timestamp),
+                        Requirements_Id=requirement.Id,
+                        Requirements_Description=requirement.Description,
+                        Requirements_Attributes_Section=attribute.Section,
+                        Requirements_Attributes_MaturityLevel=attribute.MaturityLevel,
+                        Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
+                        Requirements_Attributes_CloudApplicability=attribute.CloudApplicability,
+                        Requirements_Attributes_MitigatedThreats=", ".join(
+                            attribute.MitigatedThreats
+                        ),
+                        Requirements_Attributes_Description=attribute.Description,
+                        Requirements_Attributes_RationaleStatement=attribute.RationaleStatement,
+                        Requirements_Attributes_ImpactStatement=attribute.ImpactStatement,
+                        Requirements_Attributes_RemediationProcedure=attribute.RemediationProcedure,
+                        Requirements_Attributes_AuditProcedure=attribute.AuditProcedure,
+                        Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
+                        Requirements_Attributes_References=attribute.References,
+                        Status="MANUAL",
+                        StatusExtended="Manual check",
+                        ResourceId="manual_check",
+                        ResourceName="Manual check",
+                        CheckId="manual",
+                        Muted=False,
+                        Framework=compliance.Framework,
+                        Name=compliance.Name,
+                    )
+                    self._data.append(compliance_row)
diff --git a/prowler/lib/outputs/compliance/essential_eight/models.py b/prowler/lib/outputs/compliance/essential_eight/models.py
new file mode 100644
index 0000000000..89e0191dac
--- /dev/null
+++ b/prowler/lib/outputs/compliance/essential_eight/models.py
@@ -0,0 +1,35 @@
+from pydantic.v1 import BaseModel
+
+
+class EssentialEightAWSModel(BaseModel):
+    """
+    EssentialEightAWSModel generates a finding's output in AWS ASD Essential Eight Compliance format.
+    """
+
+    Provider: str
+    Description: str
+    AccountId: str
+    Region: str
+    AssessmentDate: str
+    Requirements_Id: str
+    Requirements_Description: str
+    Requirements_Attributes_Section: str
+    Requirements_Attributes_MaturityLevel: str
+    Requirements_Attributes_AssessmentStatus: str
+    Requirements_Attributes_CloudApplicability: str
+    Requirements_Attributes_MitigatedThreats: str
+    Requirements_Attributes_Description: str
+    Requirements_Attributes_RationaleStatement: str
+    Requirements_Attributes_ImpactStatement: str
+    Requirements_Attributes_RemediationProcedure: str
+    Requirements_Attributes_AuditProcedure: str
+    Requirements_Attributes_AdditionalInformation: str
+    Requirements_Attributes_References: str
+    Status: str
+    StatusExtended: str
+    ResourceId: str
+    ResourceName: str
+    CheckId: str
+    Muted: bool
+    Framework: str
+    Name: str
diff --git a/tests/lib/outputs/compliance/essential_eight/__init__.py b/tests/lib/outputs/compliance/essential_eight/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tests/lib/outputs/compliance/essential_eight/essential_eight_aws_test.py b/tests/lib/outputs/compliance/essential_eight/essential_eight_aws_test.py
new file mode 100644
index 0000000000..2abbdadb9c
--- /dev/null
+++ b/tests/lib/outputs/compliance/essential_eight/essential_eight_aws_test.py
@@ -0,0 +1,128 @@
+from io import StringIO
+from unittest import mock
+
+from freezegun import freeze_time
+from mock import patch
+
+from prowler.lib.outputs.compliance.essential_eight.essential_eight_aws import (
+    EssentialEightAWS,
+)
+from prowler.lib.outputs.compliance.essential_eight.models import (
+    EssentialEightAWSModel,
+)
+from tests.lib.outputs.compliance.fixtures import ESSENTIAL_EIGHT_AWS
+from tests.lib.outputs.fixtures.fixtures import generate_finding_output
+from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
+
+# The fixture's first Requirement maps clause "E8-1.8" (Patch applications,
+# clause 8: removal of unsupported online services). The second Requirement is
+# E8-6.1 (Restrict Office macros, clause 1) which has no Checks and is therefore
+# emitted as a manual row.
+COMPLIANCE_NAME = "Essential-Eight-Nov 2023"
+
+
+class TestEssentialEightAWS:
+    def test_output_transform(self):
+        findings = [generate_finding_output(compliance={COMPLIANCE_NAME: "E8-1.8"})]
+
+        output = EssentialEightAWS(findings, ESSENTIAL_EIGHT_AWS)
+        output_data = output.data[0]
+        assert isinstance(output_data, EssentialEightAWSModel)
+        assert output_data.Provider == "aws"
+        assert output_data.Framework == ESSENTIAL_EIGHT_AWS.Framework
+        assert output_data.Name == ESSENTIAL_EIGHT_AWS.Name
+        assert output_data.Description == ESSENTIAL_EIGHT_AWS.Description
+        assert output_data.AccountId == AWS_ACCOUNT_NUMBER
+        assert output_data.Region == AWS_REGION_EU_WEST_1
+        assert output_data.Requirements_Id == "E8-1.8"
+        assert (
+            output_data.Requirements_Description
+            == ESSENTIAL_EIGHT_AWS.Requirements[0].Description
+        )
+        assert output_data.Requirements_Attributes_Section == "1 Patch applications"
+        assert output_data.Requirements_Attributes_MaturityLevel == "ML1"
+        assert output_data.Requirements_Attributes_AssessmentStatus == "Automated"
+        assert output_data.Requirements_Attributes_CloudApplicability == "full"
+        assert (
+            output_data.Requirements_Attributes_MitigatedThreats
+            == "Use of unsupported software, Long-tail vulnerability accumulation"
+        )
+        assert (
+            output_data.Requirements_Attributes_Description
+            == ESSENTIAL_EIGHT_AWS.Requirements[0].Attributes[0].Description
+        )
+        assert output_data.Status == "PASS"
+        assert output_data.StatusExtended == ""
+        assert output_data.ResourceId == ""
+        assert output_data.ResourceName == ""
+        assert output_data.CheckId == "service_test_check_id"
+        assert not output_data.Muted
+
+    def test_manual_requirement(self):
+        findings = [generate_finding_output(compliance={COMPLIANCE_NAME: "E8-1.8"})]
+        output = EssentialEightAWS(findings, ESSENTIAL_EIGHT_AWS)
+
+        # E8-6.1 (macros) has no Checks -> emitted as a manual row, non-applicable
+        manual_rows = [row for row in output.data if row.Status == "MANUAL"]
+        assert len(manual_rows) == 1
+
+        manual = manual_rows[0]
+        assert manual.Provider == "aws"
+        assert manual.AccountId == ""
+        assert manual.Region == ""
+        assert manual.Requirements_Id == "E8-6.1"
+        assert (
+            manual.Requirements_Attributes_Section
+            == "6 Restrict Microsoft Office macros"
+        )
+        assert manual.Requirements_Attributes_MaturityLevel == "ML1"
+        assert manual.Requirements_Attributes_AssessmentStatus == "Manual"
+        assert manual.Requirements_Attributes_CloudApplicability == "non-applicable"
+        assert (
+            manual.Requirements_Attributes_MitigatedThreats
+            == "Macro-based malware delivery"
+        )
+        assert manual.StatusExtended == "Manual check"
+        assert manual.ResourceId == "manual_check"
+        assert manual.ResourceName == "Manual check"
+        assert manual.CheckId == "manual"
+        assert not manual.Muted
+
+    @freeze_time("2025-01-01 00:00:00")
+    @mock.patch(
+        "prowler.lib.outputs.compliance.essential_eight.essential_eight_aws.timestamp",
+        "2025-01-01 00:00:00",
+    )
+    def test_batch_write_data_to_file(self):
+        mock_file = StringIO()
+        findings = [generate_finding_output(compliance={COMPLIANCE_NAME: "E8-1.8"})]
+        output = EssentialEightAWS(findings, ESSENTIAL_EIGHT_AWS)
+        output._file_descriptor = mock_file
+
+        with patch.object(mock_file, "close", return_value=None):
+            output.batch_write_data_to_file()
+
+        mock_file.seek(0)
+        content = mock_file.read()
+
+        # Validate header carries the E8-specific column names
+        first_line = content.split("\r\n", 1)[0]
+        for column in (
+            "REQUIREMENTS_ATTRIBUTES_MATURITYLEVEL",
+            "REQUIREMENTS_ATTRIBUTES_ASSESSMENTSTATUS",
+            "REQUIREMENTS_ATTRIBUTES_CLOUDAPPLICABILITY",
+            "REQUIREMENTS_ATTRIBUTES_MITIGATEDTHREATS",
+            "REQUIREMENTS_ATTRIBUTES_RATIONALESTATEMENT",
+            "REQUIREMENTS_ATTRIBUTES_REMEDIATIONPROCEDURE",
+            "REQUIREMENTS_ATTRIBUTES_AUDITPROCEDURE",
+        ):
+            assert column in first_line, f"missing column {column} in CSV header"
+
+        # rows: header + matched + manual
+        rows = [r for r in content.split("\r\n") if r]
+        assert len(rows) == 3
+        assert rows[1].split(";")[0] == "aws"
+        assert "ML1" in rows[1]
+        assert ";PASS;" in rows[1]
+        assert ";MANUAL;" in rows[2]
+        assert ";manual_check;" in rows[2]
diff --git a/tests/lib/outputs/compliance/fixtures.py b/tests/lib/outputs/compliance/fixtures.py
index 41c68d148f..9aac01392f 100644
--- a/tests/lib/outputs/compliance/fixtures.py
+++ b/tests/lib/outputs/compliance/fixtures.py
@@ -7,6 +7,7 @@ from prowler.lib.check.compliance_models import (
     ENS_Requirement_Attribute,
     ENS_Requirement_Attribute_Nivel,
     ENS_Requirement_Attribute_Tipos,
+    EssentialEight_Requirement_Attribute,
     Generic_Compliance_Requirement_Attribute,
     ISO27001_2013_Requirement_Attribute,
     KISA_ISMSP_Requirement_Attribute,
@@ -1189,3 +1190,58 @@ CCC_GCP_FIXTURE = Compliance(
         ),
     ],
 )
+
+ESSENTIAL_EIGHT_AWS = Compliance(
+    Framework="Essential-Eight",
+    Name="ASD Essential Eight Maturity Model - Maturity Level One (AWS)",
+    Version="Nov 2023",
+    Provider="AWS",
+    Description="Literal mapping of the Australian Signals Directorate (ASD) Essential Eight Maturity Model ML1 to AWS infrastructure checks.",
+    Requirements=[
+        Compliance_Requirement(
+            Id="E8-1.8",
+            Description="Online services that are no longer supported by vendors are removed.",
+            Attributes=[
+                EssentialEight_Requirement_Attribute(
+                    Section="1 Patch applications",
+                    MaturityLevel="ML1",
+                    AssessmentStatus="Automated",
+                    CloudApplicability="full",
+                    MitigatedThreats=[
+                        "Use of unsupported software",
+                        "Long-tail vulnerability accumulation",
+                    ],
+                    Description="Detect and remove unsupported AWS-hosted online services (Lambda runtimes, RDS engines, EKS, Fargate, Kafka, OpenSearch).",
+                    RationaleStatement="Unsupported services no longer receive security patches.",
+                    ImpactStatement="",
+                    RemediationProcedure="Migrate Lambda off deprecated runtimes; remove RDS Extended Support; upgrade EKS.",
+                    AuditProcedure="Run all listed checks.",
+                    AdditionalInformation="ASD Essential Eight ML1 - Patch applications - clause 8.",
+                    References="https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model",
+                )
+            ],
+            Checks=["service_test_check_id"],
+        ),
+        Compliance_Requirement(
+            Id="E8-6.1",
+            Description="Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.",
+            Attributes=[
+                EssentialEight_Requirement_Attribute(
+                    Section="6 Restrict Microsoft Office macros",
+                    MaturityLevel="ML1",
+                    AssessmentStatus="Manual",
+                    CloudApplicability="non-applicable",
+                    MitigatedThreats=["Macro-based malware delivery"],
+                    Description="Endpoint / Microsoft 365 control. Out of AWS infrastructure scope.",
+                    RationaleStatement="Most users never need Office macros.",
+                    ImpactStatement="",
+                    RemediationProcedure="Disable macros via Group Policy / Intune / M365 admin policies.",
+                    AuditProcedure="Manual review of M365 macro policy.",
+                    AdditionalInformation="ASD Essential Eight ML1 - Restrict Microsoft Office macros - clause 1. Out of AWS infrastructure scope.",
+                    References="https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model",
+                )
+            ],
+            Checks=[],
+        ),
+    ],
+)

From e821e07d7d2d79e544c5bd850e8c85e58c0e0cbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= <pedromarting3@gmail.com>
Date: Thu, 30 Apr 2026 13:58:17 +0200
Subject: [PATCH 03/29] docs(rbac): add Manage Alerts permission (#10947)

---
 docs/user-guide/tutorials/prowler-app-rbac.mdx | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/user-guide/tutorials/prowler-app-rbac.mdx b/docs/user-guide/tutorials/prowler-app-rbac.mdx
index 8ac3a9f07b..31fd4a730e 100644
--- a/docs/user-guide/tutorials/prowler-app-rbac.mdx
+++ b/docs/user-guide/tutorials/prowler-app-rbac.mdx
@@ -227,6 +227,7 @@ Assign administrative permissions by selecting from the following options:
 | Manage Integrations | All | Add or modify the Prowler Integrations. |
 | Manage Ingestions | Prowler Cloud | Allow or deny the ability to submit findings ingestion batches via the API. |
 | Manage Billing | Prowler Cloud | Access and manage billing settings and subscription information. |
+| Manage Alerts | Prowler Cloud | Create, edit, and delete alert rules and recipients. |
 
 <Note>
 The **Scope** column indicates where each permission applies. **All** means the permission is available in both Prowler Cloud and Self-Managed deployments. **Prowler Cloud** indicates permissions that are specific to [Prowler Cloud](https://cloud.prowler.com/sign-in).
@@ -241,3 +242,5 @@ The following permissions are available exclusively in **Prowler Cloud**:
 **Manage Ingestions:** Submit and manage findings ingestion jobs via the API. Required to upload OCSF scan results using the `--push-to-cloud` CLI flag or the ingestion endpoints. See [Import Findings](/user-guide/tutorials/prowler-app-import-findings) for details.
 
 **Manage Billing:** Access and manage billing settings, subscription plans, and payment methods.
+
+**Manage Alerts:** Create, edit, and delete alert rules and recipients used to deliver scan-result digests via email.

From 36b8aa1b79d65162347e51adc160dede335805fa Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga <pepe@prowler.com>
Date: Thu, 30 Apr 2026 14:11:29 +0200
Subject: [PATCH 04/29] fix(boto3): pass config to clients (#10944)

---
 prowler/CHANGELOG.md                          |  1 +
 prowler/providers/aws/aws_provider.py         | 55 +++++++++++++------
 prowler/providers/aws/config.py               |  9 +++
 .../lib/quick_inventory/quick_inventory.py    | 12 ++--
 prowler/providers/aws/lib/s3/s3.py            | 13 ++++-
 .../aws/lib/security_hub/security_hub.py      | 12 +++-
 prowler/providers/aws/lib/service/service.py  | 10 +++-
 .../aws/lib/session/aws_set_up_session.py     |  4 +-
 .../globalaccelerator_service.py              | 12 ++--
 .../aws/services/route53/route53_service.py   | 10 ++--
 .../trustedadvisor/trustedadvisor_service.py  | 36 ++++++------
 .../providers/aws/services/waf/waf_service.py |  8 +--
 .../aws/services/wafv2/wafv2_service.py       |  8 +--
 tests/providers/aws/aws_provider_test.py      |  7 +++
 .../lib/organizations/organizations_test.py   | 16 ++++++
 .../providers/aws/lib/service/service_test.py | 10 ++++
 tests/providers/aws/utils.py                  |  6 +-
 17 files changed, 153 insertions(+), 76 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 649ae60c5a..cc5e6d47c8 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -22,6 +22,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🐞 Fixed
 
 - AWS SDK test isolation: autouse `mock_aws` fixture and leak detector in `conftest.py` to prevent tests from hitting real AWS endpoints, with idempotent organization setup for tests calling `set_mocked_aws_provider` multiple times [(#10605)](https://github.com/prowler-cloud/prowler/pull/10605)
+- AWS `boto` user agent extra is now applied to every client [(#10944)](https://github.com/prowler-cloud/prowler/pull/10944)
 
 ### 🔐 Security
 
diff --git a/prowler/providers/aws/aws_provider.py b/prowler/providers/aws/aws_provider.py
index c0f1a1ef01..cf6cbdd73a 100644
--- a/prowler/providers/aws/aws_provider.py
+++ b/prowler/providers/aws/aws_provider.py
@@ -25,8 +25,8 @@ from prowler.lib.utils.utils import open_file, parse_json_file, print_boxes
 from prowler.providers.aws.config import (
     AWS_REGION_US_EAST_1,
     AWS_STS_GLOBAL_ENDPOINT_REGION,
-    BOTO3_USER_AGENT_EXTRA,
     ROLE_SESSION_NAME,
+    get_default_session_config,
 )
 from prowler.providers.aws.exceptions.exceptions import (
     AWSAccessKeyIDInvalidError,
@@ -227,14 +227,15 @@ class AwsProvider(Provider):
 
         # TODO: Use AwsSetUpSession ?????
         # Configure the initial AWS Session using the local credentials: profile or environment variables
+        session_config = self.set_session_config(retries_max_attempts)
         aws_session = self.setup_session(
             mfa=mfa,
             profile=profile,
             aws_access_key_id=aws_access_key_id,
             aws_secret_access_key=aws_secret_access_key,
             aws_session_token=aws_session_token,
+            session_config=session_config,
         )
-        session_config = self.set_session_config(retries_max_attempts)
         # Current session and the original session points to the same session object until we get a new one, if needed
         self._session = AWSSession(
             current_session=aws_session,
@@ -630,6 +631,7 @@ class AwsProvider(Provider):
         aws_access_key_id: str = None,
         aws_secret_access_key: str = None,
         aws_session_token: Optional[str] = None,
+        session_config: Optional[Config] = None,
     ) -> Session:
         """
         setup_session sets up an AWS session using the provided credentials.
@@ -640,6 +642,9 @@ class AwsProvider(Provider):
             - aws_access_key_id: The AWS access key ID.
             - aws_secret_access_key: The AWS secret access key.
             - aws_session_token: The AWS session token, optional.
+            - session_config: Botocore Config applied as the session's default
+              client config so every client created from the session inherits
+              the Prowler user agent and retry settings.
 
         Returns:
             - Session: The AWS session.
@@ -650,6 +655,9 @@ class AwsProvider(Provider):
         try:
             logger.debug("Creating original session ...")
 
+            if session_config is None:
+                session_config = AwsProvider.set_session_config(None)
+
             session_arguments = {}
             if profile:
                 session_arguments["profile_name"] = profile
@@ -661,6 +669,7 @@ class AwsProvider(Provider):
 
             if mfa:
                 session = Session(**session_arguments)
+                session._session.set_default_client_config(session_config)
                 sts_client = session.client("sts")
 
                 # TODO: pass values from the input
@@ -673,7 +682,7 @@ class AwsProvider(Provider):
                 session_credentials = sts_client.get_session_token(
                     **get_session_token_arguments
                 )
-                return Session(
+                mfa_session = Session(
                     aws_access_key_id=session_credentials["Credentials"]["AccessKeyId"],
                     aws_secret_access_key=session_credentials["Credentials"][
                         "SecretAccessKey"
@@ -682,8 +691,12 @@ class AwsProvider(Provider):
                         "SessionToken"
                     ],
                 )
+                mfa_session._session.set_default_client_config(session_config)
+                return mfa_session
             else:
-                return Session(**session_arguments)
+                session = Session(**session_arguments)
+                session._session.set_default_client_config(session_config)
+                return session
         except Exception as error:
             logger.critical(
                 f"AWSSetUpSessionError[{error.__traceback__.tb_lineno}]: {error}"
@@ -698,6 +711,7 @@ class AwsProvider(Provider):
         identity: AWSIdentityInfo,
         assumed_role_configuration: AWSAssumeRoleConfiguration,
         session: AWSSession,
+        session_config: Optional[Config] = None,
     ) -> Session:
         """
         Sets up an assumed session using the provided assumed role credentials.
@@ -742,6 +756,13 @@ class AwsProvider(Provider):
             assumed_session = BotocoreSession()
             assumed_session._credentials = assumed_refreshable_credentials
             assumed_session.set_config_variable("region", identity.profile_region)
+            if session_config is None:
+                session_config = (
+                    session.session_config
+                    if session is not None
+                    else AwsProvider.set_session_config(None)
+                )
+            assumed_session.set_default_client_config(session_config)
             return Session(
                 profile_name=identity.profile,
                 botocore_session=assumed_session,
@@ -870,7 +891,7 @@ class AwsProvider(Provider):
 
             for region in enabled_regions:
                 regional_client = self._session.current_session.client(
-                    service, region_name=region, config=self._session.session_config
+                    service, region_name=region
                 )
                 regional_client.region = region
                 regional_clients[region] = regional_client
@@ -1140,21 +1161,16 @@ class AwsProvider(Provider):
         Returns:
             - Config: The botocore Config object
         """
-        # Set the maximum retries for the standard retrier config
-        default_session_config = Config(
-            retries={"max_attempts": 3, "mode": "standard"},
-            user_agent_extra=BOTO3_USER_AGENT_EXTRA,
-        )
+        default_session_config = get_default_session_config()
         if retries_max_attempts:
-            # Create the new config
-            config = Config(
-                retries={
-                    "max_attempts": retries_max_attempts,
-                    "mode": "standard",
-                },
+            default_session_config = default_session_config.merge(
+                Config(
+                    retries={
+                        "max_attempts": retries_max_attempts,
+                        "mode": "standard",
+                    },
+                )
             )
-            # Merge the new configuration
-            default_session_config = default_session_config.merge(config)
 
         return default_session_config
 
@@ -1425,6 +1441,9 @@ class AwsProvider(Provider):
                     region_name=aws_region,
                     profile_name=profile,
                 )
+                session._session.set_default_client_config(
+                    AwsProvider.set_session_config(None)
+                )
 
             caller_identity = AwsProvider.validate_credentials(session, aws_region)
             # Do an extra validation if the AWS account ID is provided
diff --git a/prowler/providers/aws/config.py b/prowler/providers/aws/config.py
index 216c16e70b..ea55d1a314 100644
--- a/prowler/providers/aws/config.py
+++ b/prowler/providers/aws/config.py
@@ -1,6 +1,15 @@
 import os
 
+from botocore.config import Config
+
 AWS_STS_GLOBAL_ENDPOINT_REGION = "us-east-1"
 AWS_REGION_US_EAST_1 = "us-east-1"
 BOTO3_USER_AGENT_EXTRA = os.getenv("PROWLER_AWS_BOTO3_USER_AGENT_EXTRA", "APN_1826889")
 ROLE_SESSION_NAME = "ProwlerAssessmentSession"
+
+
+def get_default_session_config() -> Config:
+    return Config(
+        user_agent_extra=BOTO3_USER_AGENT_EXTRA,
+        retries={"max_attempts": 3, "mode": "standard"},
+    )
diff --git a/prowler/providers/aws/lib/quick_inventory/quick_inventory.py b/prowler/providers/aws/lib/quick_inventory/quick_inventory.py
index 95e9aea7bb..8ffdd80e7b 100644
--- a/prowler/providers/aws/lib/quick_inventory/quick_inventory.py
+++ b/prowler/providers/aws/lib/quick_inventory/quick_inventory.py
@@ -56,9 +56,7 @@ def quick_inventory(provider: AwsProvider, args):
                 try:
                     # Scan IAM only once
                     if not iam_was_scanned:
-                        global_resources.extend(
-                            get_iam_resources(provider.session.current_session)
-                        )
+                        global_resources.extend(get_iam_resources(provider))
                         iam_was_scanned = True
 
                     # Get regional S3 buckets since none-tagged buckets are not supported by the resourcegroupstaggingapi
@@ -312,8 +310,8 @@ def create_output(resources: list, provider: AwsProvider, args):
             if args.output_bucket:
                 output_bucket = args.output_bucket
                 bucket_session = provider.session.current_session
-            # Check if -D was input
-            elif args.output_bucket_no_assume:
+            # The outer condition guarantees -D was input when -B was not
+            else:
                 output_bucket = args.output_bucket_no_assume
                 bucket_session = provider.session.original_session
 
@@ -375,9 +373,9 @@ def get_regional_buckets(provider: AwsProvider, region: str) -> list:
     return regional_buckets
 
 
-def get_iam_resources(session) -> list:
+def get_iam_resources(provider: AwsProvider) -> list:
     iam_resources = []
-    iam_client = session.client("iam")
+    iam_client = provider.session.current_session.client("iam")
     try:
         get_roles_paginator = iam_client.get_paginator("list_roles")
         for page in get_roles_paginator.paginate():
diff --git a/prowler/providers/aws/lib/s3/s3.py b/prowler/providers/aws/lib/s3/s3.py
index ae609e67c6..a4bbb42cc7 100644
--- a/prowler/providers/aws/lib/s3/s3.py
+++ b/prowler/providers/aws/lib/s3/s3.py
@@ -111,6 +111,13 @@ class S3:
         - None
         """
         if session:
+            # Preserve the caller's existing default config (and the
+            # retries_max_attempts already baked into it) instead of clobbering
+            # it with a freshly built one.
+            if session._session.get_default_client_config() is None:
+                session._session.set_default_client_config(
+                    AwsProvider.set_session_config(retries_max_attempts)
+                )
             self._session = session.client(__class__.__name__.lower())
         else:
             aws_setup_session = AwsSetUpSession(
@@ -127,8 +134,7 @@ class S3:
                 regions=regions,
             )
             self._session = aws_setup_session._session.current_session.client(
-                __class__.__name__.lower(),
-                config=aws_setup_session._session.session_config,
+                __class__.__name__.lower()
             )
 
         self._bucket_name = bucket_name
@@ -313,6 +319,9 @@ class S3:
                     region_name=aws_region,
                     profile_name=profile,
                 )
+                session._session.set_default_client_config(
+                    AwsProvider.set_session_config(None)
+                )
             s3_client = session.client(__class__.__name__.lower())
             if "s3://" in bucket_name:
                 bucket_name = bucket_name.removeprefix("s3://")
diff --git a/prowler/providers/aws/lib/security_hub/security_hub.py b/prowler/providers/aws/lib/security_hub/security_hub.py
index a45d36c2fd..bc372d1ddd 100644
--- a/prowler/providers/aws/lib/security_hub/security_hub.py
+++ b/prowler/providers/aws/lib/security_hub/security_hub.py
@@ -148,6 +148,13 @@ class SecurityHub:
                 regions=regions,
             )
             self._session = aws_setup_session._session.current_session
+        # Only install the Prowler default config when the caller-supplied
+        # session does not already carry one — overwriting would drop the
+        # provider's retries_max_attempts value.
+        if aws_session and self._session._session.get_default_client_config() is None:
+            self._session._session.set_default_client_config(
+                AwsProvider.set_session_config(retries_max_attempts)
+            )
         self._aws_account_id = aws_account_id
         if not aws_partition:
             aws_partition = AwsProvider.validate_credentials(
@@ -235,7 +242,7 @@ class SecurityHub:
 
         Args:
             region (str): AWS region to check.
-            session (Session): AWS session object.
+            session (Session): AWS session object. Expected to carry the Prowler default client config.
             aws_account_id (str): AWS account ID.
             aws_partition (str): AWS partition.
 
@@ -540,6 +547,9 @@ class SecurityHub:
                     region_name=aws_region,
                     profile_name=profile,
                 )
+                session._session.set_default_client_config(
+                    AwsProvider.set_session_config(None)
+                )
 
             all_regions = AwsProvider.get_available_aws_service_regions(
                 service="securityhub", partition=aws_partition
diff --git a/prowler/providers/aws/lib/service/service.py b/prowler/providers/aws/lib/service/service.py
index 1044a21881..ac241c64a2 100644
--- a/prowler/providers/aws/lib/service/service.py
+++ b/prowler/providers/aws/lib/service/service.py
@@ -32,7 +32,13 @@ class AWSService:
     def is_failed_check(cls, check_id, arn):
         return (check_id.split(".")[-1], arn) in cls.failed_checks
 
-    def __init__(self, service: str, provider: AwsProvider, global_service=False):
+    def __init__(
+        self,
+        service: str,
+        provider: AwsProvider,
+        global_service=False,
+        region: str = None,
+    ):
         # Audit Information
         # Do we need to store the whole provider?
         self.provider = provider
@@ -61,7 +67,7 @@ class AWSService:
         # Get a single region and client if the service needs it (e.g. AWS Global Service)
         # We cannot include this within an else because some services needs both the regional_clients
         # and a single client like S3
-        self.region = provider.get_default_region(
+        self.region = region or provider.get_default_region(
             self.service, global_service=global_service
         )
         self.client = self.session.client(self.service, self.region)
diff --git a/prowler/providers/aws/lib/session/aws_set_up_session.py b/prowler/providers/aws/lib/session/aws_set_up_session.py
index 9246c0a9eb..3189400040 100644
--- a/prowler/providers/aws/lib/session/aws_set_up_session.py
+++ b/prowler/providers/aws/lib/session/aws_set_up_session.py
@@ -73,15 +73,15 @@ class AwsSetUpSession:
             aws_access_key_id=aws_access_key_id,
             aws_secret_access_key=aws_secret_access_key,
         )
-        # Setup the AWS session
+        session_config = AwsProvider.set_session_config(retries_max_attempts)
         aws_session = AwsProvider.setup_session(
             mfa=mfa,
             profile=profile,
             aws_access_key_id=aws_access_key_id,
             aws_secret_access_key=aws_secret_access_key,
             aws_session_token=aws_session_token,
+            session_config=session_config,
         )
-        session_config = AwsProvider.set_session_config(retries_max_attempts)
         self._session = AWSSession(
             current_session=aws_session,
             session_config=session_config,
diff --git a/prowler/providers/aws/services/globalaccelerator/globalaccelerator_service.py b/prowler/providers/aws/services/globalaccelerator/globalaccelerator_service.py
index 0a767cafed..f49ac1ceba 100644
--- a/prowler/providers/aws/services/globalaccelerator/globalaccelerator_service.py
+++ b/prowler/providers/aws/services/globalaccelerator/globalaccelerator_service.py
@@ -9,15 +9,13 @@ from prowler.providers.aws.lib.service.service import AWSService
 
 class GlobalAccelerator(AWSService):
     def __init__(self, provider):
-        # Call AWSService's __init__
-        super().__init__(__class__.__name__, provider)
+        # Global Accelerator is a global service that supports endpoints in multiple AWS Regions
+        # but you must specify the US West (Oregon) Region to create, update, or otherwise work with accelerators.
+        # That is, for example, specify --region us-west-2 on AWS CLI commands.
+        region = "us-west-2" if provider.identity.partition == "aws" else None
+        super().__init__(__class__.__name__, provider, region=region)
         self.accelerators = {}
         if self.audited_partition == "aws":
-            # Global Accelerator is a global service that supports endpoints in multiple AWS Regions
-            # but you must specify the US West (Oregon) Region to create, update, or otherwise work with accelerators.
-            # That is, for example, specify --region us-west-2 on AWS CLI commands.
-            self.region = "us-west-2"
-            self.client = self.session.client(self.service, self.region)
             self._list_accelerators()
             self.__threading_call__(self._list_tags, self.accelerators.values())
 
diff --git a/prowler/providers/aws/services/route53/route53_service.py b/prowler/providers/aws/services/route53/route53_service.py
index c3ec37d9a3..54de22440d 100644
--- a/prowler/providers/aws/services/route53/route53_service.py
+++ b/prowler/providers/aws/services/route53/route53_service.py
@@ -176,14 +176,12 @@ class RecordSet(BaseModel):
 
 class Route53Domains(AWSService):
     def __init__(self, provider):
-        # Call AWSService's __init__
-        super().__init__(__class__.__name__, provider)
+        # Route53Domains is a global service that supports endpoints in multiple AWS Regions
+        # but you must specify the US East (N. Virginia) Region to create, update, or otherwise work with domains.
+        region = "us-east-1" if provider.identity.partition == "aws" else None
+        super().__init__(__class__.__name__, provider, region=region)
         self.domains = {}
         if self.audited_partition == "aws":
-            # Route53Domains is a global service that supports endpoints in multiple AWS Regions
-            # but you must specify the US East (N. Virginia) Region to create, update, or otherwise work with domains.
-            self.region = "us-east-1"
-            self.client = self.session.client(self.service, self.region)
             self._list_domains()
             self._get_domain_detail()
             self._list_tags_for_domain()
diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py
index bad30341b2..5569569290 100644
--- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py
+++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py
@@ -9,20 +9,20 @@ from prowler.providers.aws.lib.service.service import AWSService
 
 class TrustedAdvisor(AWSService):
     def __init__(self, provider):
-        # Call AWSService's __init__
-        super().__init__("support", provider)
+        # Support API is not available in China Partition
+        # But only in us-east-1 or us-gov-west-1 https://docs.aws.amazon.com/general/latest/gr/awssupport.html
+        partition = provider.identity.partition
+        if partition == "aws":
+            support_region = "us-east-1"
+        elif partition == "aws-cn":
+            support_region = None
+        else:
+            support_region = "us-gov-west-1"
+        super().__init__("support", provider, region=support_region)
         self.account_arn_template = f"arn:{self.audited_partition}:trusted-advisor:{self.region}:{self.audited_account}:account"
         self.checks = []
         self.premium_support = PremiumSupport(enabled=False)
-        # Support API is not available in China Partition
-        # But only in us-east-1 or us-gov-west-1 https://docs.aws.amazon.com/general/latest/gr/awssupport.html
         if self.audited_partition != "aws-cn":
-            if self.audited_partition == "aws":
-                support_region = "us-east-1"
-            else:
-                support_region = "us-gov-west-1"
-            self.client = self.session.client(self.service, region_name=support_region)
-            self.client.region = support_region
             self._describe_services()
             if getattr(self.premium_support, "enabled", False):
                 self._describe_trusted_advisor_checks()
@@ -34,13 +34,13 @@ class TrustedAdvisor(AWSService):
             for check in self.client.describe_trusted_advisor_checks(language="en").get(
                 "checks", []
             ):
-                check_arn = f"arn:{self.audited_partition}:trusted-advisor:{self.client.region}:{self.audited_account}:check/{check['id']}"
+                check_arn = f"arn:{self.audited_partition}:trusted-advisor:{self.region}:{self.audited_account}:check/{check['id']}"
                 self.checks.append(
                     Check(
                         id=check["id"],
                         name=check["name"],
                         arn=check_arn,
-                        region=self.client.region,
+                        region=self.region,
                     )
                 )
         except ClientError as error:
@@ -50,22 +50,22 @@ class TrustedAdvisor(AWSService):
                 == "Amazon Web Services Premium Support Subscription is required to use this service."
             ):
                 logger.warning(
-                    f"{self.client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                 )
             else:
                 logger.error(
-                    f"{self.client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                    f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                 )
         except Exception as error:
             logger.error(
-                f"{self.client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
     def _describe_trusted_advisor_check_result(self):
         logger.info("TrustedAdvisor - Describing Check Result...")
         try:
             for check in self.checks:
-                if check.region == self.client.region:
+                if check.region == self.region:
                     try:
                         response = self.client.describe_trusted_advisor_check_result(
                             checkId=check.id
@@ -78,11 +78,11 @@ class TrustedAdvisor(AWSService):
                             == "InvalidParameterValueException"
                         ):
                             logger.warning(
-                                f"{self.client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                             )
         except Exception as error:
             logger.error(
-                f"{self.client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
     def _describe_services(self):
diff --git a/prowler/providers/aws/services/waf/waf_service.py b/prowler/providers/aws/services/waf/waf_service.py
index b1fda19c50..25476e6858 100644
--- a/prowler/providers/aws/services/waf/waf_service.py
+++ b/prowler/providers/aws/services/waf/waf_service.py
@@ -9,15 +9,13 @@ from prowler.providers.aws.lib.service.service import AWSService
 
 class WAF(AWSService):
     def __init__(self, provider):
-        # Call AWSService's __init__
-        super().__init__("waf", provider)
+        # AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets.
+        region = "us-east-1" if provider.identity.partition == "aws" else None
+        super().__init__("waf", provider, region=region)
         self.rules = {}
         self.rule_groups = {}
         self.web_acls = {}
         if self.audited_partition == "aws":
-            # AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets.
-            self.region = "us-east-1"
-            self.client = self.session.client(self.service, self.region)
             self._list_rules()
             self.__threading_call__(self._get_rule, self.rules.values())
             self._list_rule_groups()
diff --git a/prowler/providers/aws/services/wafv2/wafv2_service.py b/prowler/providers/aws/services/wafv2/wafv2_service.py
index 6a9d3ca5b8..5682502ae3 100644
--- a/prowler/providers/aws/services/wafv2/wafv2_service.py
+++ b/prowler/providers/aws/services/wafv2/wafv2_service.py
@@ -11,13 +11,11 @@ from prowler.providers.aws.lib.service.service import AWSService
 
 class WAFv2(AWSService):
     def __init__(self, provider):
-        # Call AWSService's __init__
-        super().__init__(__class__.__name__, provider)
+        # AWS WAFv2 is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL.
+        region = "us-east-1" if provider.identity.partition == "aws" else None
+        super().__init__(__class__.__name__, provider, region=region)
         self.web_acls = {}
         if self.audited_partition == "aws":
-            # AWS WAFv2 is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL.
-            self.region = "us-east-1"
-            self.client = self.session.client(self.service, self.region)
             self._list_web_acls_global()
         self.__threading_call__(self._list_web_acls_regional)
         self.__threading_call__(self._get_web_acl, self.web_acls.values())
diff --git a/tests/providers/aws/aws_provider_test.py b/tests/providers/aws/aws_provider_test.py
index ea37e58e82..f874ca8812 100644
--- a/tests/providers/aws/aws_provider_test.py
+++ b/tests/providers/aws/aws_provider_test.py
@@ -21,6 +21,7 @@ from prowler.providers.aws.config import (
     AWS_STS_GLOBAL_ENDPOINT_REGION,
     BOTO3_USER_AGENT_EXTRA,
     ROLE_SESSION_NAME,
+    get_default_session_config,
 )
 from prowler.providers.aws.exceptions.exceptions import (
     AWSArgumentTypeValidationError,
@@ -2242,6 +2243,12 @@ aws:
         assert session_config.user_agent_extra == BOTO3_USER_AGENT_EXTRA
         assert session_config.retries == {"max_attempts": 10, "mode": "standard"}
 
+    def test_get_default_session_config(self):
+        config = get_default_session_config()
+
+        assert config.user_agent_extra == BOTO3_USER_AGENT_EXTRA
+        assert config.retries == {"max_attempts": 3, "mode": "standard"}
+
     @mock_aws
     @patch(
         "prowler.lib.check.utils.recover_checks_from_provider",
diff --git a/tests/providers/aws/lib/organizations/organizations_test.py b/tests/providers/aws/lib/organizations/organizations_test.py
index 8c0def64ac..a2d8ad0441 100644
--- a/tests/providers/aws/lib/organizations/organizations_test.py
+++ b/tests/providers/aws/lib/organizations/organizations_test.py
@@ -4,6 +4,8 @@ import boto3
 from botocore.exceptions import ClientError
 from moto import mock_aws
 
+from prowler.providers.aws.aws_provider import AwsProvider
+from prowler.providers.aws.config import BOTO3_USER_AGENT_EXTRA
 from prowler.providers.aws.lib.organizations.organizations import (
     _get_ou_metadata,
     get_organizations_metadata,
@@ -222,6 +224,20 @@ class Test_AWS_Organizations:
         assert tags == {}
         assert ou_metadata == {}
 
+    def test_get_organizations_metadata_uses_user_agent_extra(self):
+        real_session = boto3.Session()
+        real_session._session.set_default_client_config(
+            AwsProvider.set_session_config(None)
+        )
+        wrapper = MagicMock(wraps=real_session)
+
+        get_organizations_metadata("123456789012", wrapper)
+
+        wrapper.client.assert_called_once()
+        default_config = real_session._session.get_default_client_config()
+        assert default_config is not None
+        assert BOTO3_USER_AGENT_EXTRA in default_config.user_agent_extra
+
     def test_parse_organizations_metadata_with_empty_ou_metadata(self):
         tags = {"Tags": []}
         metadata = {
diff --git a/tests/providers/aws/lib/service/service_test.py b/tests/providers/aws/lib/service/service_test.py
index 452a2a93ff..c1cd4b05bc 100644
--- a/tests/providers/aws/lib/service/service_test.py
+++ b/tests/providers/aws/lib/service/service_test.py
@@ -1,5 +1,6 @@
 from mock import patch
 
+from prowler.providers.aws.config import BOTO3_USER_AGENT_EXTRA
 from prowler.providers.aws.lib.service.service import AWSService
 from tests.providers.aws.utils import (
     AWS_ACCOUNT_ARN,
@@ -189,6 +190,15 @@ class TestAWSService:
             == f"arn:{service.audited_partition}:{service_name}::{AWS_ACCOUNT_NUMBER}:bucket/unknown"
         )
 
+    def test_AWSService_clients_carry_user_agent_extra(self):
+        provider = set_mocked_aws_provider()
+
+        service = AWSService("s3", provider)
+        ad_hoc_client = service.session.client("ec2", AWS_REGION_US_EAST_1)
+
+        assert BOTO3_USER_AGENT_EXTRA in service.client._client_config.user_agent_extra
+        assert BOTO3_USER_AGENT_EXTRA in ad_hoc_client._client_config.user_agent_extra
+
     def test_AWSService_get_unknown_arn_resource_type_set_region(self):
         service_name = "s3"
         provider = set_mocked_aws_provider()
diff --git a/tests/providers/aws/utils.py b/tests/providers/aws/utils.py
index 2341b6b5fd..0b11798e1f 100644
--- a/tests/providers/aws/utils.py
+++ b/tests/providers/aws/utils.py
@@ -2,7 +2,6 @@ from argparse import Namespace
 from json import dumps
 
 from boto3 import client, session
-from botocore.config import Config
 from moto import mock_aws
 
 from prowler.config.config import (
@@ -133,10 +132,11 @@ def set_mocked_aws_provider(
     provider = AwsProvider()
 
     # Mock Session
-    provider._session.session_config = None
+    session_config = AwsProvider.set_session_config(None)
+    provider._session.session_config = session_config
     provider._session.original_session = original_session
     provider._session.current_session = audit_session
-    provider._session.session_config = Config()
+    audit_session._session.set_default_client_config(session_config)
     # Mock Identity
     provider._identity.account = audited_account
     provider._identity.account_arn = audited_account_arn

From 3ab9a4efa535008bf2f4fc96e17947a12b93e408 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= <pedromarting3@gmail.com>
Date: Thu, 30 Apr 2026 14:13:40 +0200
Subject: [PATCH 05/29] chore(changelog): update with latest changes (#10948)

---
 prowler/CHANGELOG.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index cc5e6d47c8..4a017a47e2 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -8,9 +8,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 - `bedrock_guardrails_configured` check for AWS provider [(#10844)](https://github.com/prowler-cloud/prowler/pull/10844)
 - Universal compliance pipeline integrated into the CLI: `--list-compliance` and `--list-compliance-requirements` show universal frameworks, and CSV plus OCSF outputs are generated for any framework declaring a `TableConfig` [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
-
-### 🚀 Added
-- ASD Essential Eight Maturity Model compliance framework for AWS provider, mapping 64 checks across all 8 controls [(#10808)](https://github.com/prowler-cloud/prowler/pull/10808)
+- ASD Essential Eight Maturity Model compliance framework for AWS (Maturity Level One, Nov 2023) [(#10808)](https://github.com/prowler-cloud/prowler/pull/10808)
 
 ### 🔄 Changed
 

From c802dc8a362d6b72ae2c56ed9cab847120f78272 Mon Sep 17 00:00:00 2001
From: Danny Lyubenov <23269399+DannyLyubenov@users.noreply.github.com>
Date: Thu, 30 Apr 2026 16:19:21 +0100
Subject: [PATCH 06/29] feat(codebuild): use batched API calls to prevent
 throttling and false positives (#10639)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
---
 prowler/CHANGELOG.md                          |   1 +
 .../services/codebuild/codebuild_service.py   | 112 ++++++++++++++----
 .../codebuild/codebuild_service_test.py       |  97 ++++++++++++++-
 3 files changed, 188 insertions(+), 22 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 4a017a47e2..cdf166674b 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -15,6 +15,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `route53_dangling_ip_subdomain_takeover` now also flags `CNAME` records pointing to S3 website endpoints whose buckets are missing from the account [(#10920)](https://github.com/prowler-cloud/prowler/pull/10920)
 - Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645)
 - Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs
+- AWS CodeBuild service now batches `BatchGetProjects` and `BatchGetBuilds` calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in `codebuild_project_not_publicly_accessible` [(#10639)](https://github.com/prowler-cloud/prowler/pull/10639)
 - `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
 
 ### 🐞 Fixed
diff --git a/prowler/providers/aws/services/codebuild/codebuild_service.py b/prowler/providers/aws/services/codebuild/codebuild_service.py
index 361002aa65..d4d085065d 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_service.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_service.py
@@ -1,4 +1,5 @@
 import datetime
+from concurrent.futures import as_completed
 from typing import List, Optional
 
 from pydantic.v1 import BaseModel
@@ -14,9 +15,9 @@ class Codebuild(AWSService):
         super().__init__(__class__.__name__, provider)
         self.projects = {}
         self.__threading_call__(self._list_projects)
-        self.__threading_call__(self._list_builds_for_project, self.projects.values())
-        self.__threading_call__(self._batch_get_builds, self.projects.values())
-        self.__threading_call__(self._batch_get_projects, self.projects.values())
+        self.__threading_call__(self._list_builds_for_project)
+        self.__threading_call__(self._batch_get_builds)
+        self.__threading_call__(self._batch_get_projects)
         self.report_groups = {}
         self.__threading_call__(self._list_report_groups)
         self.__threading_call__(
@@ -44,10 +45,8 @@ class Codebuild(AWSService):
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
-    def _list_builds_for_project(self, project):
-        logger.info("Codebuild - Listing builds...")
+    def _fetch_project_last_build(self, regional_client, project):
         try:
-            regional_client = self.regional_clients[project.region]
             build_ids = regional_client.list_builds_for_project(
                 projectName=project.name
             ).get("ids", [])
@@ -58,28 +57,99 @@ class Codebuild(AWSService):
                 f"{project.region}: {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
-    def _batch_get_builds(self, project):
-        logger.info("Codebuild - Getting builds...")
+    def _list_builds_for_project(self, regional_client):
+        logger.info("Codebuild - Listing builds...")
         try:
-            if project.last_build and project.last_build.id:
-                regional_client = self.regional_clients[project.region]
-                builds_by_id = regional_client.batch_get_builds(
-                    ids=[project.last_build.id]
-                ).get("builds", [])
-                if len(builds_by_id) > 0:
-                    project.last_invoked_time = builds_by_id[0].get("endTime")
+            regional_projects = [
+                project
+                for project in self.projects.values()
+                if project.region == regional_client.region
+            ]
+
+            # list_builds_for_project has no batch API equivalent, so reuse the
+            # shared thread pool to issue per-project calls in parallel within
+            # this region — preserving the wall-clock performance of the
+            # previous implementation.
+            futures = [
+                self.thread_pool.submit(
+                    self._fetch_project_last_build, regional_client, project
+                )
+                for project in regional_projects
+            ]
+            for future in as_completed(futures):
+                try:
+                    future.result()
+                except Exception:
+                    pass
         except Exception as error:
             logger.error(
-                f"{regional_client.region}: {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
-    def _batch_get_projects(self, project):
+    def _batch_get_builds(self, regional_client):
+        logger.info("Codebuild - Getting builds...")
+        try:
+            # Collect all build IDs for this region
+            build_id_to_project = {}
+            for project in self.projects.values():
+                if (
+                    project.region == regional_client.region
+                    and project.last_build
+                    and project.last_build.id
+                ):
+                    build_id_to_project[project.last_build.id] = project
+
+            if not build_id_to_project:
+                return
+
+            build_ids = list(build_id_to_project.keys())
+
+            # batch_get_builds supports up to 100 IDs per call
+            for i in range(0, len(build_ids), 100):
+                batch = build_ids[i : i + 100]
+                response = regional_client.batch_get_builds(ids=batch)
+                for build_info in response.get("builds", []):
+                    build_id = build_info.get("id")
+                    if build_id in build_id_to_project:
+                        end_time = build_info.get("endTime")
+                        if end_time:
+                            build_id_to_project[build_id].last_invoked_time = end_time
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _batch_get_projects(self, regional_client):
         logger.info("Codebuild - Getting projects...")
         try:
-            regional_client = self.regional_clients[project.region]
-            project_info = regional_client.batch_get_projects(names=[project.name])[
-                "projects"
-            ][0]
+            # Collect all project names for this region
+            regional_projects = {
+                arn: project
+                for arn, project in self.projects.items()
+                if project.region == regional_client.region
+            }
+            if not regional_projects:
+                return
+
+            project_names = [project.name for project in regional_projects.values()]
+
+            # batch_get_projects supports up to 100 names per call
+            for i in range(0, len(project_names), 100):
+                batch = project_names[i : i + 100]
+                response = regional_client.batch_get_projects(names=batch)
+                for project_info in response.get("projects", []):
+                    project_arn = project_info.get("arn")
+                    if project_arn in regional_projects:
+                        self._parse_project_info(
+                            regional_projects[project_arn], project_info
+                        )
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _parse_project_info(self, project, project_info):
+        try:
             project.buildspec = project_info["source"].get("buildspec")
             if project_info["source"]["type"] != "NO_SOURCE":
                 project.source = Source(
diff --git a/tests/providers/aws/services/codebuild/codebuild_service_test.py b/tests/providers/aws/services/codebuild/codebuild_service_test.py
index 13bf7b31fb..5b9820cc47 100644
--- a/tests/providers/aws/services/codebuild/codebuild_service_test.py
+++ b/tests/providers/aws/services/codebuild/codebuild_service_test.py
@@ -45,11 +45,12 @@ def mock_make_api_call(self, operation_name, kwarg):
     elif operation_name == "ListBuildsForProject":
         return {"ids": [build_id]}
     elif operation_name == "BatchGetBuilds":
-        return {"builds": [{"endTime": last_invoked_time}]}
+        return {"builds": [{"id": build_id, "endTime": last_invoked_time}]}
     elif operation_name == "BatchGetProjects":
         return {
             "projects": [
                 {
+                    "arn": project_arn,
                     "source": {
                         "type": source_type,
                         "location": bitbucket_url,
@@ -230,3 +231,97 @@ class Test_Codebuild_Service:
         assert (
             codebuild.report_groups[report_group_arn].tags[0]["value"] == project_name
         )
+
+
+# Module-level state and helpers used by the chunking/out-of-order test below.
+# Kept at module level so the API-call mock is a plain function rather than a
+# closure defined inside the test method.
+TOTAL_PROJECTS = 150
+many_project_names = [f"project-{i}" for i in range(TOTAL_PROJECTS)]
+many_project_arns = [
+    f"arn:{AWS_COMMERCIAL_PARTITION}:codebuild:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:project/{name}"
+    for name in many_project_names
+]
+many_build_ids_for = {name: f"{name}:build-id" for name in many_project_names}
+many_end_times_for = {
+    name: datetime.now() - timedelta(days=i)
+    for i, name in enumerate(many_project_names)
+}
+many_name_by_build_id = {v: k for k, v in many_build_ids_for.items()}
+many_batch_call_sizes = {"BatchGetProjects": [], "BatchGetBuilds": []}
+
+
+def mock_make_api_call_many_projects(self, operation_name, kwarg):
+    if operation_name == "ListProjects":
+        return {"projects": many_project_names}
+    if operation_name == "ListBuildsForProject":
+        return {"ids": [many_build_ids_for[kwarg["projectName"]]]}
+    if operation_name == "BatchGetBuilds":
+        ids = kwarg["ids"]
+        many_batch_call_sizes["BatchGetBuilds"].append(len(ids))
+        # Reverse the response order to verify id->project mapping does not
+        # depend on response ordering.
+        builds = [
+            {"id": bid, "endTime": many_end_times_for[many_name_by_build_id[bid]]}
+            for bid in reversed(ids)
+        ]
+        return {"builds": builds}
+    if operation_name == "BatchGetProjects":
+        names = kwarg["names"]
+        many_batch_call_sizes["BatchGetProjects"].append(len(names))
+        # Reverse the response order to verify arn->project mapping does not
+        # depend on response ordering.
+        projects = [
+            {
+                "arn": f"arn:{AWS_COMMERCIAL_PARTITION}:codebuild:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:project/{name}",
+                "source": {"type": "NO_SOURCE"},
+                "logsConfig": {},
+                "tags": [],
+                "projectVisibility": "PRIVATE",
+            }
+            for name in reversed(names)
+        ]
+        return {"projects": projects}
+    if operation_name == "ListReportGroups":
+        return {"reportGroups": []}
+    return make_api_call(self, operation_name, kwarg)
+
+
+class Test_Codebuild_Service_Batching:
+    @patch(
+        "botocore.client.BaseClient._make_api_call",
+        new=mock_make_api_call_many_projects,
+    )
+    @patch(
+        "prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients",
+        new=mock_generate_regional_clients,
+    )
+    @mock_aws
+    def test_codebuild_batches_chunks_over_100_projects_and_maps_out_of_order_responses(
+        self,
+    ):
+        """Verify _batch_get_projects/_batch_get_builds chunk in groups of 100
+        and correctly map out-of-order batch responses back to the right
+        project using `arn`/`id`.
+        """
+        # Reset the per-test recorder (module-level state survives across runs).
+        many_batch_call_sizes["BatchGetProjects"].clear()
+        many_batch_call_sizes["BatchGetBuilds"].clear()
+
+        codebuild = Codebuild(set_mocked_aws_provider([AWS_REGION_EU_WEST_1]))
+
+        # Verify chunking: 150 items -> two batches of 100 and 50.
+        assert sorted(many_batch_call_sizes["BatchGetProjects"]) == [50, 100]
+        assert sorted(many_batch_call_sizes["BatchGetBuilds"]) == [50, 100]
+
+        # Verify all projects were tracked.
+        assert len(codebuild.projects) == TOTAL_PROJECTS
+
+        # Verify out-of-order responses were correctly mapped back to the
+        # right project by `arn` (projects) and `id` (builds).
+        for name, arn in zip(many_project_names, many_project_arns):
+            project = codebuild.projects[arn]
+            assert project.name == name
+            assert project.project_visibility == "PRIVATE"
+            assert project.last_build == Build(id=many_build_ids_for[name])
+            assert project.last_invoked_time == many_end_times_for[name]

From 8db3a896697e3e5d79b8f5cef1c885a3f5f5b954 Mon Sep 17 00:00:00 2001
From: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
Date: Thu, 30 Apr 2026 17:07:25 +0100
Subject: [PATCH 07/29] ci: remove andoniaf from prowler-cloud (#10926)

---
 .github/workflows/labeler.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 621a763da5..d55e60ae88 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -62,7 +62,7 @@ jobs:
             "Alan-TheGentleman"
             "alejandrobailo"
             "amitsharm"
-            "andoniaf"
+            # "andoniaf"
             "cesararroba"
             "danibarranqueroo"
             "HugoPBrito"

From 40dd0e640b72ee2b9990c86e62103dc745c6bf7a Mon Sep 17 00:00:00 2001
From: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>
Date: Mon, 4 May 2026 08:37:46 +0200
Subject: [PATCH 08/29] fix(sdk): strip http(s):// scheme from image registry
 URLs (#10950)

---
 prowler/CHANGELOG.md                         |  1 +
 prowler/providers/image/image_provider.py    | 20 ++++--
 tests/providers/image/image_provider_test.py | 69 +++++++++++++++++++-
 3 files changed, 84 insertions(+), 6 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index cdf166674b..d49c7eb43c 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -22,6 +22,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 - AWS SDK test isolation: autouse `mock_aws` fixture and leak detector in `conftest.py` to prevent tests from hitting real AWS endpoints, with idempotent organization setup for tests calling `set_mocked_aws_provider` multiple times [(#10605)](https://github.com/prowler-cloud/prowler/pull/10605)
 - AWS `boto` user agent extra is now applied to every client [(#10944)](https://github.com/prowler-cloud/prowler/pull/10944)
+- Image provider connection check no longer fails with a misleading `host='https'` resolution error when the registry URL includes an `http://` or `https://` scheme prefix [(#10950)](https://github.com/prowler-cloud/prowler/pull/10950)
 
 ### 🔐 Security
 
diff --git a/prowler/providers/image/image_provider.py b/prowler/providers/image/image_provider.py
index 7c9a9cbb08..07d02c04c9 100644
--- a/prowler/providers/image/image_provider.py
+++ b/prowler/providers/image/image_provider.py
@@ -329,12 +329,21 @@ class ImageProvider(Provider):
         """Image provider doesn't need a session since it uses Trivy directly"""
         return None
 
+    @staticmethod
+    def _strip_scheme(value: str) -> str:
+        """Remove a leading http:// or https:// scheme from a registry input."""
+        for prefix in ("https://", "http://"):
+            if value.lower().startswith(prefix):
+                return value[len(prefix) :]
+        return value
+
     @staticmethod
     def _extract_registry(image: str) -> str | None:
         """Extract registry hostname from an image reference.
 
         Returns None for Docker Hub images (no registry prefix).
         """
+        image = ImageProvider._strip_scheme(image)
         parts = image.split("/")
         if len(parts) >= 2 and ("." in parts[0] or ":" in parts[0]):
             return parts[0]
@@ -348,6 +357,7 @@ class ImageProvider(Provider):
         or "myregistry.com:5000" are registry URLs (dots in host, no slash).
         Image references like "alpine:3.18" or "nginx" are not.
         """
+        image_uid = ImageProvider._strip_scheme(image_uid)
         if "/" not in image_uid:
             host_part = image_uid.split(":")[0]
             if "." in host_part:
@@ -835,11 +845,9 @@ class ImageProvider(Provider):
                     image_ref = f"{repo}:{tag}"
                 else:
                     # OCI registries need the full host/repo:tag reference
-                    registry_host = self.registry.rstrip("/")
-                    for prefix in ("https://", "http://"):
-                        if registry_host.startswith(prefix):
-                            registry_host = registry_host[len(prefix) :]
-                            break
+                    registry_host = ImageProvider._strip_scheme(
+                        self.registry.rstrip("/")
+                    )
                     image_ref = f"{registry_host}/{repo}:{tag}"
                 discovered_images.append(image_ref)
 
@@ -977,6 +985,8 @@ class ImageProvider(Provider):
             if not image:
                 return Connection(is_connected=False, error="Image name is required")
 
+            image = ImageProvider._strip_scheme(image)
+
             # Registry URL (bare hostname) → test via OCI catalog
             if ImageProvider._is_registry_url(image):
                 return ImageProvider._test_registry_connection(
diff --git a/tests/providers/image/image_provider_test.py b/tests/providers/image/image_provider_test.py
index 68b0c5d7a2..4462df6beb 100644
--- a/tests/providers/image/image_provider_test.py
+++ b/tests/providers/image/image_provider_test.py
@@ -7,6 +7,7 @@ from unittest.mock import MagicMock, patch
 import pytest
 
 from prowler.lib.check.models import CheckReportImage
+from prowler.providers.common.provider import Provider
 from prowler.providers.image.exceptions.exceptions import (
     ImageInvalidConfigScannerError,
     ImageInvalidNameError,
@@ -20,7 +21,6 @@ from prowler.providers.image.exceptions.exceptions import (
     ImageScanError,
     ImageTrivyBinaryNotFoundError,
 )
-from prowler.providers.common.provider import Provider
 from prowler.providers.image.image_provider import ImageProvider
 from tests.providers.image.image_fixtures import (
     SAMPLE_IMAGE_SHA,
@@ -345,6 +345,24 @@ class TestImageProvider:
         )
         mock_adapter.list_repositories.assert_called_once()
 
+    @patch("prowler.providers.image.image_provider.create_registry_adapter")
+    def test_test_connection_registry_url_with_https_scheme(self, mock_factory):
+        """Registry URL with https:// scheme is normalised before adapter creation."""
+        mock_adapter = MagicMock()
+        mock_adapter.list_repositories.return_value = ["repo1"]
+        mock_factory.return_value = mock_adapter
+
+        result = ImageProvider.test_connection(image="https://my-registry.example.com")
+
+        assert result.is_connected is True
+        mock_factory.assert_called_once_with(
+            registry_url="my-registry.example.com",
+            username=None,
+            password=None,
+            token=None,
+        )
+        mock_adapter.list_repositories.assert_called_once()
+
     def test_build_status_extended(self):
         """Test status message content for different finding types."""
         provider = _make_provider()
@@ -659,6 +677,27 @@ class TestImageProviderRegistryAuth:
             assert "Docker login" in output
 
 
+class TestStripScheme:
+    @pytest.mark.parametrize(
+        "raw,expected",
+        [
+            ("https://my-registry.example.com", "my-registry.example.com"),
+            ("http://my-registry.example.com", "my-registry.example.com"),
+            ("HTTPS://My-Registry.Example.Com", "My-Registry.Example.Com"),
+            ("Http://localhost:5000", "localhost:5000"),
+            ("my-registry.example.com", "my-registry.example.com"),
+            ("https://", ""),
+            ("https://https://nested.example.com", "https://nested.example.com"),
+            (
+                "ftp://not-a-supported-scheme.example.com",
+                "ftp://not-a-supported-scheme.example.com",
+            ),
+        ],
+    )
+    def test_strip_scheme(self, raw, expected):
+        assert ImageProvider._strip_scheme(raw) == expected
+
+
 class TestExtractRegistry:
     def test_docker_hub_simple(self):
         assert ImageProvider._extract_registry("alpine:3.18") is None
@@ -698,6 +737,24 @@ class TestExtractRegistry:
     def test_bare_image_name(self):
         assert ImageProvider._extract_registry("nginx") is None
 
+    def test_https_scheme_bare_hostname_returns_none(self):
+        """Bare scheme-prefixed hostname has no image path, so no registry is extracted."""
+        assert (
+            ImageProvider._extract_registry("https://my-registry.example.com") is None
+        )
+
+    def test_http_scheme_with_port_stripped(self):
+        assert (
+            ImageProvider._extract_registry("http://localhost:5000/myimage:latest")
+            == "localhost:5000"
+        )
+
+    def test_https_scheme_with_path_stripped(self):
+        assert (
+            ImageProvider._extract_registry("https://ghcr.io/org/image:tag")
+            == "ghcr.io"
+        )
+
 
 class TestIsRegistryUrl:
     def test_bare_ecr_hostname(self):
@@ -728,6 +785,16 @@ class TestIsRegistryUrl:
     def test_dockerhub_namespace(self):
         assert not ImageProvider._is_registry_url("library/alpine")
 
+    def test_https_scheme_bare_hostname(self):
+        assert ImageProvider._is_registry_url("https://my-registry.example.com")
+
+    def test_http_scheme_bare_hostname_with_port(self):
+        assert ImageProvider._is_registry_url("http://my-registry.example.com:5000")
+
+    def test_https_scheme_image_reference_not_registry(self):
+        """A scheme-prefixed full image reference is still an image, not a registry URL."""
+        assert not ImageProvider._is_registry_url("https://ghcr.io/myorg/repo:tag")
+
 
 class TestTestRegistryConnection:
     @patch("prowler.providers.image.image_provider.create_registry_adapter")

From 86449fb99d0b4ffdbce827e69965422e4e7d21d5 Mon Sep 17 00:00:00 2001
From: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Date: Mon, 4 May 2026 08:56:50 +0200
Subject: [PATCH 09/29] chore(vercel): add disclaimer for checks depending on
 billing plan (#10663)

---
 .../check-metadata-guidelines.mdx             |  3 +
 docs/developer-guide/checks.mdx               |  2 +-
 .../vercel/getting-started-vercel.mdx         | 22 +++++
 prowler/CHANGELOG.md                          |  1 +
 prowler/lib/check/models.py                   | 28 +++---
 prowler/providers/vercel/lib/billing.py       | 27 ++++++
 .../providers/vercel/lib/service/service.py   |  6 +-
 prowler/providers/vercel/models.py            | 19 ++++
 ...thentication_no_stale_tokens.metadata.json |  3 +-
 ...entication_token_not_expired.metadata.json |  3 +-
 ...roduction_uses_stable_target.metadata.json |  3 +-
 ...main_dns_properly_configured.metadata.json |  3 +-
 ...domain_ssl_certificate_valid.metadata.json |  3 +-
 .../domain_verified.metadata.json             |  3 +-
 ...o_expose_system_env_disabled.metadata.json |  3 +-
 ...eployment_protection_enabled.metadata.json |  3 +-
 ...t_directory_listing_disabled.metadata.json |  3 +-
 ...nment_no_overly_broad_target.metadata.json |  3 +-
 ...ent_no_secrets_in_plain_type.metadata.json |  3 +-
 ...oduction_vars_not_in_preview.metadata.json |  3 +-
 ..._git_fork_protection_enabled.metadata.json |  3 +-
 ..._password_protection_enabled.metadata.json |  5 +-
 .../project_password_protection_enabled.py    |  2 +
 ...eployment_protection_enabled.metadata.json |  5 +-
 ...roduction_deployment_protection_enabled.py |  2 +
 .../services/project/project_service.py       | 11 ++-
 ...ject_skew_protection_enabled.metadata.json |  5 +-
 .../project_skew_protection_enabled.py        |  2 +
 ...rity_custom_rules_configured.metadata.json |  5 +-
 .../security_custom_rules_configured.py       | 12 ++-
 ...ip_blocking_rules_configured.metadata.json |  5 +-
 .../security_ip_blocking_rules_configured.py  | 12 ++-
 ...ity_managed_rulesets_enabled.metadata.json | 11 ++-
 .../security_managed_rulesets_enabled.py      | 13 ++-
 ...ity_rate_limiting_configured.metadata.json |  5 +-
 .../security_rate_limiting_configured.py      | 12 ++-
 .../services/security/security_service.py     | 12 ++-
 .../security_waf_enabled.metadata.json        |  5 +-
 .../security_waf_enabled.py                   |  9 +-
 .../team_directory_sync_enabled.metadata.json |  5 +-
 .../team_directory_sync_enabled.py            |  2 +
 ..._member_role_least_privilege.metadata.json |  3 +-
 .../team_no_stale_invitations.metadata.json   |  3 +-
 .../team_saml_sso_enabled.metadata.json       |  5 +-
 .../team_saml_sso_enabled.py                  |  2 +
 .../team_saml_sso_enforced.metadata.json      |  5 +-
 .../team_saml_sso_enforced.py                 |  2 +
 .../vercel/services/team/team_service.py      |  3 +
 prowler/providers/vercel/vercel_provider.py   |  5 +
 tests/lib/check/models_test.py                | 46 ++++++++-
 .../vercel/lib/service/vercel_service_test.py | 29 ++++++
 ...roject_password_protection_enabled_test.py | 38 ++++++++
 ...tion_deployment_protection_enabled_test.py | 38 ++++++++
 .../services/project/project_service_test.py  | 67 +++++++++++++
 .../project_skew_protection_enabled_test.py   | 38 ++++++++
 .../security_custom_rules_configured_test.py  | 38 ++++++++
 ...urity_ip_blocking_rules_configured_test.py | 38 ++++++++
 .../security_managed_rulesets_enabled_test.py | 42 +++++++-
 .../security_rate_limiting_configured_test.py | 38 ++++++++
 .../security/security_service_test.py         |  8 +-
 .../security_waf_enabled_test.py              | 80 +++++++++++++++
 .../team_directory_sync_enabled_test.py       | 38 ++++++++
 .../team_saml_sso_enabled_test.py             | 39 ++++++++
 .../team_saml_sso_enforced_test.py            | 38 ++++++++
 tests/providers/vercel/vercel_fixtures.py     | 19 +++-
 .../providers/vercel/vercel_metadata_test.py  | 97 +++++++++++++++++++
 66 files changed, 968 insertions(+), 78 deletions(-)
 create mode 100644 prowler/providers/vercel/lib/billing.py
 create mode 100644 tests/providers/vercel/lib/service/vercel_service_test.py
 create mode 100644 tests/providers/vercel/vercel_metadata_test.py

diff --git a/docs/developer-guide/check-metadata-guidelines.mdx b/docs/developer-guide/check-metadata-guidelines.mdx
index bac16f6fc0..85b84620d5 100644
--- a/docs/developer-guide/check-metadata-guidelines.mdx
+++ b/docs/developer-guide/check-metadata-guidelines.mdx
@@ -215,3 +215,6 @@ Also is important to keep all code examples as short as possible, including the
 | e5                      | M365 and Azure Entra checks enabled by or dependent on an E5 license (e.g., advanced threat protection, audit, DLP, and eDiscovery)                                                                    |
 | privilege-escalation    | Detects IAM policies or permissions that allow identities to elevate their privileges beyond their intended scope, potentially gaining administrator or higher-level access through specific action combinations |
 | ec2-imdsv1              | Identifies EC2 instances using Instance Metadata Service version 1 (IMDSv1), which is vulnerable to SSRF attacks and should be replaced with IMDSv2 for enhanced security                        |
+| vercel-hobby-plan       | Vercel checks whose audited feature is available on the Hobby plan (and therefore also on Pro and Enterprise plans)                                                                                   |
+| vercel-pro-plan         | Vercel checks whose audited feature requires a Pro plan or higher, including features also available on Enterprise or via supported paid add-ons for Pro plans                                        |
+| vercel-enterprise-plan  | Vercel checks whose audited feature requires the Enterprise plan                                                                                                                                    |
diff --git a/docs/developer-guide/checks.mdx b/docs/developer-guide/checks.mdx
index da469678fa..956dc293d1 100644
--- a/docs/developer-guide/checks.mdx
+++ b/docs/developer-guide/checks.mdx
@@ -387,7 +387,7 @@ Provides both code examples and best practice recommendations for addressing the
 
 #### Categories
 
-One or more functional groupings used for execution filtering (e.g., `internet-exposed`). You can define new categories just by adding to this field.
+One or more functional groupings used for execution filtering (e.g., `internet-exposed`). Categories must match the predefined values enforced by `CheckMetadata`; adding a new category requires updating the validator and the metadata documentation.
 
 For the complete list of available categories, see [Categories Guidelines](/developer-guide/check-metadata-guidelines#categories-guidelines).
 
diff --git a/docs/user-guide/providers/vercel/getting-started-vercel.mdx b/docs/user-guide/providers/vercel/getting-started-vercel.mdx
index ddec26e6dc..8a6fdecc22 100644
--- a/docs/user-guide/providers/vercel/getting-started-vercel.mdx
+++ b/docs/user-guide/providers/vercel/getting-started-vercel.mdx
@@ -160,3 +160,25 @@ Prowler for Vercel includes security checks across the following services:
 | **Project** | Deployment protection, environment variable security, fork protection, and skew protection |
 | **Security** | Web Application Firewall (WAF), rate limiting, IP blocking, and managed rulesets |
 | **Team** | SSO enforcement, directory sync, member access, and invitation hygiene |
+
+## Checks With Explicit Plan-Based Behavior
+
+Prowler currently includes 26 Vercel checks. The 11 checks below have explicit billing-plan handling in the provider metadata or check logic. When the scanned scope reports a billing plan, Prowler adds plan-aware context to findings for these checks. If the API does not expose the required configuration, Prowler may return `MANUAL` and require verification in the Vercel dashboard.
+
+| Check ID | Hobby | Pro | Enterprise | Notes |
+|----------|-------|-----|------------|-------|
+| `project_password_protection_enabled` | Not available | Available as a paid add-on | Available | Checks password protection for deployments |
+| `project_production_deployment_protection_enabled` | Not available | Available with supported paid deployment protection options | Available | Checks protection for production deployments |
+| `project_skew_protection_enabled` | Not available | Available | Available | Checks skew protection during rollouts |
+| `security_custom_rules_configured` | Not available | Available | Available | Returns `MANUAL` when the firewall configuration cannot be assessed from the API |
+| `security_ip_blocking_rules_configured` | Not available | Available | Available | Returns `MANUAL` when the firewall configuration cannot be assessed from the API |
+| `team_saml_sso_enabled` | Not available | Available | Available | Checks team SAML SSO configuration |
+| `team_saml_sso_enforced` | Not available | Available | Available | Checks SAML SSO enforcement for all team members |
+| `team_directory_sync_enabled` | Not available | Not available | Available | Checks SCIM directory sync |
+| `security_managed_rulesets_enabled` | Bot Protection and AI Bots managed rulesets | Bot Protection and AI Bots managed rulesets | All managed rulesets, including OWASP Core Ruleset | Returns `MANUAL` when the firewall configuration cannot be assessed from the API |
+| `security_rate_limiting_configured` | Not available | Available | Available | Returns `MANUAL` when the firewall configuration cannot be assessed from the API |
+| `security_waf_enabled` | Not available | Available | Available | Returns `MANUAL` when the firewall configuration cannot be assessed from the API |
+
+<Note>
+The five firewall-related checks (`security_waf_enabled`, `security_custom_rules_configured`, `security_ip_blocking_rules_configured`, `security_rate_limiting_configured`, and `security_managed_rulesets_enabled`) return `MANUAL` when the firewall configuration endpoint is not accessible from the API. The other 15 current Vercel checks do not currently include plan-specific handling in provider logic, but every Vercel check includes exactly one billing-plan metadata category (`vercel-hobby-plan`, `vercel-pro-plan`, or `vercel-enterprise-plan`) alongside its functional security category.
+</Note>
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index d49c7eb43c..643aeb518e 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -9,6 +9,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `bedrock_guardrails_configured` check for AWS provider [(#10844)](https://github.com/prowler-cloud/prowler/pull/10844)
 - Universal compliance pipeline integrated into the CLI: `--list-compliance` and `--list-compliance-requirements` show universal frameworks, and CSV plus OCSF outputs are generated for any framework declaring a `TableConfig` [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
 - ASD Essential Eight Maturity Model compliance framework for AWS (Maturity Level One, Nov 2023) [(#10808)](https://github.com/prowler-cloud/prowler/pull/10808)
+- Update Vercel checks to return personalized finding status extended depending on billing plan and classify them with billing-plan categories [(#10663)](https://github.com/prowler-cloud/prowler/pull/10663)
 
 ### 🔄 Changed
 
diff --git a/prowler/lib/check/models.py b/prowler/lib/check/models.py
index dba664d298..f5f0ff87e8 100644
--- a/prowler/lib/check/models.py
+++ b/prowler/lib/check/models.py
@@ -62,6 +62,9 @@ VALID_CATEGORIES = frozenset(
         "e5",
         "privilege-escalation",
         "ec2-imdsv1",
+        "vercel-hobby-plan",
+        "vercel-pro-plan",
+        "vercel-enterprise-plan",
     }
 )
 
@@ -244,14 +247,15 @@ class CheckMetadata(BaseModel):
     # store the compliance later if supplied
     Compliance: Optional[list[Any]] = Field(default_factory=list)
 
+    # TODO: Remove noqa and fix cls vulture errors
     @validator("Categories", each_item=True, pre=True, always=True)
-    def valid_category(cls, value, values):
+    def valid_category(cls, value, values):  # noqa: F841
         if not isinstance(value, str):
             raise ValueError("Categories must be a list of strings")
         value_lower = value.lower()
         if not re.match("^[a-z0-9-]+$", value_lower):
             raise ValueError(
-                f"Invalid category: {value}. Categories can only contain lowercase letters, numbers and hyphen '-'"
+                f"Invalid category: {value}. Categories can only contain lowercase letters, numbers, and hyphen '-'"
             )
         if (
             value_lower not in VALID_CATEGORIES
@@ -279,7 +283,7 @@ class CheckMetadata(BaseModel):
         return resource_type
 
     @validator("ServiceName", pre=True, always=True)
-    def validate_service_name(cls, service_name, values):
+    def validate_service_name(cls, service_name, values):  # noqa: F841
         if not service_name:
             raise ValueError("ServiceName must be a non-empty string")
 
@@ -296,7 +300,7 @@ class CheckMetadata(BaseModel):
         return service_name
 
     @validator("CheckID", pre=True, always=True)
-    def valid_check_id(cls, check_id, values):
+    def valid_check_id(cls, check_id, values):  # noqa: F841
         if not check_id:
             raise ValueError("CheckID must be a non-empty string")
 
@@ -309,7 +313,7 @@ class CheckMetadata(BaseModel):
         return check_id
 
     @validator("CheckTitle", pre=True, always=True)
-    def validate_check_title(cls, check_title, values):
+    def validate_check_title(cls, check_title, values):  # noqa: F841
         if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
             if len(check_title) > 150:
                 raise ValueError(
@@ -322,13 +326,13 @@ class CheckMetadata(BaseModel):
         return check_title
 
     @validator("RelatedUrl", pre=True, always=True)
-    def validate_related_url(cls, related_url, values):
+    def validate_related_url(cls, related_url, values):  # noqa: F841
         if related_url and values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
             raise ValueError("RelatedUrl must be empty. This field is deprecated.")
         return related_url
 
     @validator("Remediation")
-    def validate_recommendation_url(cls, remediation, values):
+    def validate_recommendation_url(cls, remediation, values):  # noqa: F841
         if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
             url = remediation.Recommendation.Url
             if url and not url.startswith("https://hub.prowler.com/"):
@@ -338,7 +342,7 @@ class CheckMetadata(BaseModel):
         return remediation
 
     @validator("CheckType", pre=True, always=True)
-    def validate_check_type(cls, check_type, values):
+    def validate_check_type(cls, check_type, values):  # noqa: F841
         provider = values.get("Provider", "").lower()
 
         # Non-AWS providers must have an empty CheckType list
@@ -367,7 +371,7 @@ class CheckMetadata(BaseModel):
         return check_type
 
     @validator("Description", pre=True, always=True)
-    def validate_description(cls, description, values):
+    def validate_description(cls, description, values):  # noqa: F841
         if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
             if len(description) > 400:
                 raise ValueError(
@@ -376,7 +380,7 @@ class CheckMetadata(BaseModel):
         return description
 
     @validator("Risk", pre=True, always=True)
-    def validate_risk(cls, risk, values):
+    def validate_risk(cls, risk, values):  # noqa: F841
         if values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS:
             if len(risk) > 400:
                 raise ValueError(
@@ -385,7 +389,7 @@ class CheckMetadata(BaseModel):
         return risk
 
     @validator("ResourceGroup", pre=True, always=True)
-    def validate_resource_group(cls, resource_group):
+    def validate_resource_group(cls, resource_group):  # noqa: F841
         if resource_group and resource_group not in VALID_RESOURCE_GROUPS:
             raise ValueError(
                 f"Invalid ResourceGroup: '{resource_group}'. Must be one of: {', '.join(sorted(VALID_RESOURCE_GROUPS))} or empty string."
@@ -393,7 +397,7 @@ class CheckMetadata(BaseModel):
         return resource_group
 
     @validator("AdditionalURLs", pre=True, always=True)
-    def validate_additional_urls(cls, additional_urls):
+    def validate_additional_urls(cls, additional_urls):  # noqa: F841
         if not isinstance(additional_urls, list):
             raise ValueError("AdditionalURLs must be a list")
 
diff --git a/prowler/providers/vercel/lib/billing.py b/prowler/providers/vercel/lib/billing.py
new file mode 100644
index 0000000000..4e7170dbe6
--- /dev/null
+++ b/prowler/providers/vercel/lib/billing.py
@@ -0,0 +1,27 @@
+from typing import Optional
+
+
+def extract_billing_plan(data: Optional[dict]) -> Optional[str]:
+    """Return the Vercel billing plan from a user or team payload.
+
+    Vercel's REST API consistently returns the plan identifier at
+    ``data["billing"]["plan"]`` (e.g. ``"hobby"``, ``"pro"``, ``"enterprise"``)
+    on both ``GET /v2/user`` and ``GET /v2/teams`` responses, even though the
+    field is not part of the public OpenAPI schema.
+    """
+    if not isinstance(data, dict):
+        return None
+    billing = data.get("billing")
+    if not isinstance(billing, dict):
+        return None
+    plan = billing.get("plan")
+    return plan.lower() if isinstance(plan, str) else None
+
+
+def plan_reason_suffix(
+    billing_plan: Optional[str], unsupported_plans: set[str], explanation: str
+) -> str:
+    """Return a plan-based explanation suffix only when the plan proves it."""
+    if billing_plan in unsupported_plans:
+        return f" This may be expected because {explanation}"
+    return ""
diff --git a/prowler/providers/vercel/lib/service/service.py b/prowler/providers/vercel/lib/service/service.py
index aaf4d2625c..7fd9ced264 100644
--- a/prowler/providers/vercel/lib/service/service.py
+++ b/prowler/providers/vercel/lib/service/service.py
@@ -84,10 +84,10 @@ class VercelService:
                     )
 
                 if response.status_code == 403:
-                    # Plan limitation or permission error — return None for graceful handling
-                    logger.warning(
+                    # Endpoint unavailable for this token/scope; let checks handle it gracefully
+                    logger.info(
                         f"{self.service} - Access denied for {path} (403). "
-                        "This may be a plan limitation."
+                        "This may be caused by plan or permission restrictions."
                     )
                     return None
 
diff --git a/prowler/providers/vercel/models.py b/prowler/providers/vercel/models.py
index 5f0e207f19..5f730bde76 100644
--- a/prowler/providers/vercel/models.py
+++ b/prowler/providers/vercel/models.py
@@ -21,6 +21,7 @@ class VercelTeamInfo(BaseModel):
     id: str
     name: str
     slug: str
+    billing_plan: Optional[str] = None
 
 
 class VercelIdentityInfo(BaseModel):
@@ -29,9 +30,27 @@ class VercelIdentityInfo(BaseModel):
     user_id: Optional[str] = None
     username: Optional[str] = None
     email: Optional[str] = None
+    billing_plan: Optional[str] = None
     team: Optional[VercelTeamInfo] = None
     teams: list[VercelTeamInfo] = Field(default_factory=list)
 
+    def get_billing_plan_for(self, scope_id: Optional[str]) -> Optional[str]:
+        """Return the billing plan for an explicit user or team scope."""
+        if not scope_id:
+            return None
+
+        if self.team and self.team.id == scope_id and self.team.billing_plan:
+            return self.team.billing_plan
+
+        for team in self.teams:
+            if team.id == scope_id:
+                return team.billing_plan
+
+        if self.user_id == scope_id:
+            return self.billing_plan
+
+        return None
+
 
 class VercelOutputOptions(ProviderOutputOptions):
     """Customize output filenames for Vercel scans."""
diff --git a/prowler/providers/vercel/services/authentication/authentication_no_stale_tokens/authentication_no_stale_tokens.metadata.json b/prowler/providers/vercel/services/authentication/authentication_no_stale_tokens/authentication_no_stale_tokens.metadata.json
index f4863ada5f..d2292216f3 100644
--- a/prowler/providers/vercel/services/authentication/authentication_no_stale_tokens/authentication_no_stale_tokens.metadata.json
+++ b/prowler/providers/vercel/services/authentication/authentication_no_stale_tokens/authentication_no_stale_tokens.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/authentication/authentication_token_not_expired/authentication_token_not_expired.metadata.json b/prowler/providers/vercel/services/authentication/authentication_token_not_expired/authentication_token_not_expired.metadata.json
index 47e5087cf5..c3288d968d 100644
--- a/prowler/providers/vercel/services/authentication/authentication_token_not_expired/authentication_token_not_expired.metadata.json
+++ b/prowler/providers/vercel/services/authentication/authentication_token_not_expired/authentication_token_not_expired.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/deployment/deployment_production_uses_stable_target/deployment_production_uses_stable_target.metadata.json b/prowler/providers/vercel/services/deployment/deployment_production_uses_stable_target/deployment_production_uses_stable_target.metadata.json
index 25416e6882..bb9b1a3b60 100644
--- a/prowler/providers/vercel/services/deployment/deployment_production_uses_stable_target/deployment_production_uses_stable_target.metadata.json
+++ b/prowler/providers/vercel/services/deployment/deployment_production_uses_stable_target/deployment_production_uses_stable_target.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/vercel/services/domain/domain_dns_properly_configured/domain_dns_properly_configured.metadata.json b/prowler/providers/vercel/services/domain/domain_dns_properly_configured/domain_dns_properly_configured.metadata.json
index e2450da8f1..28f151b2e6 100644
--- a/prowler/providers/vercel/services/domain/domain_dns_properly_configured/domain_dns_properly_configured.metadata.json
+++ b/prowler/providers/vercel/services/domain/domain_dns_properly_configured/domain_dns_properly_configured.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/domain/domain_ssl_certificate_valid/domain_ssl_certificate_valid.metadata.json b/prowler/providers/vercel/services/domain/domain_ssl_certificate_valid/domain_ssl_certificate_valid.metadata.json
index ac683cd71f..ae8d2750a8 100644
--- a/prowler/providers/vercel/services/domain/domain_ssl_certificate_valid/domain_ssl_certificate_valid.metadata.json
+++ b/prowler/providers/vercel/services/domain/domain_ssl_certificate_valid/domain_ssl_certificate_valid.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "encryption"
+    "encryption",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/domain/domain_verified/domain_verified.metadata.json b/prowler/providers/vercel/services/domain/domain_verified/domain_verified.metadata.json
index 1e79a433ba..f5f1aace08 100644
--- a/prowler/providers/vercel/services/domain/domain_verified/domain_verified.metadata.json
+++ b/prowler/providers/vercel/services/domain/domain_verified/domain_verified.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/project/project_auto_expose_system_env_disabled/project_auto_expose_system_env_disabled.metadata.json b/prowler/providers/vercel/services/project/project_auto_expose_system_env_disabled/project_auto_expose_system_env_disabled.metadata.json
index 21c3f118e1..36e128caae 100644
--- a/prowler/providers/vercel/services/project/project_auto_expose_system_env_disabled/project_auto_expose_system_env_disabled.metadata.json
+++ b/prowler/providers/vercel/services/project/project_auto_expose_system_env_disabled/project_auto_expose_system_env_disabled.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/vercel/services/project/project_deployment_protection_enabled/project_deployment_protection_enabled.metadata.json b/prowler/providers/vercel/services/project/project_deployment_protection_enabled/project_deployment_protection_enabled.metadata.json
index 521610c617..55b5fc917c 100644
--- a/prowler/providers/vercel/services/project/project_deployment_protection_enabled/project_deployment_protection_enabled.metadata.json
+++ b/prowler/providers/vercel/services/project/project_deployment_protection_enabled/project_deployment_protection_enabled.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/project/project_directory_listing_disabled/project_directory_listing_disabled.metadata.json b/prowler/providers/vercel/services/project/project_directory_listing_disabled/project_directory_listing_disabled.metadata.json
index b477a5984f..a2558ed667 100644
--- a/prowler/providers/vercel/services/project/project_directory_listing_disabled/project_directory_listing_disabled.metadata.json
+++ b/prowler/providers/vercel/services/project/project_directory_listing_disabled/project_directory_listing_disabled.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/vercel/services/project/project_environment_no_overly_broad_target/project_environment_no_overly_broad_target.metadata.json b/prowler/providers/vercel/services/project/project_environment_no_overly_broad_target/project_environment_no_overly_broad_target.metadata.json
index c9a418a503..5dc15b12aa 100644
--- a/prowler/providers/vercel/services/project/project_environment_no_overly_broad_target/project_environment_no_overly_broad_target.metadata.json
+++ b/prowler/providers/vercel/services/project/project_environment_no_overly_broad_target/project_environment_no_overly_broad_target.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "secrets"
+    "secrets",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/project/project_environment_no_secrets_in_plain_type/project_environment_no_secrets_in_plain_type.metadata.json b/prowler/providers/vercel/services/project/project_environment_no_secrets_in_plain_type/project_environment_no_secrets_in_plain_type.metadata.json
index 90fea53eea..0e3e654f93 100644
--- a/prowler/providers/vercel/services/project/project_environment_no_secrets_in_plain_type/project_environment_no_secrets_in_plain_type.metadata.json
+++ b/prowler/providers/vercel/services/project/project_environment_no_secrets_in_plain_type/project_environment_no_secrets_in_plain_type.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "secrets"
+    "secrets",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/project/project_environment_production_vars_not_in_preview/project_environment_production_vars_not_in_preview.metadata.json b/prowler/providers/vercel/services/project/project_environment_production_vars_not_in_preview/project_environment_production_vars_not_in_preview.metadata.json
index 6fc3e3af79..5b99fe00d6 100644
--- a/prowler/providers/vercel/services/project/project_environment_production_vars_not_in_preview/project_environment_production_vars_not_in_preview.metadata.json
+++ b/prowler/providers/vercel/services/project/project_environment_production_vars_not_in_preview/project_environment_production_vars_not_in_preview.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "secrets"
+    "secrets",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
diff --git a/prowler/providers/vercel/services/project/project_git_fork_protection_enabled/project_git_fork_protection_enabled.metadata.json b/prowler/providers/vercel/services/project/project_git_fork_protection_enabled/project_git_fork_protection_enabled.metadata.json
index 8e3db04fcd..37bbc7b8c6 100644
--- a/prowler/providers/vercel/services/project/project_git_fork_protection_enabled/project_git_fork_protection_enabled.metadata.json
+++ b/prowler/providers/vercel/services/project/project_git_fork_protection_enabled/project_git_fork_protection_enabled.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.metadata.json b/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.metadata.json
index 2db77410d9..edd12c67f0 100644
--- a/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.metadata.json
+++ b/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.metadata.json
@@ -28,11 +28,12 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "project_deployment_protection_enabled"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Enterprise, or as a paid add-on for Pro plans."
 }
diff --git a/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.py b/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.py
index 86c0778408..e5313c6182 100644
--- a/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.py
+++ b/prowler/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.project.project_client import project_client
 
 
@@ -38,6 +39,7 @@ class project_password_protection_enabled(Check):
                 report.status_extended = (
                     f"Project {project.name} does not have password protection "
                     f"configured for deployments."
+                    f"{plan_reason_suffix(project.billing_plan, {'hobby'}, 'password protection is not available on the Vercel Hobby plan.')}"
                 )
 
             findings.append(report)
diff --git a/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.metadata.json b/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.metadata.json
index 3760eefb57..20c1fac713 100644
--- a/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.metadata.json
+++ b/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.metadata.json
@@ -28,11 +28,12 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "project_deployment_protection_enabled"
   ],
-  "Notes": ""
+  "Notes": "Protecting production deployments requires Enterprise, or Pro plans with supported paid deployment protection options."
 }
diff --git a/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.py b/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.py
index ccbfd15325..bb0924266e 100644
--- a/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.py
+++ b/prowler/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.project.project_client import project_client
 
 
@@ -38,6 +39,7 @@ class project_production_deployment_protection_enabled(Check):
                 report.status_extended = (
                     f"Project {project.name} does not have deployment protection "
                     f"enabled on production deployments."
+                    f"{plan_reason_suffix(project.billing_plan, {'hobby'}, 'protecting production deployments is not available on the Vercel Hobby plan.')}"
                 )
 
             findings.append(report)
diff --git a/prowler/providers/vercel/services/project/project_service.py b/prowler/providers/vercel/services/project/project_service.py
index e139a2a939..6cc3a36418 100644
--- a/prowler/providers/vercel/services/project/project_service.py
+++ b/prowler/providers/vercel/services/project/project_service.py
@@ -20,6 +20,7 @@ class Project(VercelService):
         """List all projects, optionally filtered by --project argument."""
         try:
             raw_projects = self._paginate("/v9/projects", "projects")
+            identity = getattr(self.provider, "identity", None)
 
             filter_projects = self.provider.filter_projects
             seen_ids: set[str] = set()
@@ -57,10 +58,17 @@ class Project(VercelService):
                 pwd_protection = proj.get("passwordProtection")
                 security = proj.get("security", {}) or {}
 
+                project_team_id = proj.get("accountId") or self.provider.session.team_id
+
                 self.projects[project_id] = VercelProject(
                     id=project_id,
                     name=project_name,
-                    team_id=proj.get("accountId") or self.provider.session.team_id,
+                    team_id=project_team_id,
+                    billing_plan=(
+                        identity.get_billing_plan_for(project_team_id)
+                        if identity
+                        else None
+                    ),
                     framework=proj.get("framework"),
                     node_version=proj.get("nodeVersion"),
                     auto_expose_system_envs=proj.get("autoExposeSystemEnvs", False),
@@ -160,6 +168,7 @@ class VercelProject(BaseModel):
     id: str
     name: str
     team_id: Optional[str] = None
+    billing_plan: Optional[str] = None
     framework: Optional[str] = None
     node_version: Optional[str] = None
     auto_expose_system_envs: bool = False
diff --git a/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.metadata.json b/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.metadata.json
index a0a4f70cee..01e38c03c4 100644
--- a/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.metadata.json
+++ b/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.metadata.json
@@ -28,9 +28,10 @@
     }
   },
   "Categories": [
-    "resilience"
+    "resilience",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "Required billing plan: Pro or Enterprise."
 }
diff --git a/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.py b/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.py
index f4e878ba5c..3f7a2d0ddb 100644
--- a/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.py
+++ b/prowler/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.project.project_client import project_client
 
 
@@ -34,6 +35,7 @@ class project_skew_protection_enabled(Check):
                 report.status_extended = (
                     f"Project {project.name} does not have skew protection enabled, "
                     f"which may cause version mismatches during deployments."
+                    f"{plan_reason_suffix(project.billing_plan, {'hobby'}, 'skew protection is not available on the Vercel Hobby plan.')}"
                 )
 
             findings.append(report)
diff --git a/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.metadata.json b/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.metadata.json
index a4b53baf4f..615f40843a 100644
--- a/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.metadata.json
+++ b/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.metadata.json
@@ -28,11 +28,12 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "security_waf_enabled"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Pro or Enterprise."
 }
diff --git a/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.py b/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.py
index 6ec7f8834f..a525c93f0a 100644
--- a/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.py
+++ b/prowler/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.security.security_client import security_client
 
 
@@ -24,7 +25,16 @@ class security_custom_rules_configured(Check):
         for config in security_client.firewall_configs.values():
             report = CheckReportVercel(metadata=self.metadata(), resource=config)
 
-            if config.custom_rules:
+            if not config.firewall_config_accessible:
+                report.status = "MANUAL"
+                report.status_extended = (
+                    f"Project {config.project_name} ({config.project_id}) "
+                    f"could not be assessed for custom firewall rules because the "
+                    f"firewall configuration endpoint was not accessible. "
+                    f"Manual verification is required."
+                    f"{plan_reason_suffix(config.billing_plan, {'hobby'}, 'custom firewall rules are not available on the Vercel Hobby plan.')}"
+                )
+            elif config.custom_rules:
                 report.status = "PASS"
                 report.status_extended = (
                     f"Project {config.project_name} ({config.project_id}) "
diff --git a/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.metadata.json b/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.metadata.json
index a02cd35324..88c609e742 100644
--- a/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.metadata.json
+++ b/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.metadata.json
@@ -28,11 +28,12 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "security_waf_enabled"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Pro or Enterprise."
 }
diff --git a/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.py b/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.py
index 0b89c8d111..443c052354 100644
--- a/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.py
+++ b/prowler/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.security.security_client import security_client
 
 
@@ -25,7 +26,16 @@ class security_ip_blocking_rules_configured(Check):
         for config in security_client.firewall_configs.values():
             report = CheckReportVercel(metadata=self.metadata(), resource=config)
 
-            if config.ip_blocking_rules:
+            if not config.firewall_config_accessible:
+                report.status = "MANUAL"
+                report.status_extended = (
+                    f"Project {config.project_name} ({config.project_id}) "
+                    f"could not be assessed for IP blocking rules because the "
+                    f"firewall configuration endpoint was not accessible. "
+                    f"Manual verification is required."
+                    f"{plan_reason_suffix(config.billing_plan, {'hobby'}, 'IP blocking rules are not available on the Vercel Hobby plan.')}"
+                )
+            elif config.ip_blocking_rules:
                 report.status = "PASS"
                 report.status_extended = (
                     f"Project {config.project_name} ({config.project_id}) "
diff --git a/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.metadata.json b/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.metadata.json
index ee66a3be21..cbd956cd52 100644
--- a/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.metadata.json
+++ b/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.metadata.json
@@ -9,7 +9,7 @@
   "Severity": "high",
   "ResourceType": "NotDefined",
   "ResourceGroup": "security",
-  "Description": "**Vercel projects** are assessed for **managed WAF ruleset** enablement. Managed rulesets are curated by Vercel and provide protection against known attack patterns including **OWASP Top 10** threats. This feature requires an Enterprise plan and reports MANUAL status when unavailable.",
+  "Description": "**Vercel projects** are assessed for **managed WAF ruleset** enablement. Managed rulesets are curated by Vercel and provide protection against known attack patterns including **OWASP Top 10** threats. Availability varies by ruleset, and the check reports MANUAL when the firewall configuration cannot be assessed from the API.",
   "Risk": "Without **managed rulesets** enabled, the firewall lacks curated protection rules against well-known attack patterns. The application relies solely on custom rules, which may miss **new or evolving threats** that managed rulesets are designed to detect and block automatically.",
   "RelatedUrl": "",
   "AdditionalURLs": [
@@ -19,20 +19,21 @@
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "1. Sign in to the Vercel dashboard\n2. Navigate to the project Settings > Security > Firewall\n3. Enable managed rulesets from the available options\n4. Review and configure ruleset sensitivity levels\n5. Note: This feature requires an Enterprise plan",
+      "Other": "1. Sign in to the Vercel dashboard\n2. Navigate to the project Settings > Security > Firewall\n3. Enable the managed rulesets that are available for your plan\n4. Review and configure ruleset sensitivity levels\n5. If the API does not expose firewall configuration for the project, verify the rulesets manually in the dashboard",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Enable managed WAF rulesets to benefit from Vercel-curated protection against common attack patterns. If you are on a plan that does not support managed rulesets, consider upgrading to the Enterprise plan for enhanced security features.",
+      "Text": "Enable the managed WAF rulesets that are available for your Vercel plan to benefit from curated protection against common attack patterns. If the API does not expose firewall configuration for the project, verify the rulesets manually in the dashboard.",
       "Url": "https://hub.prowler.com/check/security_managed_rulesets_enabled"
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "security_waf_enabled"
   ],
-  "Notes": "This check is plan-gated. If the Vercel API returns a 403 for managed rulesets, the check reports MANUAL status indicating that an Enterprise plan is required."
+  "Notes": "Managed ruleset availability varies by ruleset. OWASP Core Ruleset requires Enterprise, while Bot Protection and AI Bots managed rulesets are available on all plans."
 }
diff --git a/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.py b/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.py
index ead4623f4c..f7f476ccad 100644
--- a/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.py
+++ b/prowler/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.security.security_client import security_client
 
 
@@ -17,8 +18,8 @@ class security_managed_rulesets_enabled(Check):
         """Execute the Vercel Managed Rulesets Enabled check.
 
         Iterates over all firewall configurations and checks if managed
-        rulesets are enabled. Reports MANUAL status when the feature is
-        not available due to plan limitations.
+        rulesets are enabled. Reports MANUAL status when the firewall
+        configuration cannot be assessed from the API.
 
         Returns:
             List[CheckReportVercel]: A list of reports for each project.
@@ -27,12 +28,14 @@ class security_managed_rulesets_enabled(Check):
         for config in security_client.firewall_configs.values():
             report = CheckReportVercel(metadata=self.metadata(), resource=config)
 
-            if config.managed_rulesets is None:
+            if not config.firewall_config_accessible:
                 report.status = "MANUAL"
                 report.status_extended = (
                     f"Project {config.project_name} ({config.project_id}) "
-                    f"could not be assessed for managed rulesets. "
-                    f"Enterprise plan required to access this feature."
+                    f"could not be assessed for managed rulesets because the "
+                    f"firewall configuration endpoint was not accessible. "
+                    f"Manual verification is required."
+                    f"{plan_reason_suffix(config.billing_plan, {'hobby', 'pro'}, 'some managed WAF rulesets, including the OWASP Core Ruleset, are only available on Vercel Enterprise plans.')}"
                 )
             elif config.managed_rulesets:
                 report.status = "PASS"
diff --git a/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.metadata.json b/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.metadata.json
index 8a804233a5..637502ab6f 100644
--- a/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.metadata.json
+++ b/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.metadata.json
@@ -28,11 +28,12 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "security_waf_enabled"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Pro or Enterprise."
 }
diff --git a/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.py b/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.py
index 3e6419666c..6e37fd2779 100644
--- a/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.py
+++ b/prowler/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.security.security_client import security_client
 
 
@@ -24,7 +25,16 @@ class security_rate_limiting_configured(Check):
         for config in security_client.firewall_configs.values():
             report = CheckReportVercel(metadata=self.metadata(), resource=config)
 
-            if config.rate_limiting_rules:
+            if not config.firewall_config_accessible:
+                report.status = "MANUAL"
+                report.status_extended = (
+                    f"Project {config.project_name} ({config.project_id}) "
+                    f"could not be assessed for rate limiting rules because the "
+                    f"firewall configuration endpoint was not accessible. "
+                    f"Manual verification is required."
+                    f"{plan_reason_suffix(config.billing_plan, {'hobby'}, 'rate limiting rules are not available on the Vercel Hobby plan.')}"
+                )
+            elif config.rate_limiting_rules:
                 report.status = "PASS"
                 report.status_extended = (
                     f"Project {config.project_name} ({config.project_id}) "
diff --git a/prowler/providers/vercel/services/security/security_service.py b/prowler/providers/vercel/services/security/security_service.py
index 3c79f5c2f5..b472dcc811 100644
--- a/prowler/providers/vercel/services/security/security_service.py
+++ b/prowler/providers/vercel/services/security/security_service.py
@@ -29,11 +29,13 @@ class Security(VercelService):
             data = self._read_firewall_config(project)
 
             if data is None:
-                # 403 — plan limitation, store with managed_rulesets=None
+                # Firewall config endpoint unavailable for this project/token
                 self.firewall_configs[project.id] = VercelFirewallConfig(
                     project_id=project.id,
                     project_name=project.name,
                     team_id=project.team_id,
+                    billing_plan=project.billing_plan,
+                    firewall_config_accessible=False,
                     firewall_enabled=False,
                     managed_rulesets=None,
                     name=project.name,
@@ -49,6 +51,8 @@ class Security(VercelService):
                     project_id=project.id,
                     project_name=project.name,
                     team_id=project.team_id,
+                    billing_plan=project.billing_plan,
+                    firewall_config_accessible=True,
                     firewall_enabled=(
                         fallback_firewall_enabled
                         if fallback_firewall_enabled is not None
@@ -93,6 +97,8 @@ class Security(VercelService):
                 project_id=project.id,
                 project_name=project.name,
                 team_id=project.team_id,
+                billing_plan=project.billing_plan,
+                firewall_config_accessible=True,
                 firewall_enabled=firewall_enabled,
                 managed_rulesets=managed,
                 custom_rules=custom_rules,
@@ -246,8 +252,10 @@ class VercelFirewallConfig(BaseModel):
     project_id: str
     project_name: Optional[str] = None
     team_id: Optional[str] = None
+    billing_plan: Optional[str] = None
+    firewall_config_accessible: bool = True
     firewall_enabled: bool = False
-    managed_rulesets: Optional[dict] = None  # None means plan-gated (403)
+    managed_rulesets: Optional[dict] = None  # None means config endpoint unavailable
     custom_rules: list[dict] = Field(default_factory=list)
     ip_blocking_rules: list[dict] = Field(default_factory=list)
     rate_limiting_rules: list[dict] = Field(default_factory=list)
diff --git a/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.metadata.json b/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.metadata.json
index 7598e7cccd..467edbc66c 100644
--- a/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.metadata.json
+++ b/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.metadata.json
@@ -28,12 +28,13 @@
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "security_managed_rulesets_enabled",
     "security_custom_rules_configured"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Pro or Enterprise."
 }
diff --git a/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.py b/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.py
index 82859a4f5c..9ab93b87ca 100644
--- a/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.py
+++ b/prowler/providers/vercel/services/security/security_waf_enabled/security_waf_enabled.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.security.security_client import security_client
 
 
@@ -24,13 +25,15 @@ class security_waf_enabled(Check):
         for config in security_client.firewall_configs.values():
             report = CheckReportVercel(metadata=self.metadata(), resource=config)
 
-            if config.managed_rulesets is None:
-                # 403 — plan limitation, cannot determine WAF status
+            if not config.firewall_config_accessible:
+                # Firewall config could not be retrieved for this project
                 report.status = "MANUAL"
                 report.status_extended = (
                     f"Project {config.project_name} ({config.project_id}) "
-                    f"could not be checked for WAF status due to plan limitations. "
+                    f"could not be checked for WAF status because the firewall "
+                    f"configuration endpoint was not accessible. "
                     f"Manual verification is required."
+                    f"{plan_reason_suffix(config.billing_plan, {'hobby'}, 'the Web Application Firewall is not available on the Vercel Hobby plan.')}"
                 )
             elif config.firewall_enabled:
                 report.status = "PASS"
diff --git a/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.metadata.json b/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.metadata.json
index fda5c7b94d..ed0ce1470d 100644
--- a/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.metadata.json
+++ b/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.metadata.json
@@ -29,11 +29,12 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-enterprise-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "team_saml_sso_enabled"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Enterprise."
 }
diff --git a/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.py b/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.py
index 101922b6ed..d185de4971 100644
--- a/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.py
+++ b/prowler/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.team.team_client import team_client
 
 
@@ -40,6 +41,7 @@ class team_directory_sync_enabled(Check):
                 report.status_extended = (
                     f"Team {team.name} does not have directory sync (SCIM) enabled. "
                     f"User provisioning and deprovisioning must be managed manually."
+                    f"{plan_reason_suffix(team.billing_plan, {'hobby', 'pro'}, 'directory sync (SCIM) is only available on Vercel Enterprise plans.')}"
                 )
 
             findings.append(report)
diff --git a/prowler/providers/vercel/services/team/team_member_role_least_privilege/team_member_role_least_privilege.metadata.json b/prowler/providers/vercel/services/team/team_member_role_least_privilege/team_member_role_least_privilege.metadata.json
index 37abf769ef..d648769c1f 100644
--- a/prowler/providers/vercel/services/team/team_member_role_least_privilege/team_member_role_least_privilege.metadata.json
+++ b/prowler/providers/vercel/services/team/team_member_role_least_privilege/team_member_role_least_privilege.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/vercel/services/team/team_no_stale_invitations/team_no_stale_invitations.metadata.json b/prowler/providers/vercel/services/team/team_no_stale_invitations/team_no_stale_invitations.metadata.json
index 16a1d942e1..606f9d863b 100644
--- a/prowler/providers/vercel/services/team/team_no_stale_invitations/team_no_stale_invitations.metadata.json
+++ b/prowler/providers/vercel/services/team/team_no_stale_invitations/team_no_stale_invitations.metadata.json
@@ -28,7 +28,8 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-hobby-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.metadata.json b/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.metadata.json
index 21785bf482..fe66ed48bc 100644
--- a/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.metadata.json
+++ b/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.metadata.json
@@ -29,11 +29,12 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "team_saml_sso_enforced"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Pro or Enterprise."
 }
diff --git a/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.py b/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.py
index 8a979ec66d..38960efa8c 100644
--- a/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.py
+++ b/prowler/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.team.team_client import team_client
 
 
@@ -38,6 +39,7 @@ class team_saml_sso_enabled(Check):
                 report.status = "FAIL"
                 report.status_extended = (
                     f"Team {team.name} does not have SAML SSO enabled."
+                    f"{plan_reason_suffix(team.billing_plan, {'hobby'}, 'SAML SSO is not available on the Vercel Hobby plan.')}"
                 )
 
             findings.append(report)
diff --git a/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.metadata.json b/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.metadata.json
index feb43bc179..3e69d9da49 100644
--- a/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.metadata.json
+++ b/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.metadata.json
@@ -29,11 +29,12 @@
     }
   },
   "Categories": [
-    "trust-boundaries"
+    "trust-boundaries",
+    "vercel-pro-plan"
   ],
   "DependsOn": [],
   "RelatedTo": [
     "team_saml_sso_enabled"
   ],
-  "Notes": ""
+  "Notes": "Required billing plan: Pro or Enterprise."
 }
diff --git a/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.py b/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.py
index 746ebba387..564f0b5d46 100644
--- a/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.py
+++ b/prowler/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced.py
@@ -1,6 +1,7 @@
 from typing import List
 
 from prowler.lib.check.models import Check, CheckReportVercel
+from prowler.providers.vercel.lib.billing import plan_reason_suffix
 from prowler.providers.vercel.services.team.team_client import team_client
 
 
@@ -43,6 +44,7 @@ class team_saml_sso_enforced(Check):
                 else:
                     report.status_extended = (
                         f"Team {team.name} does not have SAML SSO enforced."
+                        f"{plan_reason_suffix(team.billing_plan, {'hobby'}, 'SAML SSO is not available on the Vercel Hobby plan.')}"
                     )
 
             findings.append(report)
diff --git a/prowler/providers/vercel/services/team/team_service.py b/prowler/providers/vercel/services/team/team_service.py
index 916374ea87..7d8b119def 100644
--- a/prowler/providers/vercel/services/team/team_service.py
+++ b/prowler/providers/vercel/services/team/team_service.py
@@ -4,6 +4,7 @@ from typing import Optional
 from pydantic import BaseModel, Field
 
 from prowler.lib.logger import logger
+from prowler.providers.vercel.lib.billing import extract_billing_plan
 from prowler.providers.vercel.lib.service.service import VercelService
 
 
@@ -67,6 +68,7 @@ class Team(VercelService):
                 id=team_data.get("id", team_id),
                 name=team_data.get("name", ""),
                 slug=team_data.get("slug", ""),
+                billing_plan=extract_billing_plan(team_data),
                 saml=saml_config,
                 directory_sync_enabled=dir_sync,
                 created_at=created_at,
@@ -151,6 +153,7 @@ class VercelTeam(BaseModel):
     id: str
     name: str
     slug: str
+    billing_plan: Optional[str] = None
     saml: Optional[SAMLConfig] = None
     directory_sync_enabled: bool = False
     members: list[VercelTeamMember] = Field(default_factory=list)
diff --git a/prowler/providers/vercel/vercel_provider.py b/prowler/providers/vercel/vercel_provider.py
index 731adef6ed..54ab4627a9 100644
--- a/prowler/providers/vercel/vercel_provider.py
+++ b/prowler/providers/vercel/vercel_provider.py
@@ -20,6 +20,7 @@ from prowler.providers.vercel.exceptions.exceptions import (
     VercelRateLimitError,
     VercelSessionError,
 )
+from prowler.providers.vercel.lib.billing import extract_billing_plan
 from prowler.providers.vercel.lib.mutelist.mutelist import VercelMutelist
 from prowler.providers.vercel.models import (
     VercelIdentityInfo,
@@ -195,6 +196,7 @@ class VercelProvider(Provider):
             user_id = user_data.get("id")
             username = user_data.get("username")
             email = user_data.get("email")
+            billing_plan = extract_billing_plan(user_data)
 
             # Get team info
             team_info = None
@@ -214,6 +216,7 @@ class VercelProvider(Provider):
                         id=team_data.get("id", session.team_id),
                         name=team_data.get("name", ""),
                         slug=team_data.get("slug", ""),
+                        billing_plan=extract_billing_plan(team_data),
                     )
                     all_teams = [team_info]
                 elif team_response.status_code in (404, 403):
@@ -239,6 +242,7 @@ class VercelProvider(Provider):
                                     id=t.get("id", ""),
                                     name=t.get("name", ""),
                                     slug=t.get("slug", ""),
+                                    billing_plan=extract_billing_plan(t),
                                 )
                             )
                         if all_teams:
@@ -253,6 +257,7 @@ class VercelProvider(Provider):
                 user_id=user_id,
                 username=username,
                 email=email,
+                billing_plan=billing_plan,
                 team=team_info,
                 teams=all_teams,
             )
diff --git a/tests/lib/check/models_test.py b/tests/lib/check/models_test.py
index 815479cdfa..71fd1f718b 100644
--- a/tests/lib/check/models_test.py
+++ b/tests/lib/check/models_test.py
@@ -377,6 +377,50 @@ class TestCheckMetadataValidators:
         check_metadata = CheckMetadata(**valid_metadata)
         assert check_metadata.Categories == ["encryption", "logging", "secrets"]
 
+    def test_valid_vercel_plan_categories_success(self):
+        """Test Vercel plan categories are accepted using hyphen-separated names."""
+        valid_metadata = {
+            "Provider": "vercel",
+            "CheckID": "test_check",
+            "CheckTitle": "Test Check",
+            "CheckType": [],
+            "ServiceName": "test",
+            "SubServiceName": "subtest",
+            "ResourceIdTemplate": "template",
+            "Severity": "high",
+            "ResourceType": "TestResource",
+            "Description": "Test description",
+            "Risk": "Test risk",
+            "RelatedUrl": "",
+            "Remediation": {
+                "Code": {
+                    "CLI": "test command",
+                    "NativeIaC": "test native",
+                    "Other": "test other",
+                    "Terraform": "test terraform",
+                },
+                "Recommendation": {
+                    "Text": "test recommendation",
+                    "Url": "https://hub.prowler.com/check/test_check",
+                },
+            },
+            "Categories": [
+                "vercel-hobby-plan",
+                "vercel-pro-plan",
+                "vercel-enterprise-plan",
+            ],
+            "DependsOn": [],
+            "RelatedTo": [],
+            "Notes": "Test notes",
+        }
+
+        check_metadata = CheckMetadata(**valid_metadata)
+        assert check_metadata.Categories == [
+            "vercel-hobby-plan",
+            "vercel-pro-plan",
+            "vercel-enterprise-plan",
+        ]
+
     def test_valid_category_failure_non_string(self):
         """Test valid category validation fails with non-string category"""
         invalid_metadata = {
@@ -454,7 +498,7 @@ class TestCheckMetadataValidators:
         with pytest.raises(ValidationError) as exc_info:
             CheckMetadata(**invalid_metadata)
         assert (
-            "Categories can only contain lowercase letters, numbers and hyphen"
+            "Categories can only contain lowercase letters, numbers, and hyphen '-'"
             in str(exc_info.value)
         )
 
diff --git a/tests/providers/vercel/lib/service/vercel_service_test.py b/tests/providers/vercel/lib/service/vercel_service_test.py
new file mode 100644
index 0000000000..e267b84841
--- /dev/null
+++ b/tests/providers/vercel/lib/service/vercel_service_test.py
@@ -0,0 +1,29 @@
+from unittest import mock
+
+from prowler.providers.vercel.lib.service.service import VercelService
+
+
+class TestVercelService:
+    def test_get_returns_none_and_logs_info_on_expected_403(self):
+        service = VercelService.__new__(VercelService)
+        service.audit_config = {"max_retries": 0}
+        service.service = "security"
+        service._team_id = None
+        service._base_url = "https://api.vercel.com"
+
+        response = mock.MagicMock()
+        response.status_code = 403
+
+        service._http_session = mock.MagicMock()
+        service._http_session.get.return_value = response
+
+        with mock.patch(
+            "prowler.providers.vercel.lib.service.service.logger"
+        ) as logger_mock:
+            result = service._get("/v1/security/firewall/config/active")
+
+        assert result is None
+        logger_mock.info.assert_called_once_with(
+            "security - Access denied for /v1/security/firewall/config/active (403). "
+            "This may be caused by plan or permission restrictions."
+        )
diff --git a/tests/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled_test.py b/tests/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled_test.py
index 9de3eb874a..cd19a682c9 100644
--- a/tests/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled_test.py
+++ b/tests/providers/vercel/services/project/project_password_protection_enabled/project_password_protection_enabled_test.py
@@ -142,3 +142,41 @@ class Test_project_password_protection_enabled:
                 == f"Project {PROJECT_NAME} does not have password protection configured for deployments."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_no_password_protection_hobby_plan(self):
+        project_client = mock.MagicMock
+        project_client.projects = {
+            PROJECT_ID: VercelProject(
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="hobby",
+                password_protection=None,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(billing_plan="hobby"),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.project.project_password_protection_enabled.project_password_protection_enabled.project_client",
+                new=project_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.project.project_password_protection_enabled.project_password_protection_enabled import (
+                project_password_protection_enabled,
+            )
+
+            check = project_password_protection_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == PROJECT_ID
+            assert result[0].resource_name == PROJECT_NAME
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} does not have password protection configured for deployments. This may be expected because password protection is not available on the Vercel Hobby plan."
+            )
+            assert result[0].team_id == TEAM_ID
diff --git a/tests/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled_test.py b/tests/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled_test.py
index ff2517fbd3..eb8e15ddff 100644
--- a/tests/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled_test.py
+++ b/tests/providers/vercel/services/project/project_production_deployment_protection_enabled/project_production_deployment_protection_enabled_test.py
@@ -149,3 +149,41 @@ class Test_project_production_deployment_protection_enabled:
                 == f"Project {PROJECT_NAME} does not have deployment protection enabled on production deployments."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_protection_null_hobby_plan(self):
+        project_client = mock.MagicMock
+        project_client.projects = {
+            PROJECT_ID: VercelProject(
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="hobby",
+                production_deployment_protection=None,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(billing_plan="hobby"),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.project.project_production_deployment_protection_enabled.project_production_deployment_protection_enabled.project_client",
+                new=project_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.project.project_production_deployment_protection_enabled.project_production_deployment_protection_enabled import (
+                project_production_deployment_protection_enabled,
+            )
+
+            check = project_production_deployment_protection_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == PROJECT_ID
+            assert result[0].resource_name == PROJECT_NAME
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} does not have deployment protection enabled on production deployments. This may be expected because protecting production deployments is not available on the Vercel Hobby plan."
+            )
+            assert result[0].team_id == TEAM_ID
diff --git a/tests/providers/vercel/services/project/project_service_test.py b/tests/providers/vercel/services/project/project_service_test.py
index b82588ddd9..cad889905e 100644
--- a/tests/providers/vercel/services/project/project_service_test.py
+++ b/tests/providers/vercel/services/project/project_service_test.py
@@ -5,6 +5,7 @@ from tests.providers.vercel.vercel_fixtures import (
     PROJECT_ID,
     PROJECT_NAME,
     TEAM_ID,
+    USER_ID,
     set_mocked_vercel_provider,
 )
 
@@ -43,3 +44,69 @@ class TestProjectService:
             "ai_bots": {"active": False, "action": "deny"},
         }
         assert project.bot_id_enabled is True
+
+    def test_list_projects_uses_scoped_team_billing_plan(self):
+        service = Project.__new__(Project)
+        service.provider = set_mocked_vercel_provider(
+            billing_plan="enterprise",
+            team_billing_plan="hobby",
+        )
+        service.projects = {}
+        service._paginate = mock.MagicMock(
+            return_value=[
+                {
+                    "id": PROJECT_ID,
+                    "name": PROJECT_NAME,
+                    "accountId": TEAM_ID,
+                }
+            ]
+        )
+
+        service._list_projects()
+
+        project = service.projects[PROJECT_ID]
+        assert project.billing_plan == "hobby"
+
+    def test_list_projects_uses_user_billing_plan_for_user_scoped_project(self):
+        service = Project.__new__(Project)
+        service.provider = set_mocked_vercel_provider(
+            billing_plan="enterprise",
+            team_billing_plan="hobby",
+        )
+        service.projects = {}
+        service._paginate = mock.MagicMock(
+            return_value=[
+                {
+                    "id": PROJECT_ID,
+                    "name": PROJECT_NAME,
+                    "accountId": USER_ID,
+                }
+            ]
+        )
+
+        service._list_projects()
+
+        project = service.projects[PROJECT_ID]
+        assert project.billing_plan == "enterprise"
+
+    def test_list_projects_does_not_guess_billing_plan_without_scope(self):
+        service = Project.__new__(Project)
+        service.provider = set_mocked_vercel_provider(
+            billing_plan="enterprise",
+            team_billing_plan="hobby",
+        )
+        service.provider.session.team_id = None
+        service.projects = {}
+        service._paginate = mock.MagicMock(
+            return_value=[
+                {
+                    "id": PROJECT_ID,
+                    "name": PROJECT_NAME,
+                }
+            ]
+        )
+
+        service._list_projects()
+
+        project = service.projects[PROJECT_ID]
+        assert project.billing_plan is None
diff --git a/tests/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled_test.py b/tests/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled_test.py
index 19d1ce8885..38c02040d1 100644
--- a/tests/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled_test.py
+++ b/tests/providers/vercel/services/project/project_skew_protection_enabled/project_skew_protection_enabled_test.py
@@ -105,3 +105,41 @@ class Test_project_skew_protection_enabled:
                 == f"Project {PROJECT_NAME} does not have skew protection enabled, which may cause version mismatches during deployments."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_skew_protection_disabled_hobby_plan(self):
+        project_client = mock.MagicMock
+        project_client.projects = {
+            PROJECT_ID: VercelProject(
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="hobby",
+                skew_protection=False,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(billing_plan="hobby"),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.project.project_skew_protection_enabled.project_skew_protection_enabled.project_client",
+                new=project_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.project.project_skew_protection_enabled.project_skew_protection_enabled import (
+                project_skew_protection_enabled,
+            )
+
+            check = project_skew_protection_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == PROJECT_ID
+            assert result[0].resource_name == PROJECT_NAME
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} does not have skew protection enabled, which may cause version mismatches during deployments. This may be expected because skew protection is not available on the Vercel Hobby plan."
+            )
+            assert result[0].team_id == TEAM_ID
diff --git a/tests/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured_test.py b/tests/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured_test.py
index 72fc44f61e..3eb92c4a8b 100644
--- a/tests/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured_test.py
+++ b/tests/providers/vercel/services/security/security_custom_rules_configured/security_custom_rules_configured_test.py
@@ -111,3 +111,41 @@ class Test_security_custom_rules_configured:
                 == f"Project {PROJECT_NAME} ({PROJECT_ID}) does not have any custom firewall rules configured."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_custom_rules_status_unavailable_hobby_plan(self):
+        security_client = mock.MagicMock
+        security_client.firewall_configs = {
+            PROJECT_ID: VercelFirewallConfig(
+                project_id=PROJECT_ID,
+                project_name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="hobby",
+                firewall_config_accessible=False,
+                managed_rulesets=None,
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.security.security_custom_rules_configured.security_custom_rules_configured.security_client",
+                new=security_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.security.security_custom_rules_configured.security_custom_rules_configured import (
+                security_custom_rules_configured,
+            )
+
+            check = security_custom_rules_configured()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "MANUAL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be assessed for custom firewall rules because the firewall configuration endpoint was not accessible. Manual verification is required. This may be expected because custom firewall rules are not available on the Vercel Hobby plan."
+            )
diff --git a/tests/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured_test.py b/tests/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured_test.py
index 20e6224a24..9d8f537229 100644
--- a/tests/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured_test.py
+++ b/tests/providers/vercel/services/security/security_ip_blocking_rules_configured/security_ip_blocking_rules_configured_test.py
@@ -111,3 +111,41 @@ class Test_security_ip_blocking_rules_configured:
                 == f"Project {PROJECT_NAME} ({PROJECT_ID}) does not have any IP blocking rules configured."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_ip_rules_status_unavailable_hobby_plan(self):
+        security_client = mock.MagicMock
+        security_client.firewall_configs = {
+            PROJECT_ID: VercelFirewallConfig(
+                project_id=PROJECT_ID,
+                project_name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="hobby",
+                firewall_config_accessible=False,
+                managed_rulesets=None,
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.security.security_ip_blocking_rules_configured.security_ip_blocking_rules_configured.security_client",
+                new=security_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.security.security_ip_blocking_rules_configured.security_ip_blocking_rules_configured import (
+                security_ip_blocking_rules_configured,
+            )
+
+            check = security_ip_blocking_rules_configured()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "MANUAL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be assessed for IP blocking rules because the firewall configuration endpoint was not accessible. Manual verification is required. This may be expected because IP blocking rules are not available on the Vercel Hobby plan."
+            )
diff --git a/tests/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled_test.py b/tests/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled_test.py
index 2cc32c4e91..03cd387d45 100644
--- a/tests/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled_test.py
+++ b/tests/providers/vercel/services/security/security_managed_rulesets_enabled/security_managed_rulesets_enabled_test.py
@@ -121,6 +121,7 @@ class Test_security_managed_rulesets_enabled:
                 project_id=PROJECT_ID,
                 project_name=PROJECT_NAME,
                 team_id=TEAM_ID,
+                firewall_config_accessible=False,
                 firewall_enabled=False,
                 managed_rulesets=None,
                 id=PROJECT_ID,
@@ -150,6 +151,45 @@ class Test_security_managed_rulesets_enabled:
             assert result[0].status == "MANUAL"
             assert (
                 result[0].status_extended
-                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be assessed for managed rulesets. Enterprise plan required to access this feature."
+                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be assessed for managed rulesets because the firewall configuration endpoint was not accessible. Manual verification is required."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_managed_rulesets_plan_gated_non_enterprise_scope(self):
+        security_client = mock.MagicMock
+        security_client.firewall_configs = {
+            PROJECT_ID: VercelFirewallConfig(
+                project_id=PROJECT_ID,
+                project_name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="pro",
+                firewall_config_accessible=False,
+                firewall_enabled=False,
+                managed_rulesets=None,
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.security.security_managed_rulesets_enabled.security_managed_rulesets_enabled.security_client",
+                new=security_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.security.security_managed_rulesets_enabled.security_managed_rulesets_enabled import (
+                security_managed_rulesets_enabled,
+            )
+
+            check = security_managed_rulesets_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "MANUAL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be assessed for managed rulesets because the firewall configuration endpoint was not accessible. Manual verification is required. This may be expected because some managed WAF rulesets, including the OWASP Core Ruleset, are only available on Vercel Enterprise plans."
+            )
diff --git a/tests/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured_test.py b/tests/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured_test.py
index 1c00a3c358..aab3e84d71 100644
--- a/tests/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured_test.py
+++ b/tests/providers/vercel/services/security/security_rate_limiting_configured/security_rate_limiting_configured_test.py
@@ -111,3 +111,41 @@ class Test_security_rate_limiting_configured:
                 == f"Project {PROJECT_NAME} ({PROJECT_ID}) does not have any rate limiting rules configured."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_rate_limiting_status_unavailable_hobby_plan(self):
+        security_client = mock.MagicMock
+        security_client.firewall_configs = {
+            PROJECT_ID: VercelFirewallConfig(
+                project_id=PROJECT_ID,
+                project_name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="hobby",
+                firewall_config_accessible=False,
+                managed_rulesets=None,
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.security.security_rate_limiting_configured.security_rate_limiting_configured.security_client",
+                new=security_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.security.security_rate_limiting_configured.security_rate_limiting_configured import (
+                security_rate_limiting_configured,
+            )
+
+            check = security_rate_limiting_configured()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "MANUAL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be assessed for rate limiting rules because the firewall configuration endpoint was not accessible. Manual verification is required. This may be expected because rate limiting rules are not available on the Vercel Hobby plan."
+            )
diff --git a/tests/providers/vercel/services/security/security_service_test.py b/tests/providers/vercel/services/security/security_service_test.py
index d0a690b1db..17c546db90 100644
--- a/tests/providers/vercel/services/security/security_service_test.py
+++ b/tests/providers/vercel/services/security/security_service_test.py
@@ -7,7 +7,12 @@ from tests.providers.vercel.vercel_fixtures import PROJECT_ID, PROJECT_NAME, TEA
 
 class TestSecurityService:
     def test_fetch_firewall_config_reads_active_version_and_normalizes_response(self):
-        project = VercelProject(id=PROJECT_ID, name=PROJECT_NAME, team_id=TEAM_ID)
+        project = VercelProject(
+            id=PROJECT_ID,
+            name=PROJECT_NAME,
+            team_id=TEAM_ID,
+            billing_plan="pro",
+        )
         service = Security.__new__(Security)
         service.firewall_configs = {}
 
@@ -89,6 +94,7 @@ class TestSecurityService:
         )
 
         config = service.firewall_configs[PROJECT_ID]
+        assert config.billing_plan == "pro"
         assert config.firewall_enabled is True
         assert config.managed_rulesets == {"owasp": {"active": True, "action": "deny"}}
         assert [rule["id"] for rule in config.custom_rules] == ["rule-custom"]
diff --git a/tests/providers/vercel/services/security/security_waf_enabled/security_waf_enabled_test.py b/tests/providers/vercel/services/security/security_waf_enabled/security_waf_enabled_test.py
index 1641868175..8df46dfec6 100644
--- a/tests/providers/vercel/services/security/security_waf_enabled/security_waf_enabled_test.py
+++ b/tests/providers/vercel/services/security/security_waf_enabled/security_waf_enabled_test.py
@@ -113,3 +113,83 @@ class Test_security_waf_enabled:
                 == f"Project {PROJECT_NAME} ({PROJECT_ID}) does not have the Web Application Firewall enabled."
             )
             assert result[0].team_id == TEAM_ID
+
+    def test_waf_status_unavailable(self):
+        security_client = mock.MagicMock
+        security_client.firewall_configs = {
+            PROJECT_ID: VercelFirewallConfig(
+                project_id=PROJECT_ID,
+                project_name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                firewall_config_accessible=False,
+                firewall_enabled=False,
+                managed_rulesets=None,
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.security.security_waf_enabled.security_waf_enabled.security_client",
+                new=security_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.security.security_waf_enabled.security_waf_enabled import (
+                security_waf_enabled,
+            )
+
+            check = security_waf_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == PROJECT_ID
+            assert result[0].resource_name == PROJECT_NAME
+            assert result[0].status == "MANUAL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be checked for WAF status because the firewall configuration endpoint was not accessible. Manual verification is required."
+            )
+            assert result[0].team_id == TEAM_ID
+
+    def test_waf_status_unavailable_hobby_plan(self):
+        security_client = mock.MagicMock
+        security_client.firewall_configs = {
+            PROJECT_ID: VercelFirewallConfig(
+                project_id=PROJECT_ID,
+                project_name=PROJECT_NAME,
+                team_id=TEAM_ID,
+                billing_plan="hobby",
+                firewall_config_accessible=False,
+                firewall_enabled=False,
+                managed_rulesets=None,
+                id=PROJECT_ID,
+                name=PROJECT_NAME,
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.security.security_waf_enabled.security_waf_enabled.security_client",
+                new=security_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.security.security_waf_enabled.security_waf_enabled import (
+                security_waf_enabled,
+            )
+
+            check = security_waf_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "MANUAL"
+            assert (
+                result[0].status_extended
+                == f"Project {PROJECT_NAME} ({PROJECT_ID}) could not be checked for WAF status because the firewall configuration endpoint was not accessible. Manual verification is required. This may be expected because the Web Application Firewall is not available on the Vercel Hobby plan."
+            )
diff --git a/tests/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled_test.py b/tests/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled_test.py
index 7f08db7fa1..b85e12ba3c 100644
--- a/tests/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled_test.py
+++ b/tests/providers/vercel/services/team/team_directory_sync_enabled/team_directory_sync_enabled_test.py
@@ -105,3 +105,41 @@ class Test_team_directory_sync_enabled:
                 == f"Team {TEAM_NAME} does not have directory sync (SCIM) enabled. User provisioning and deprovisioning must be managed manually."
             )
             assert result[0].team_id == ""
+
+    def test_directory_sync_disabled_pro_plan(self):
+        team_client = mock.MagicMock
+        team_client.teams = {
+            TEAM_ID: VercelTeam(
+                id=TEAM_ID,
+                name=TEAM_NAME,
+                slug=TEAM_SLUG,
+                directory_sync_enabled=False,
+                billing_plan="pro",
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.team.team_directory_sync_enabled.team_directory_sync_enabled.team_client",
+                new=team_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.team.team_directory_sync_enabled.team_directory_sync_enabled import (
+                team_directory_sync_enabled,
+            )
+
+            check = team_directory_sync_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == TEAM_ID
+            assert result[0].resource_name == TEAM_NAME
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Team {TEAM_NAME} does not have directory sync (SCIM) enabled. User provisioning and deprovisioning must be managed manually. This may be expected because directory sync (SCIM) is only available on Vercel Enterprise plans."
+            )
+            assert result[0].team_id == ""
diff --git a/tests/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled_test.py b/tests/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled_test.py
index b7f40dd653..b99b862c1f 100644
--- a/tests/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled_test.py
+++ b/tests/providers/vercel/services/team/team_saml_sso_enabled/team_saml_sso_enabled_test.py
@@ -106,3 +106,42 @@ class Test_team_saml_sso_enabled:
                 == f"Team {TEAM_NAME} does not have SAML SSO enabled."
             )
             assert result[0].team_id == ""
+
+    def test_saml_disabled_hobby_plan(self):
+        team_client = mock.MagicMock
+        team_client.teams = {
+            TEAM_ID: VercelTeam(
+                id=TEAM_ID,
+                name=TEAM_NAME,
+                slug=TEAM_SLUG,
+                saml=SAMLConfig(status="disabled", enforced=False),
+                billing_plan="hobby",
+                members=[],
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.team.team_saml_sso_enabled.team_saml_sso_enabled.team_client",
+                new=team_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.team.team_saml_sso_enabled.team_saml_sso_enabled import (
+                team_saml_sso_enabled,
+            )
+
+            check = team_saml_sso_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == TEAM_ID
+            assert result[0].resource_name == TEAM_NAME
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Team {TEAM_NAME} does not have SAML SSO enabled. This may be expected because SAML SSO is not available on the Vercel Hobby plan."
+            )
+            assert result[0].team_id == ""
diff --git a/tests/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced_test.py b/tests/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced_test.py
index 360d6cdbd8..839c42f3ad 100644
--- a/tests/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced_test.py
+++ b/tests/providers/vercel/services/team/team_saml_sso_enforced/team_saml_sso_enforced_test.py
@@ -142,3 +142,41 @@ class Test_team_saml_sso_enforced:
                 == f"Team {TEAM_NAME} does not have SAML SSO enforced."
             )
             assert result[0].team_id == ""
+
+    def test_saml_disabled_hobby_plan(self):
+        team_client = mock.MagicMock
+        team_client.teams = {
+            TEAM_ID: VercelTeam(
+                id=TEAM_ID,
+                name=TEAM_NAME,
+                slug=TEAM_SLUG,
+                saml=SAMLConfig(status="disabled", enforced=False),
+                billing_plan="hobby",
+            )
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_vercel_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.vercel.services.team.team_saml_sso_enforced.team_saml_sso_enforced.team_client",
+                new=team_client,
+            ),
+        ):
+            from prowler.providers.vercel.services.team.team_saml_sso_enforced.team_saml_sso_enforced import (
+                team_saml_sso_enforced,
+            )
+
+            check = team_saml_sso_enforced()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == TEAM_ID
+            assert result[0].resource_name == TEAM_NAME
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Team {TEAM_NAME} does not have SAML SSO enforced. This may be expected because SAML SSO is not available on the Vercel Hobby plan."
+            )
+            assert result[0].team_id == ""
diff --git a/tests/providers/vercel/vercel_fixtures.py b/tests/providers/vercel/vercel_fixtures.py
index 70775bb377..3e5a21f4ef 100644
--- a/tests/providers/vercel/vercel_fixtures.py
+++ b/tests/providers/vercel/vercel_fixtures.py
@@ -33,6 +33,8 @@ def set_mocked_vercel_provider(
     team_id: str = TEAM_ID,
     identity: VercelIdentityInfo = None,
     audit_config: dict = None,
+    billing_plan: str = None,
+    team_billing_plan: str = None,
 ):
     """Create a mocked VercelProvider for testing."""
     provider = MagicMock()
@@ -42,15 +44,22 @@ def set_mocked_vercel_provider(
         team_id=team_id,
         http_session=MagicMock(),
     )
+    resolved_team_billing_plan = (
+        team_billing_plan if team_billing_plan is not None else billing_plan
+    )
+    team_info = VercelTeamInfo(
+        id=TEAM_ID,
+        name=TEAM_NAME,
+        slug=TEAM_SLUG,
+        billing_plan=resolved_team_billing_plan,
+    )
     provider.identity = identity or VercelIdentityInfo(
         user_id=USER_ID,
         username=USERNAME,
         email=USER_EMAIL,
-        team=VercelTeamInfo(
-            id=TEAM_ID,
-            name=TEAM_NAME,
-            slug=TEAM_SLUG,
-        ),
+        billing_plan=billing_plan,
+        team=team_info,
+        teams=[team_info],
     )
     provider.audit_config = audit_config or {"max_retries": 3}
     provider.fixer_config = {}
diff --git a/tests/providers/vercel/vercel_metadata_test.py b/tests/providers/vercel/vercel_metadata_test.py
new file mode 100644
index 0000000000..0587c1a992
--- /dev/null
+++ b/tests/providers/vercel/vercel_metadata_test.py
@@ -0,0 +1,97 @@
+from prowler.lib.check.models import CheckMetadata
+
+
+class TestVercelMetadata:
+    EXPECTED_CATEGORIES = {
+        "authentication_no_stale_tokens": [
+            "trust-boundaries",
+            "vercel-hobby-plan",
+        ],
+        "authentication_token_not_expired": [
+            "trust-boundaries",
+            "vercel-hobby-plan",
+        ],
+        "deployment_production_uses_stable_target": [
+            "trust-boundaries",
+            "vercel-hobby-plan",
+        ],
+        "domain_dns_properly_configured": [
+            "trust-boundaries",
+            "vercel-hobby-plan",
+        ],
+        "domain_ssl_certificate_valid": ["encryption", "vercel-hobby-plan"],
+        "domain_verified": ["trust-boundaries", "vercel-hobby-plan"],
+        "project_auto_expose_system_env_disabled": [
+            "trust-boundaries",
+            "vercel-hobby-plan",
+        ],
+        "project_deployment_protection_enabled": [
+            "internet-exposed",
+            "vercel-hobby-plan",
+        ],
+        "project_directory_listing_disabled": [
+            "internet-exposed",
+            "vercel-hobby-plan",
+        ],
+        "project_environment_no_overly_broad_target": [
+            "secrets",
+            "vercel-hobby-plan",
+        ],
+        "project_environment_no_secrets_in_plain_type": [
+            "secrets",
+            "vercel-hobby-plan",
+        ],
+        "project_environment_production_vars_not_in_preview": [
+            "secrets",
+            "vercel-hobby-plan",
+        ],
+        "project_git_fork_protection_enabled": [
+            "internet-exposed",
+            "vercel-hobby-plan",
+        ],
+        "project_password_protection_enabled": [
+            "internet-exposed",
+            "vercel-pro-plan",
+        ],
+        "project_production_deployment_protection_enabled": [
+            "internet-exposed",
+            "vercel-pro-plan",
+        ],
+        "project_skew_protection_enabled": ["resilience", "vercel-pro-plan"],
+        "security_custom_rules_configured": [
+            "internet-exposed",
+            "vercel-pro-plan",
+        ],
+        "security_ip_blocking_rules_configured": [
+            "internet-exposed",
+            "vercel-pro-plan",
+        ],
+        "security_managed_rulesets_enabled": [
+            "internet-exposed",
+            "vercel-hobby-plan",
+        ],
+        "security_rate_limiting_configured": [
+            "internet-exposed",
+            "vercel-pro-plan",
+        ],
+        "security_waf_enabled": ["internet-exposed", "vercel-pro-plan"],
+        "team_directory_sync_enabled": [
+            "trust-boundaries",
+            "vercel-enterprise-plan",
+        ],
+        "team_member_role_least_privilege": [
+            "trust-boundaries",
+            "vercel-hobby-plan",
+        ],
+        "team_no_stale_invitations": ["trust-boundaries", "vercel-hobby-plan"],
+        "team_saml_sso_enabled": ["trust-boundaries", "vercel-pro-plan"],
+        "team_saml_sso_enforced": ["trust-boundaries", "vercel-pro-plan"],
+    }
+
+    def test_vercel_checks_use_legacy_and_plan_categories(self):
+        vercel_metadata = CheckMetadata.get_bulk(provider="vercel")
+
+        assert set(vercel_metadata) == set(self.EXPECTED_CATEGORIES)
+
+        for check_id, expected_categories in self.EXPECTED_CATEGORIES.items():
+            assert vercel_metadata[check_id].Categories == expected_categories

From 6cb770fcc8d7579dff689e07276752a0db3316c0 Mon Sep 17 00:00:00 2001
From: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
Date: Mon, 4 May 2026 11:17:54 +0100
Subject: [PATCH 10/29] fix(ui): clean up findings expanded resource row layout
 (#10949)

---
 ui/CHANGELOG.md                               |  8 ++
 .../table/column-finding-resources.tsx        | 78 +++++++++----------
 .../table/inline-resource-container.tsx       | 38 ++++-----
 3 files changed, 62 insertions(+), 62 deletions(-)

diff --git a/ui/CHANGELOG.md b/ui/CHANGELOG.md
index 8a18dae634..49ec9a26bd 100644
--- a/ui/CHANGELOG.md
+++ b/ui/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All notable changes to the **Prowler UI** are documented in this file.
 
+## [1.26.0] (Prowler UNRELEASED)
+
+### 🔄 Changed
+
+- Findings expanded resource rows now drop the redundant cube icons, render Service and Region with the same compact label style as Last seen and Failing for, and reorder columns to Status, Resource, Provider, Severity, then field labels [(#10949)](https://github.com/prowler-cloud/prowler/pull/10949)
+
+---
+
 ## [1.25.1] (Prowler v5.25.1)
 
 ### 🐞 Fixed
diff --git a/ui/components/findings/table/column-finding-resources.tsx b/ui/components/findings/table/column-finding-resources.tsx
index 4b184459ef..5789b8a96b 100644
--- a/ui/components/findings/table/column-finding-resources.tsx
+++ b/ui/components/findings/table/column-finding-resources.tsx
@@ -1,7 +1,7 @@
 "use client";
 
 import { ColumnDef, Row, RowSelectionState } from "@tanstack/react-table";
-import { Container, CornerDownRight, VolumeOff, VolumeX } from "lucide-react";
+import { CornerDownRight, VolumeOff, VolumeX } from "lucide-react";
 import { useContext, useState } from "react";
 
 import { MuteFindingsModal } from "@/components/findings/mute-findings-modal";
@@ -203,23 +203,6 @@ export function getColumnFindingResources({
       enableSorting: false,
       enableHiding: false,
     },
-    // Resource — name + uid (EntityInfo with resource icon)
-    {
-      id: "resource",
-      header: ({ column }) => (
-        <DataTableColumnHeader column={column} title="Resource" />
-      ),
-      cell: ({ row }) => (
-        <div className="max-w-[240px]">
-          <EntityInfo
-            nameIcon={<Container className="size-4" />}
-            entityAlias={row.original.resourceName}
-            entityId={row.original.resourceUid}
-          />
-        </div>
-      ),
-      enableSorting: false,
-    },
     // Status
     {
       id: "status",
@@ -233,29 +216,35 @@ export function getColumnFindingResources({
       },
       enableSorting: false,
     },
-    // Service
+    // Resource — name + uid
     {
-      id: "service",
+      id: "resource",
       header: ({ column }) => (
-        <DataTableColumnHeader column={column} title="Service" />
+        <DataTableColumnHeader column={column} title="Resource" />
       ),
       cell: ({ row }) => (
-        <p className="text-text-neutral-primary max-w-[100px] truncate text-sm">
-          {row.original.service}
-        </p>
+        <div className="max-w-[240px]">
+          <EntityInfo
+            entityAlias={row.original.resourceName}
+            entityId={row.original.resourceUid}
+          />
+        </div>
       ),
       enableSorting: false,
     },
-    // Region
+    // Provider — alias + uid (same style as Resource)
     {
-      id: "region",
+      id: "provider",
       header: ({ column }) => (
-        <DataTableColumnHeader column={column} title="Region" />
+        <DataTableColumnHeader column={column} title="Provider" />
       ),
       cell: ({ row }) => (
-        <p className="text-text-neutral-primary max-w-[120px] truncate text-sm">
-          {row.original.region}
-        </p>
+        <div className="max-w-[240px]">
+          <EntityInfo
+            entityAlias={row.original.providerAlias}
+            entityId={row.original.providerUid}
+          />
+        </div>
       ),
       enableSorting: false,
     },
@@ -268,20 +257,29 @@ export function getColumnFindingResources({
       cell: ({ row }) => <SeverityBadge severity={row.original.severity} />,
       enableSorting: false,
     },
-    // Account — alias + uid (EntityInfo with provider logo)
+    // Service
     {
-      id: "account",
+      id: "service",
       header: ({ column }) => (
-        <DataTableColumnHeader column={column} title="Account" />
+        <DataTableColumnHeader column={column} title="Service" />
       ),
       cell: ({ row }) => (
-        <div className="max-w-[240px]">
-          <EntityInfo
-            cloudProvider={row.original.providerType}
-            entityAlias={row.original.providerAlias}
-            entityId={row.original.providerUid}
-          />
-        </div>
+        <InfoField label="Service" variant="compact">
+          {row.original.service || "-"}
+        </InfoField>
+      ),
+      enableSorting: false,
+    },
+    // Region
+    {
+      id: "region",
+      header: ({ column }) => (
+        <DataTableColumnHeader column={column} title="Region" />
+      ),
+      cell: ({ row }) => (
+        <InfoField label="Region" variant="compact">
+          {row.original.region || "-"}
+        </InfoField>
       ),
       enableSorting: false,
     },
diff --git a/ui/components/findings/table/inline-resource-container.tsx b/ui/components/findings/table/inline-resource-container.tsx
index 2aa13056d9..22ccb027e1 100644
--- a/ui/components/findings/table/inline-resource-container.tsx
+++ b/ui/components/findings/table/inline-resource-container.tsx
@@ -70,27 +70,23 @@ function ResourceSkeletonRow({
           <div className="bg-bg-input-primary border-border-input-primary size-5 rounded-sm border shadow-[0_1px_2px_0_rgba(0,0,0,0.1)]" />
         </div>
       </TableCell>
-      {/* Resource: icon + name + uid */}
-      <TableCell className={cellClassName}>
-        <div className="flex items-center gap-2">
-          <Skeleton className="size-4 rounded" />
-          <div className="space-y-1.5">
-            <Skeleton className="h-4 w-32 rounded" />
-            <Skeleton className="h-3.5 w-20 rounded" />
-          </div>
-        </div>
-      </TableCell>
       {/* Status */}
       <TableCell className={cellClassName}>
         <Skeleton className="h-6 w-11 rounded-md" />
       </TableCell>
-      {/* Service */}
+      {/* Resource: name + uid */}
       <TableCell className={cellClassName}>
-        <Skeleton className="h-4.5 w-16 rounded" />
+        <div className="space-y-1.5">
+          <Skeleton className="h-4 w-32 rounded" />
+          <Skeleton className="h-3.5 w-20 rounded" />
+        </div>
       </TableCell>
-      {/* Region */}
+      {/* Provider: alias + uid */}
       <TableCell className={cellClassName}>
-        <Skeleton className="h-4.5 w-20 rounded" />
+        <div className="space-y-1.5">
+          <Skeleton className="h-4 w-24 rounded" />
+          <Skeleton className="h-3.5 w-16 rounded" />
+        </div>
       </TableCell>
       {/* Severity */}
       <TableCell className={cellClassName}>
@@ -99,15 +95,13 @@ function ResourceSkeletonRow({
           <Skeleton className="h-4.5 w-12 rounded" />
         </div>
       </TableCell>
-      {/* Account: provider icon + alias + uid */}
+      {/* Service */}
       <TableCell className={cellClassName}>
-        <div className="flex items-center gap-2">
-          <Skeleton className="size-4 rounded" />
-          <div className="space-y-1.5">
-            <Skeleton className="h-4 w-24 rounded" />
-            <Skeleton className="h-3.5 w-16 rounded" />
-          </div>
-        </div>
+        <Skeleton className="h-4.5 w-16 rounded" />
+      </TableCell>
+      {/* Region */}
+      <TableCell className={cellClassName}>
+        <Skeleton className="h-4.5 w-20 rounded" />
       </TableCell>
       {/* Last seen */}
       <TableCell className={cellClassName}>

From 921f49a0de407b06afc2d311564f56052526a724 Mon Sep 17 00:00:00 2001
From: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Date: Mon, 4 May 2026 12:38:15 +0200
Subject: [PATCH 11/29] feat(aws): add bedrock_prompt_management_exists
 security check (#10878)

---
 prowler/CHANGELOG.md                          |   1 +
 .../compliance/aws/kisa_isms_p_2023_aws.json  |   1 +
 .../aws/kisa_isms_p_2023_korean_aws.json      |   1 +
 .../__init__.py                               |   0
 ...ock_prompt_management_exists.metadata.json |  39 +++
 .../bedrock_prompt_management_exists.py       |  54 ++++
 .../aws/services/bedrock/bedrock_service.py   |  37 +++
 .../bedrock_prompt_management_exists_test.py  | 280 ++++++++++++++++++
 .../services/bedrock/bedrock_service_test.py  | 122 ++++++++
 9 files changed, 535 insertions(+)
 create mode 100644 prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/__init__.py
 create mode 100644 prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.metadata.json
 create mode 100644 prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.py
 create mode 100644 tests/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists_test.py

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 643aeb518e..589f76323c 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Universal compliance pipeline integrated into the CLI: `--list-compliance` and `--list-compliance-requirements` show universal frameworks, and CSV plus OCSF outputs are generated for any framework declaring a `TableConfig` [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
 - ASD Essential Eight Maturity Model compliance framework for AWS (Maturity Level One, Nov 2023) [(#10808)](https://github.com/prowler-cloud/prowler/pull/10808)
 - Update Vercel checks to return personalized finding status extended depending on billing plan and classify them with billing-plan categories [(#10663)](https://github.com/prowler-cloud/prowler/pull/10663)
+- `bedrock_prompt_management_exists` check for AWS provider [(#10878)](https://github.com/prowler-cloud/prowler/pull/10878)
 
 ### 🔄 Changed
 
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
index f7c2a0bc69..b2b71fa905 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_aws.json
@@ -2897,6 +2897,7 @@
         "bedrock_guardrails_configured",
         "bedrock_model_invocation_logging_enabled",
         "bedrock_model_invocation_logs_encryption_enabled",
+        "bedrock_prompt_management_exists",
         "cloudformation_stack_outputs_find_secrets",
         "cloudfront_distributions_custom_ssl_certificate",
         "cloudfront_distributions_default_root_object",
diff --git a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
index 877b46250c..a933fc8d27 100644
--- a/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
+++ b/prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json
@@ -2901,6 +2901,7 @@
         "bedrock_guardrails_configured",
         "bedrock_model_invocation_logging_enabled",
         "bedrock_model_invocation_logs_encryption_enabled",
+        "bedrock_prompt_management_exists",
         "cloudformation_stack_outputs_find_secrets",
         "cloudfront_distributions_custom_ssl_certificate",
         "cloudfront_distributions_default_root_object",
diff --git a/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/__init__.py b/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.metadata.json b/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.metadata.json
new file mode 100644
index 0000000000..195cefccd1
--- /dev/null
+++ b/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.metadata.json
@@ -0,0 +1,39 @@
+{
+  "Provider": "aws",
+  "CheckID": "bedrock_prompt_management_exists",
+  "CheckTitle": "Amazon Bedrock Prompt Management prompts exist in the region",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "bedrock",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "low",
+  "ResourceType": "Other",
+  "ResourceGroup": "ai_ml",
+  "Description": "**Bedrock Prompt Management** enables centralized creation, versioning, and governance of prompts used with foundation models.\n\nThis region-level check verifies whether at least one managed prompt exists in each scanned region, used as an adoption signal for Prompt Management. The presence of a prompt does not by itself guarantee that every application prompt is managed.",
+  "Risk": "Without **Prompt Management**, prompts are scattered across applications with no central oversight, versioning, or auditability over instructions sent to foundation models, weakening governance and compliance posture.\n\nManaged prompts are a governance enabler; **prompt injection** defenses are provided by Bedrock **guardrails**, covered by separate checks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-management.html",
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-management-create.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aws bedrock-agent create-prompt --name example_prompt --default-variant default --variants '[{\"name\":\"default\",\"templateType\":\"TEXT\",\"templateConfiguration\":{\"text\":{\"text\":\"Your prompt template here.\"}}}]'",
+      "NativeIaC": "",
+      "Other": "1. Open the Amazon Bedrock console\n2. Navigate to Prompt Management\n3. Click Create prompt\n4. Provide a name and configure the prompt template (a prompt can contain at most one variant; additional variants are created via CreatePromptVersion)\n5. Save the prompt",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Adopt **Bedrock Prompt Management** to centralize prompt definitions, enforce versioning, and maintain governance over model interactions.\n\nUse managed prompts with **guardrails** and apply **least privilege** access controls to restrict who can create or modify prompts.",
+      "Url": "https://hub.prowler.com/check/bedrock_prompt_management_exists"
+    }
+  },
+  "Categories": [
+    "gen-ai"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Results are generated per scanned region. Regions where `ListPrompts` cannot be queried are omitted from the findings."
+}
diff --git a/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.py b/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.py
new file mode 100644
index 0000000000..b8ec65dbb4
--- /dev/null
+++ b/prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.py
@@ -0,0 +1,54 @@
+"""Check for region-level Bedrock Prompt Management adoption."""
+
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.bedrock.bedrock_agent_client import (
+    bedrock_agent_client,
+)
+
+
+class bedrock_prompt_management_exists(Check):
+    """Check whether Amazon Bedrock Prompt Management prompts exist in the region.
+
+    A region is reported only when ListPrompts succeeded for it; regions where
+    the API call failed (e.g. AccessDenied, unsupported region) are skipped at
+    the service layer and produce no finding.
+
+    - PASS: At least one managed prompt exists in the region (one finding per prompt).
+    - FAIL: No managed prompts exist in the region (one finding per region).
+    """
+
+    def execute(self) -> list[Check_Report_AWS]:
+        """Execute the Bedrock Prompt Management exists check.
+
+        Returns:
+            A list of reports containing the result of the check.
+        """
+        findings = []
+        for region in sorted(bedrock_agent_client.prompt_scanned_regions):
+            regional_prompts = sorted(
+                (
+                    prompt
+                    for prompt in bedrock_agent_client.prompts.values()
+                    if prompt.region == region
+                ),
+                key=lambda prompt: prompt.name,
+            )
+
+            if regional_prompts:
+                for prompt in regional_prompts:
+                    report = Check_Report_AWS(metadata=self.metadata(), resource=prompt)
+                    report.status = "PASS"
+                    report.status_extended = f"Bedrock Prompt Management prompt {prompt.name} exists in region {region}."
+                    findings.append(report)
+            else:
+                report = Check_Report_AWS(metadata=self.metadata(), resource={})
+                report.region = region
+                report.resource_id = "prompt-management"
+                report.resource_arn = f"arn:{bedrock_agent_client.audited_partition}:bedrock:{region}:{bedrock_agent_client.audited_account}:prompt-management"
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"No Bedrock Prompt Management prompts exist in region {region}."
+                )
+                findings.append(report)
+
+        return findings
diff --git a/prowler/providers/aws/services/bedrock/bedrock_service.py b/prowler/providers/aws/services/bedrock/bedrock_service.py
index c19bcb9166..e04319fc57 100644
--- a/prowler/providers/aws/services/bedrock/bedrock_service.py
+++ b/prowler/providers/aws/services/bedrock/bedrock_service.py
@@ -140,7 +140,10 @@ class BedrockAgent(AWSService):
         # Call AWSService's __init__
         super().__init__("bedrock-agent", provider)
         self.agents = {}
+        self.prompts = {}
+        self.prompt_scanned_regions: set = set()
         self.__threading_call__(self._list_agents)
+        self.__threading_call__(self._list_prompts)
         self.__threading_call__(self._list_tags_for_resource, self.agents.values())
 
     def _list_agents(self, regional_client):
@@ -167,7 +170,32 @@ class BedrockAgent(AWSService):
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
+    def _list_prompts(self, regional_client):
+        """List all prompts in a region.
+
+        Prompt Management is evaluated as a region-level adoption signal, so
+        prompt collection is intentionally not filtered by audit_resources.
+        """
+        logger.info("Bedrock Agent - Listing Prompts...")
+        try:
+            paginator = regional_client.get_paginator("list_prompts")
+            for page in paginator.paginate():
+                for prompt in page.get("promptSummaries", []):
+                    prompt_arn = prompt.get("arn", "")
+                    self.prompts[prompt_arn] = Prompt(
+                        id=prompt.get("id", ""),
+                        name=prompt.get("name", ""),
+                        arn=prompt_arn,
+                        region=regional_client.region,
+                    )
+            self.prompt_scanned_regions.add(regional_client.region)
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
     def _list_tags_for_resource(self, resource):
+        """List tags for a Bedrock Agent resource."""
         logger.info("Bedrock Agent - Listing Tags for Resource...")
         try:
             agent_tags = (
@@ -190,3 +218,12 @@ class Agent(BaseModel):
     guardrail_id: Optional[str] = None
     region: str
     tags: Optional[list] = []
+
+
+class Prompt(BaseModel):
+    """Model representing a Bedrock Prompt Management prompt."""
+
+    id: str
+    name: str
+    arn: str
+    region: str
diff --git a/tests/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists_test.py b/tests/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists_test.py
new file mode 100644
index 0000000000..c29b67c064
--- /dev/null
+++ b/tests/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists_test.py
@@ -0,0 +1,280 @@
+from unittest import mock
+
+import botocore
+from botocore.exceptions import ClientError
+from moto import mock_aws
+
+from tests.providers.aws.utils import (
+    AWS_ACCOUNT_NUMBER,
+    AWS_REGION_EU_WEST_1,
+    AWS_REGION_US_EAST_1,
+    set_mocked_aws_provider,
+)
+
+make_api_call = botocore.client.BaseClient._make_api_call
+
+PROMPT_ARN = (
+    f"arn:aws:bedrock:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:prompt/test-prompt-id"
+)
+
+
+def mock_make_api_call_list_prompts_access_denied(self, operation_name, kwarg):
+    """Mock API call where ListPrompts fails with AccessDeniedException."""
+    if operation_name == "ListPrompts":
+        raise ClientError(
+            {
+                "Error": {
+                    "Code": "AccessDeniedException",
+                    "Message": "User is not authorized to perform: bedrock:ListPrompts",
+                }
+            },
+            operation_name,
+        )
+    return make_api_call(self, operation_name, kwarg)
+
+
+def mock_make_api_call_with_prompts(self, operation_name, kwarg):
+    """Mock API call that returns prompts."""
+    if operation_name == "ListPrompts":
+        return {
+            "promptSummaries": [
+                {
+                    "id": "test-prompt-id",
+                    "name": "test-prompt",
+                    "arn": PROMPT_ARN,
+                }
+            ]
+        }
+    return make_api_call(self, operation_name, kwarg)
+
+
+def mock_make_api_call_with_multiple_prompts(self, operation_name, kwarg):
+    """Mock API call that returns multiple prompts."""
+    if operation_name == "ListPrompts":
+        return {
+            "promptSummaries": [
+                {
+                    "id": "test-prompt-id-1",
+                    "name": "test-prompt-1",
+                    "arn": f"arn:aws:bedrock:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:prompt/test-prompt-id-1",
+                },
+                {
+                    "id": "test-prompt-id-2",
+                    "name": "test-prompt-2",
+                    "arn": f"arn:aws:bedrock:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:prompt/test-prompt-id-2",
+                },
+                {
+                    "id": "test-prompt-id-3",
+                    "name": "test-prompt-3",
+                    "arn": f"arn:aws:bedrock:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:prompt/test-prompt-id-3",
+                },
+            ]
+        }
+    return make_api_call(self, operation_name, kwarg)
+
+
+def mock_make_api_call_no_prompts(self, operation_name, kwarg):
+    """Mock API call that returns no prompts."""
+    if operation_name == "ListPrompts":
+        return {"promptSummaries": []}
+    return make_api_call(self, operation_name, kwarg)
+
+
+class Test_bedrock_prompt_management_exists:
+    @mock.patch(
+        "botocore.client.BaseClient._make_api_call",
+        new=mock_make_api_call_no_prompts,
+    )
+    @mock_aws
+    def test_no_prompts(self):
+        """Test FAIL when no prompts exist in the region."""
+        from prowler.providers.aws.services.bedrock.bedrock_service import BedrockAgent
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=aws_provider,
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists.bedrock_agent_client",
+                new=BedrockAgent(aws_provider),
+            ),
+        ):
+            from prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists import (
+                bedrock_prompt_management_exists,
+            )
+
+            check = bedrock_prompt_management_exists()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"No Bedrock Prompt Management prompts exist in region {AWS_REGION_US_EAST_1}."
+            )
+            assert result[0].resource_id == "prompt-management"
+            assert result[0].region == AWS_REGION_US_EAST_1
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:bedrock:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:prompt-management"
+            )
+
+    @mock.patch(
+        "botocore.client.BaseClient._make_api_call",
+        new=mock_make_api_call_with_prompts,
+    )
+    @mock_aws
+    def test_prompts_exist(self):
+        """Test PASS when prompts exist in the region."""
+        from prowler.providers.aws.services.bedrock.bedrock_service import BedrockAgent
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=aws_provider,
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists.bedrock_agent_client",
+                new=BedrockAgent(aws_provider),
+            ),
+        ):
+            from prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists import (
+                bedrock_prompt_management_exists,
+            )
+
+            check = bedrock_prompt_management_exists()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Bedrock Prompt Management prompt test-prompt exists in region {AWS_REGION_US_EAST_1}."
+            )
+            assert result[0].resource_id == "test-prompt-id"
+            assert result[0].region == AWS_REGION_US_EAST_1
+            assert result[0].resource_arn == PROMPT_ARN
+
+    @mock.patch(
+        "botocore.client.BaseClient._make_api_call",
+        new=mock_make_api_call_with_multiple_prompts,
+    )
+    @mock_aws
+    def test_multiple_prompts_exist(self):
+        """Test PASS with one finding per prompt when multiple prompts exist."""
+        from prowler.providers.aws.services.bedrock.bedrock_service import BedrockAgent
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=aws_provider,
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists.bedrock_agent_client",
+                new=BedrockAgent(aws_provider),
+            ),
+        ):
+            from prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists import (
+                bedrock_prompt_management_exists,
+            )
+
+            check = bedrock_prompt_management_exists()
+            result = check.execute()
+
+            assert len(result) == 3
+            for index, finding in enumerate(result, start=1):
+                expected_name = f"test-prompt-{index}"
+                expected_id = f"test-prompt-id-{index}"
+                assert finding.status == "PASS"
+                assert (
+                    finding.status_extended
+                    == f"Bedrock Prompt Management prompt {expected_name} exists in region {AWS_REGION_US_EAST_1}."
+                )
+                assert finding.resource_id == expected_id
+                assert finding.region == AWS_REGION_US_EAST_1
+                assert (
+                    finding.resource_arn
+                    == f"arn:aws:bedrock:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:prompt/{expected_id}"
+                )
+
+    @mock.patch(
+        "botocore.client.BaseClient._make_api_call",
+        new=mock_make_api_call_no_prompts,
+    )
+    @mock_aws
+    def test_no_prompts_multiple_regions(self):
+        """Test FAIL in multiple regions when no prompts exist."""
+        from prowler.providers.aws.services.bedrock.bedrock_service import BedrockAgent
+
+        aws_provider = set_mocked_aws_provider(
+            [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
+        )
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=aws_provider,
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists.bedrock_agent_client",
+                new=BedrockAgent(aws_provider),
+            ),
+        ):
+            from prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists import (
+                bedrock_prompt_management_exists,
+            )
+
+            check = bedrock_prompt_management_exists()
+            result = check.execute()
+
+            assert len(result) == 2
+            for finding in result:
+                assert finding.status == "FAIL"
+                assert (
+                    finding.status_extended
+                    == f"No Bedrock Prompt Management prompts exist in region {finding.region}."
+                )
+                assert finding.resource_id == "prompt-management"
+                assert (
+                    finding.resource_arn
+                    == f"arn:aws:bedrock:{finding.region}:{AWS_ACCOUNT_NUMBER}:prompt-management"
+                )
+            regions = {finding.region for finding in result}
+            assert regions == {AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1}
+
+    @mock.patch(
+        "botocore.client.BaseClient._make_api_call",
+        new=mock_make_api_call_list_prompts_access_denied,
+    )
+    @mock_aws
+    def test_list_prompts_client_error_skips_region(self):
+        """Test that regions where ListPrompts fails produce no findings."""
+        from prowler.providers.aws.services.bedrock.bedrock_service import BedrockAgent
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=aws_provider,
+            ),
+            mock.patch(
+                "prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists.bedrock_agent_client",
+                new=BedrockAgent(aws_provider),
+            ),
+        ):
+            from prowler.providers.aws.services.bedrock.bedrock_prompt_management_exists.bedrock_prompt_management_exists import (
+                bedrock_prompt_management_exists,
+            )
+
+            check = bedrock_prompt_management_exists()
+            result = check.execute()
+
+            assert result == []
diff --git a/tests/providers/aws/services/bedrock/bedrock_service_test.py b/tests/providers/aws/services/bedrock/bedrock_service_test.py
index ed39ac865b..5f7ddf0cf2 100644
--- a/tests/providers/aws/services/bedrock/bedrock_service_test.py
+++ b/tests/providers/aws/services/bedrock/bedrock_service_test.py
@@ -341,3 +341,125 @@ class TestBedrockAgentPagination:
         # Verify paginator was used
         regional_client.get_paginator.assert_called_once_with("list_agents")
         paginator.paginate.assert_called_once()
+
+
+class TestBedrockPromptPagination:
+    """Test suite for Bedrock Prompt pagination logic."""
+
+    def test_list_prompts_pagination(self):
+        """Test that list_prompts iterates through all pages."""
+        # Mock the audit_info
+        audit_info = MagicMock()
+        audit_info.audited_partition = "aws"
+        audit_info.audited_account = "123456789012"
+        audit_info.audit_resources = None
+
+        # Mock the regional client
+        regional_client = MagicMock()
+        regional_client.region = "us-east-1"
+
+        # Mock paginator
+        paginator = MagicMock()
+        page1 = {
+            "promptSummaries": [
+                {
+                    "id": "prompt-1",
+                    "name": "prompt-name-1",
+                    "arn": "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-1",
+                }
+            ]
+        }
+        page2 = {
+            "promptSummaries": [
+                {
+                    "id": "prompt-2",
+                    "name": "prompt-name-2",
+                    "arn": "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-2",
+                }
+            ]
+        }
+        paginator.paginate.return_value = [page1, page2]
+        regional_client.get_paginator.return_value = paginator
+
+        # Initialize service and inject mock client
+        bedrock_agent_service = BedrockAgent(audit_info)
+        bedrock_agent_service.regional_clients = {"us-east-1": regional_client}
+        bedrock_agent_service.prompts = {}  # Clear init side effects
+        bedrock_agent_service.prompt_scanned_regions = set()
+
+        # Run method
+        bedrock_agent_service._list_prompts(regional_client)
+
+        # Assertions
+        assert len(bedrock_agent_service.prompts) == 2
+        assert (
+            "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-1"
+            in bedrock_agent_service.prompts
+        )
+        assert (
+            "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-2"
+            in bedrock_agent_service.prompts
+        )
+        assert "us-east-1" in bedrock_agent_service.prompt_scanned_regions
+
+        # Verify paginator was used
+        regional_client.get_paginator.assert_called_once_with("list_prompts")
+        paginator.paginate.assert_called_once()
+
+    def test_list_prompts_ignores_audit_resources_filter(self):
+        """Prompt collection is region-scoped and must ignore audit_resources."""
+        audit_info = MagicMock()
+        audit_info.audited_partition = "aws"
+        audit_info.audited_account = "123456789012"
+        audit_info.audit_resources = ["arn:aws:s3:::unrelated-resource"]
+
+        regional_client = MagicMock()
+        regional_client.region = "us-east-1"
+
+        paginator = MagicMock()
+        paginator.paginate.return_value = [
+            {
+                "promptSummaries": [
+                    {
+                        "id": "prompt-1",
+                        "name": "prompt-name-1",
+                        "arn": "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-1",
+                    }
+                ]
+            }
+        ]
+        regional_client.get_paginator.return_value = paginator
+
+        bedrock_agent_service = BedrockAgent(audit_info)
+        bedrock_agent_service.regional_clients = {"us-east-1": regional_client}
+        bedrock_agent_service.prompts = {}
+        bedrock_agent_service.prompt_scanned_regions = set()
+
+        bedrock_agent_service._list_prompts(regional_client)
+
+        assert len(bedrock_agent_service.prompts) == 1
+        assert "us-east-1" in bedrock_agent_service.prompt_scanned_regions
+
+    def test_list_prompts_error_does_not_mark_region_scanned(self):
+        """If ListPrompts raises, the region must not be added to prompt_scanned_regions."""
+        audit_info = MagicMock()
+        audit_info.audited_partition = "aws"
+        audit_info.audited_account = "123456789012"
+        audit_info.audit_resources = None
+
+        regional_client = MagicMock()
+        regional_client.region = "us-east-1"
+
+        paginator = MagicMock()
+        paginator.paginate.side_effect = Exception("ListPrompts failed")
+        regional_client.get_paginator.return_value = paginator
+
+        bedrock_agent_service = BedrockAgent(audit_info)
+        bedrock_agent_service.regional_clients = {"us-east-1": regional_client}
+        bedrock_agent_service.prompts = {}
+        bedrock_agent_service.prompt_scanned_regions = set()
+
+        bedrock_agent_service._list_prompts(regional_client)
+
+        assert bedrock_agent_service.prompts == {}
+        assert bedrock_agent_service.prompt_scanned_regions == set()

From 652cb69216438e4357df88edd2a29a830535ae20 Mon Sep 17 00:00:00 2001
From: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
Date: Mon, 4 May 2026 12:59:06 +0100
Subject: [PATCH 12/29] fix(ui): compliance card layout polish (#10939)

---
 ui/CHANGELOG.md                              |  3 +-
 ui/components/compliance/compliance-card.tsx | 80 ++++++++++----------
 ui/components/icons/compliance/iso-27001.svg |  6 +-
 3 files changed, 46 insertions(+), 43 deletions(-)

diff --git a/ui/CHANGELOG.md b/ui/CHANGELOG.md
index 49ec9a26bd..4b63c9cd84 100644
--- a/ui/CHANGELOG.md
+++ b/ui/CHANGELOG.md
@@ -2,10 +2,11 @@
 
 All notable changes to the **Prowler UI** are documented in this file.
 
-## [1.26.0] (Prowler UNRELEASED)
+## [1.25.2] (Prowler UNRELEASED)
 
 ### 🔄 Changed
 
+- Compliance cards: progress bar now spans the full card width, the passing-requirements caption sits beside the framework logo under the title, and the ISO 27001 logo asset is recentered within its tile [(#10939)](https://github.com/prowler-cloud/prowler/pull/10939)
 - Findings expanded resource rows now drop the redundant cube icons, render Service and Region with the same compact label style as Last seen and Failing for, and reorder columns to Status, Resource, Provider, Severity, then field labels [(#10949)](https://github.com/prowler-cloud/prowler/pull/10949)
 
 ---
diff --git a/ui/components/compliance/compliance-card.tsx b/ui/components/compliance/compliance-card.tsx
index c94b7ef63e..98d3949016 100644
--- a/ui/components/compliance/compliance-card.tsx
+++ b/ui/components/compliance/compliance-card.tsx
@@ -119,49 +119,33 @@ export const ComplianceCard: React.FC<ComplianceCardProps> = ({
         />
       </div>
       <CardContent className="p-0">
-        <div className="flex w-full flex-col gap-3 sm:flex-row sm:items-start">
-          <div className="flex shrink-0 items-center sm:flex-col sm:items-start sm:gap-2">
+        <div className="flex w-full flex-col gap-3">
+          <div className="flex items-center gap-3 pr-9">
             {getComplianceIcon(title) && (
-              <Image
-                src={getComplianceIcon(title)}
-                alt={`${title} logo`}
-                className="h-10 w-10 min-w-10 self-start rounded-md border border-gray-300 bg-white object-contain p-1"
-              />
+              <div className="flex h-10 w-10 min-w-10 shrink-0 items-center justify-center rounded-md border border-gray-300 bg-white">
+                <Image
+                  src={getComplianceIcon(title)}
+                  alt={`${title} logo`}
+                  width={32}
+                  height={32}
+                  className="h-8 w-8 object-contain"
+                />
+              </div>
             )}
-          </div>
-          <div className="flex w-full min-w-0 flex-col gap-3">
-            <Tooltip>
-              <TooltipTrigger asChild>
-                <h4 className="text-small truncate pr-9 leading-5 font-bold">
+            <div className="flex min-w-0 flex-1 flex-col">
+              <Tooltip>
+                <TooltipTrigger asChild>
+                  <h4 className="text-small truncate leading-5 font-bold">
+                    {formatTitle(title)}
+                    {version ? ` - ${version}` : ""}
+                  </h4>
+                </TooltipTrigger>
+                <TooltipContent>
                   {formatTitle(title)}
                   {version ? ` - ${version}` : ""}
-                </h4>
-              </TooltipTrigger>
-              <TooltipContent>
-                {formatTitle(title)}
-                {version ? ` - ${version}` : ""}
-              </TooltipContent>
-            </Tooltip>
-            <div className="flex flex-col gap-2">
-              <div className="flex items-center justify-between gap-3 text-xs">
-                <span className="text-text-neutral-secondary font-medium tracking-wider">
-                  Score:
-                </span>
-                <span className="text-text-neutral-secondary">
-                  {ratingPercentage}%
-                </span>
-              </div>
-              <Progress
-                aria-label="Compliance score"
-                value={ratingPercentage}
-                className="border-border-neutral-secondary h-2.5 border drop-shadow-sm"
-                indicatorClassName={getScoreIndicatorClass(
-                  getRatingVariant(ratingPercentage),
-                )}
-              />
-            </div>
-            <div className="flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between">
-              <small className="min-w-0">
+                </TooltipContent>
+              </Tooltip>
+              <small className="truncate">
                 <span className="mr-1 text-xs font-semibold">
                   {passingRequirements} / {totalRequirements}
                 </span>
@@ -169,6 +153,24 @@ export const ComplianceCard: React.FC<ComplianceCardProps> = ({
               </small>
             </div>
           </div>
+          <div className="flex flex-col gap-2">
+            <div className="flex items-center justify-between gap-3 text-xs">
+              <span className="text-text-neutral-secondary font-medium tracking-wider">
+                Score:
+              </span>
+              <span className="text-text-neutral-secondary">
+                {ratingPercentage}%
+              </span>
+            </div>
+            <Progress
+              aria-label="Compliance score"
+              value={ratingPercentage}
+              className="border-border-neutral-secondary h-2.5 border drop-shadow-sm"
+              indicatorClassName={getScoreIndicatorClass(
+                getRatingVariant(ratingPercentage),
+              )}
+            />
+          </div>
         </div>
       </CardContent>
     </Card>
diff --git a/ui/components/icons/compliance/iso-27001.svg b/ui/components/icons/compliance/iso-27001.svg
index 109c19521d..b79f970b42 100644
--- a/ui/components/icons/compliance/iso-27001.svg
+++ b/ui/components/icons/compliance/iso-27001.svg
@@ -1,8 +1,8 @@
-<svg width="41" height="45" viewBox="0 0 41 45" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<rect x="0.666626" width="40" height="44.8" fill="url(#pattern0)"/>
+<svg width="40" height="45" viewBox="0 0 40 45" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<rect x="0" width="40" height="44.8" fill="url(#pattern0)"/>
 <defs>
 <pattern id="pattern0" patternContentUnits="objectBoundingBox" width="1" height="1">
-<use xlink:href="#image0_407_5949" transform="matrix(0.00233051 0 0 0.00208081 -0.237112 0.0838373)"/>
+<use xlink:href="#image0_407_5949" transform="matrix(0.00233051 0 0 0.00208081 -0.2575 0.0838373)"/>
 </pattern>
 <image id="image0_407_5949" width="650" height="400" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAooAAAGQCAIAAACms9a7AAAMPmlDQ1BJQ0MgUHJvZmlsZQAASImVVwdYU8kWnluSkEBoAQSkhN4EkRpASggt9N5shCRAKDEGgoodXVRw7SICNnRVRMFKsyN2FsXeFwsqyrpYsCtvUkDXfeV7831z57//nPnPmXNn7r0DgNpxjkiUi6oDkCcsEMcG+9OTU1LppKcABxggAy1gzuHmi5jR0eEAlqH27+XddYBI2yv2Uq1/9v/XosHj53MBQKIhTuflc/MgPgAAXs0ViQsAIEp5s6kFIimGFWiJYYAQL5LiTDmuluJ0Od4js4mPZUHcDoCSCocjzgRA9RLk6YXcTKih2g+xo5AnEAKgRofYJy9vMg/iNIitoY0IYqk+I/0Hncy/aaYPa3I4mcNYPhdZUQoQ5ItyOdP/z3T875KXKxnyYQmrSpY4JFY6Z5i3mzmTw6RYBeI+YXpkFMSaEH8Q8GT2EKOULElIgtweNeDms2DOgA7EjjxOQBjEBhAHCXMjwxV8eoYgiA0xXCHoNEEBOx5iXYgX8fMD4xQ2m8STYxW+0MYMMYup4M9yxDK/Ul/3JTkJTIX+6yw+W6GPqRZlxSdBTIHYvFCQGAmxKsQO+TlxYQqbsUVZrMghG7EkVhq/OcSxfGGwv1wfK8wQB8Uq7Evz8ofmi23KErAjFXhfQVZ8iDw/WDuXI4sfzgW7xBcyE4Z0+PnJ4UNz4fEDAuVzx57xhQlxCp0PogL/WPlYnCLKjVbY46b83GApbwqxS35hnGIsnlgAF6RcH88QFUTHy+PEi7I5odHyePDlIBywQACgAwms6WAyyAaCzr6mPngn7wkCHCAGmYAP7BXM0IgkWY8QXuNAEfgTIj7IHx7nL+vlg0LIfx1m5Vd7kCHrLZSNyAFPIM4DYSAX3ktko4TD3hLBY8gI/uGdAysXxpsLq7T/3/ND7HeGCZlwBSMZ8khXG7IkBhIDiCHEIKINro/74F54OLz6weqEM3CPoXl8tyc8IXQRHhKuEboJtyYJisU/RRkBuqF+kCIX6T/mAreEmq64P+4N1aEyroPrA3vcBfph4r7QsytkWYq4pVmh/6T9txn88DQUdmRHMkoeQfYjW/88UtVW1XVYRZrrH/MjjzV9ON+s4Z6f/bN+yD4PtmE/W2KLsP3YGewEdg47jDUBOnYMa8Y6sCNSPLy6HstW15C3WFk8OVBH8A9/Q09Wmsl8xzrHXscv8r4C/jTpOxqwJoumiwWZWQV0Jvwi8OlsIddhFN3J0ckZAOn3Rf76ehMj+24gOh3fufl/AOB9bHBw8NB3LvQYAHvd4fZv+c5ZM+CnQxmAsy1cibhQzuHSCwG+JdTgTtMDRsAMWMP5OAE34AX8QCAIBVEgHqSAiTD6LLjOxWAqmAnmgRJQBpaDNaASbARbwA6wG+wDTeAwOAFOgwvgErgG7sDV0wNegH7wDnxGEISEUBEaoocYIxaIHeKEMBAfJBAJR2KRFCQNyUSEiASZicxHypCVSCWyGalF9iItyAnkHNKF3EIeIL3Ia+QTiqEqqBZqiFqio1EGykTD0Hh0ApqJTkGL0AXoUrQCrUF3oY3oCfQCeg3tRl+gAxjAlDEdzASzxxgYC4vCUrEMTIzNxkqxcqwGq8da4XO+gnVjfdhHnIjTcDpuD1dwCJ6Ac/Ep+Gx8CV6J78Ab8Xb8Cv4A78e/EagEA4IdwZPAJiQTMglTCSWEcsI2wkHCKbiXegjviESiDtGK6A73YgoxmziDuIS4nthAPE7sIj4iDpBIJD2SHcmbFEXikApIJaR1pF2kY6TLpB7SByVlJWMlJ6UgpVQloVKxUrnSTqWjSpeVnip9JquTLcie5CgyjzydvIy8ldxKvkjuIX+maFCsKN6UeEo2ZR6lglJPOUW5S3mjrKxsquyhHKMsUJ6rXKG8R/ms8gPljyqaKrYqLJXxKhKVpSrbVY6r3FJ5Q6VSLal+1FRqAXUptZZ6knqf+kGVpuqgylblqc5RrVJtVL2s+lKNrGahxlSbqFakVq62X+2iWp86Wd1SnaXOUZ+tXqXeon5DfUCDpjFGI0ojT2OJxk6NcxrPNEmalpqBmjzNBZpbNE9qPqJhNDMai8alzadtpZ2i9WgRtay02FrZWmVau7U6tfq1NbVdtBO1p2lXaR/R7tbBdCx12Dq5Ost09ulc1/k0wnAEcwR/xOIR9SMuj3ivO1LXT5evW6rboHtN95MeXS9QL0dvhV6T3j19XN9WP0Z/qv4G/VP6fSO1RnqN5I4sHblv5G0D1MDWINZghsEWgw6DAUMjw2BDkeE6w5OGfUY6Rn5G2UarjY4a9RrTjH2MBcarjY8ZP6dr05n0XHoFvZ3eb2JgEmIiMdls0mny2dTKNMG02LTB9J4ZxYxhlmG22qzNrN/c2DzCfKZ5nfltC7IFwyLLYq3FGYv3llaWSZYLLZssn1npWrGtiqzqrO5aU619radY11hftSHaMGxybNbbXLJFbV1ts2yrbC/aoXZudgK79XZdowijPEYJR9WMumGvYs+0L7Svs3/goOMQ7lDs0OTwcrT56NTRK0afGf3N0dUx13Gr450xmmNCxxSPaR3z2snWietU5XTVmeoc5DzHudn5lYudC99lg8tNV5prhOtC1zbXr27ubmK3erded3P3NPdq9xsMLUY0YwnjrAfBw99jjsdhj4+ebp4Fnvs8//Ky98rx2un1bKzVWP7YrWMfeZt6c7w3e3f70H3SfDb5dPua+HJ8a3wf+pn58fy2+T1l2jCzmbuYL/0d/cX+B/3fszxZs1jHA7CA4IDSgM5AzcCEwMrA+0GmQZlBdUH9wa7BM4KPhxBCwkJWhNxgG7K57Fp2f6h76KzQ9jCVsLiwyrCH4bbh4vDWCDQiNGJVxN1Ii0hhZFMUiGJHrYq6F20VPSX6UAwxJjqmKuZJ7JjYmbFn4mhxk+J2xr2L949fFn8nwTpBktCWqJY4PrE28X1SQNLKpO7k0cmzki+k6KcIUppTSamJqdtSB8YFjlszrme86/iS8dcnWE2YNuHcRP2JuROPTFKbxJm0P42QlpS2M+0LJ4pTwxlIZ6dXp/dzWdy13Bc8P95qXi/fm7+S/zTDO2NlxrNM78xVmb1ZvlnlWX0ClqBS8Co7JHtj9vucqJztOYO5SbkNeUp5aXktQk1hjrB9stHkaZO7RHaiElH3FM8pa6b0i8PE2/KR/An5zQVa8Ee+Q2It+UXyoNCnsKrww9TEqfunaUwTTuuYbjt98fSnRUFFv83AZ3BntM00mTlv5oNZzFmbZyOz02e3zTGbs2BOz9zguTvmUeblzPu92LF4ZfHb+UnzWxcYLpi74NEvwb/UlaiWiEtuLPRauHERvkiwqHOx8+J1i7+V8krPlzmWlZd9WcJdcv7XMb9W/Dq4NGNp5zK3ZRuWE5cLl19f4btix0qNlUUrH62KWNW4mr66dPXbNZPWnCt3Kd+4lrJWsra7IryieZ35uuXrvlRmVV6r8q9qqDaoXlz9fj1v/eUNfhvqNxpuLNv4aZNg083NwZsbayxryrcQtxRuebI1ceuZ3xi/1W7T31a27et24fbuHbE72mvda2t3GuxcVofWSep6d43fdWl3wO7mevv6zQ06DWV7wB7Jnud70/Ze3xe2r20/Y3/9AYsD1QdpB0sbkcbpjf1NWU3dzSnNXS2hLW2tXq0HDzkc2n7Y5HDVEe0jy45Sji44Onis6NjAcdHxvhOZJx61TWq7czL55NX2mPbOU2Gnzp4OOn3yDPPMsbPeZw+f8zzXcp5xvumC24XGDteOg7+7/n6w062z8aL7xeZLHpdau8Z2Hb3se/nElYArp6+yr164Fnmt63rC9Zs3xt/ovsm7+exW7q1Xtwtvf74z9y7hbuk99Xvl9w3u1/xh80dDt1v3kQcBDzoexj2884j76MXj/MdfehY8oT4pf2r8tPaZ07PDvUG9l56Pe97zQvTic1/Jnxp/Vr+0fnngL7+/OvqT+3teiV8Nvl7yRu/N9rcub9sGogfuv8t79/l96Qe9Dzs+Mj6e+ZT06ennqV9IXyq+2nxt/Rb27e5g3uCgiCPmyH4FMFjRjAwAXm8HgJoCAA2ezyjj5Oc/WUHkZ1YZAv8Jy8+IsuIGQD38f4/pg383NwDYsxUev6C+2ngAoqkAxHsA1Nl5uA6d1WTnSmkhwnPApuiv6Xnp4N8U+Znzh7h/boFU1QX83P4L2JB8Uu+mibsAAAA4ZVhJZk1NACoAAAAIAAGHaQAEAAAAAQAAABoAAAAAAAKgAgAEAAAAAQAAAoqgAwAEAAAAAQAAAZAAAAAA9wLWsAAAQABJREFUeAHsvQd4HNd5LjyzvRfsAlj03tib2ERRIimqi1az3CTbclzlJE58S26eP/fGqb9TrhOn2E4sx7IsWcVqVqVIiZLYewVAEL0Du9jey+zMfc8MsATBRSUpgcQZQbuzM2dO+c7wvOfrrCAIDD0oBSgFKAUoBSgFKAXmEwVk86kztC+UApQClAKUApQClAKEAhSe6XtAKUApQClAKUApMO8oQOF53k0J7RClAKUApQClAKUAhWf6DlAKUApQClAKUArMOwpQeJ53U0I7RClAKUApQClAKUDhmb4DlAKUApQClAKUAvOOAhSe592U0A5RClAKUApQClAKUHim7wClAKUApQClAKXAvKMAhed5NyW0Q5QClAKUApQClAIUnuk7QClAKUApQClAKTDvKEDhed5NCe0QpQClAKUApQClAIVn+g5QClAKUApQClAKzDsKUHied1NCO0QpQClAKUApQClA4Zm+A5QClAKUApQClALzjgIUnufdlNAOUQpQClAKUApQClB4pu8ApQClAKUApQClwLyjgGLe9Yh2iFKAUmByCggCzwtMmidfOLg0+cQV/I0/ZCwjx/8Mo1TIWJbFOcsyMpl4aXw5ek4pQCkwXylA4Xm+zgztF6UAwwB5kxwwmI/GU+FIQpDJool0OBQNRPAzGU1wzgiXSvEcx19OLa1WoVHJ87RyvU6p1yo1OrXVqFEwvFqlMOjUuKWQy/B3+YP0CqUApcB8oACF5/kwC7QPC5QC4HjTaT6RSsfjqVSaj8SS4WjSF0rEEmmnO+KPJP2R1IA3HomnOV5IyuV8gktyfJphUgyb4oUExweSvJxlUywr43leNoq1SkEAU43rIKtZJdMqyXUlI2hZgZHLNQoWHLVKwVoNqlyTKseIP7XVpNZplRajxqBVqVVynUYJFFfIwXZT/F6gLycd9qdOARaSsU+9E7QDlAILigLxJOfyx/qG/G09/qb+0FAgEYmlfdFUTGC9ibRAOFr8qyTgygkCkFckjvTvFBfJCf7ZEmk1OUaviOcXP8TngcaCVOjijUvO8M+fV4yVAKIbZTKjnDEqZTk6hV4jr3Ho68ssJcWWYpuecN6U1b6EevQHpcC1pQCF52tLX1r7gqUAkC/NMxJnHIwkfKH4kDsyOBJp7gudGox2hyGx5hkZK2eIZlgC3flDK6A79u1gyNGldFowq9ilVvXyUkNFoakwV59r1ZkN6oyEHBz26FZh/gyA9oRS4PqnAIXn638O6QjmBwUAt7DYgrA6xRF5tcsbae3zH7rgbekNusKpMM+EgMQE9VjJQEticOcbMGelJekq0JrBdgIjSFsZ1qaT5+oUa2ssS+vyKvMNZqNGqZDDDA1IrYRUfZTjz1oZvUgpQCkwIwpQeJ4RmWghSoHJKCDZbRH+OBj3BGLgj7uHw6e7g4fcCQLFLHOjyoSB2ek0/tJ5WsXaEv3yIn1JvjEvR5tj1gKtTToVrM8oTk/22tDrlALTUoDC87QkogUoBS6hAEA3lU7HExysqWHMNeKLtvUF9jaONLsTnlg6ApsscMdjmuFLnrxhfxChAHhruSDkKFmDSn5btemmenupw2TSqw0wGtcoAdXUyuyGnX86sGtDAQrP14autNYblAL+cGJoJDQ0EnbDtmsk0jIQPjYc9yTTogp5zMjqBh37jIfFcmCrGabKoLyp1FCVr3PkaB12fYHdmG/TwyCckmnGlKQFFzQFKDwv6Omng58JBWBo7Q/FIbsGKncOhU62eo4OxcIpIQbR7TWHGjQAKXKWIxOHRDLgQglWuPjf2ANQBpPTS/s5aZ2T2YGP1TaXbwj/9SxbblatLzcsrbAW5RHLMqtJC+Myyk/PhaD0mQVDAQrPC2aq6UBnTwHwyi1dI5BdD7mjvf5E42C0K5pmEa5Ldk2AWQZHKOIyBZW1XE5OGY5heLCixIiaSfEAYMKVSodSScyqFaxSoWAzUUnUchb+UfipEFEZJ1w6iWKplAy1yOVkNyGwcjhCy0QvKXCyQG74N6fRJCNGIhPVxTwpeDUPEteM540K+RKLoq5AZzOpC226FfV5lUXWG1U3fzXJR+takBSg8Lwgp50OenIKwAA7EE70DQe6BgKtfcHjnYEWf8rH8dCdXm3MGq2PiIJh8i0yydBra5Qqu0ZhUskK9IoCg8Jsllk1Wp2B0SmVrADzaF6p0qL7Jo0cn0SnO+aOjA5CdMwBkDNwzTDJFH4mEwkhKcjS4GQR1QSBULhUKJmIRVh/OOmMpvsCySAn+MJcKIkgoYwMEUPh8SVnwXpfPmZixT059WZyBzUo0zwsvbeV6haXmWpLLGWFJofdqFMrqYPWTAhIyywQClB4XiATTYc5IwoMjoQ+ONZ78oLLGeIHo+n+GJATYJRdvDyjGkcLEUQDb5yJ0hdNpmNxxOMk3LDDps03qlYWGeoLDeUFxrIcrc2slSvA34KRlkkwSXyVRKjEh2R2hk+A2XiPY/EnCb4NtjtzgNXHOYnTjQ5I5+JdgLTE0ZLw3bjBCzBz6/PG4Jzd1B9s7AkNhJL9oWg8TnouUyiMakQAxSn5eZGFx4+5H5AF8DqFrM6ksBsUDrNq86qi9YsLjDrV3KukT1IK3EAUoPB8A00mHcqcKACc8gbjLV3uEy0jBy/4ekLccIog2OWM4wyrx8PA0AyoAwVTnABvaFaRVshVq/IVtRZlRYmxzG61GNWwbbaaNPgEEwz2FxgMxCX8MFyHRb+sGTZ6JcXEDiPNBvHbzmTaSKSS3kACgoRwLObyRtuGgi0DycaRhCvGgQVHeg2lElG7M8OUPLrn2AuQCJKBYiW7KF+7YXHuitrcymKrXqOcY3X0MUqBG4ICFJ5viGmkg5gTBcAzOr3R1z9qf2HfwACH5E7yGGE9oeOdu5AVjChUyDDISnJMNJGKxzmjUbbIZthQa11fn7u+zmY16sYBv0xC8jl1/5N4SOK3pZYAoslEvKkv9NGZ4ZO9oVMd3uEY0X+D3yVabeTIulLGmoA9YdFT6WqT8k8+W71xWbkKWwDCsdODUmDBUYDC84KbcjpgSbvc2uM5cHZ493l/oy8BYBbJIop9Z0UgwngS9JCJjr/Q+xqUbKGWKzEZl5RrlpTnFdgNNovObtFpVApAHcpKbVx3iIPxQb4u7l1EqzOB9wSjbn9ixBtpH3I3d8cvDEYGo5w3JaRFgmCg4iZHGuhcCAti3uLQ3r3GcdNiR5nDpFJSz+lZvZq08HVPAQrP1/0U0gHMkAKAlngyHYwmz3e6n9rVuacvplRIBtj4VwDsmSViAmvBKbOCVibP08jsSl6nkpXalbVVhatqc+tLLAvNINkdCJ9q9Rxv8/YPjnjD6WBKNhATAmI6apBqnMBgRtNFtj2kINFPI9fWl1bYPru1qijPpFUr4DgtWpfPqB5aiFLg+qUAhefrd+5oz2dKAaBvKJoacIVOXXDtP+fa2QvvqFkDhtgYIAOYDCchQStnHGrFojy2ttRYWWgpd9igQs7L0UMYS1hMwlSLXOZM+3h9l8twx/Ce8oUTgSCCm4Zbun29rshZV6jLw4fTMD6D89Ys90BjVElzQpVefnu9ee2ivNoyGwlvgr3VHCsbq5R+UwrMbwpQeJ7f80N7d2UUgKMQjJvcvujx884fv987GEsjmfHsqyR2T8SbmGFyDYrFMOzKk+fadcW5tsXItwib41HZ+OwrvqGfwDYFAvDGnkBfv2d4xN/rYZq9iZ5QCjkzs7psTU4MCYcF+IVha/RAnfmh9cUVRWZoDYw6+GItoG3Q5CSid25AClB4vgEnlQ4JFMBSjhyOsMc+2+b+uNl70pfkiOp31gwXeD4EBjEwfKVVvaHOsLwyx5FjhkbZbNAYtApiXz0qhqVUn0gBIkUQ6QPfa6QMQb6QIbe/vTd8oM3fOBwdjnAKJLcijmITH5z6N2bELGO2VRpvqs1ZWm2vLrHS3BtTU4zevU4pQOH5Op042u1JKQBgdvujHf2+0xdG3jvrOetPio5Kk5bPekNCZY2MXVGoW1euLsk1ljmshfnmIruehqLMSrFpL0oC8EAoNjASRtSXPmfkTF9oT2c4mErDfl0+y1DcRJyRFm4vMzxwk6OqxAoZhllPOelpJ4EWuJ4oQOH5epot2tepKQB2DaLs062uo00uRPtq9HMxovCc+qHMXVKOmCazLJfiChXp5RU5d67IqS3JRYxovVYFXpnKUTPEmtuJhNAgNMKYxxMp8NPDnsiHZ3oPXQi3BrgU0dcTM7KZV47pdSjZtUW65VXWdYvza0pzqE565tSjJec5BSg8z/MJot2bKQUgPj3T6pRCixx1g2OeKSyLDZCI04jkhQgim0osO1bYEAu6OM+E1MUUlWc6AbMvh71Qmmc8wZjLE0EI1ZNtnreafaJ9AKKrSbbbGZuzqWoHJ21RyG4p1m1YZF9Zl1dRZIEb21QP0HuUAtcDBSg8Xw+zRPs4JQUSqXTXoP+5nRcaB6JdYS5AlMxTPjDuJuzEYG0US6XNLH9zif6RW8tW1DnAK8OCDH62qGfGNY2r9Lo6FeUFs2BYr8Xg4IkO/XQswXUOB/cc7n2vebAjqFAoZWJEVTQ4I5DGVBZr5eUmxbYV+dvXlUHmQdUQ12KyaJ2fGAUoPH9ipKYNXX0KYFlv7fHuOdb7fqP3XCCZEmbhLoXVHFrqcJyryNE8sTHn5kUlZQVmrUZF8hHPopqrP6hPskbJgA4tWo0ayVEbaE3imX4auxKAMCKBA6Rd3nBzt/Ofd/afGY5q1AqllH5rZnSRxN2rHZptqwq2ry9HtNSZPUdLUQrMOwpQeJ53U0I7NBMKAEWgZn7nQNcvP+rriqU5Eo8LkDJTNgtBtZOp+CKz7OH1hQ/d0gBOS4x1PZOWb6gyHn/0hV0tv9g/nJ+jLjGr8mzax7dWVxeaPl2+k8wigpSnhV0n+1/+qPtIdyAsEzF6xpsGSShSqxL+5usrF1flqZW4QA9KgeuMAhSer7MJo90FMIdj3OkLw8/s7ny/PzJjSyIC3uIiLei59KYK9f0bKyHHhnaZRPQkPlcLkbTDnvDPXmv8xUk3jLKgEwgGY3v/bOPy2vxPF54xEyITD5c1WTSeau/1vHm44/2zwYE4z8tkM85FjcWNNzDMF1fZH9pSVV1sxaAW5iwvxDf7hhgzNaC4IaZxYQwCSmIkmegdCrxzsPsf9g6r1STDEzitmQArVmoIrRfpZHWF6m2rSzcuL7lE7DmTKm5EIieS6cEQdAIwpBNgS2fQq82GeSENzhjJI2/V8lpHfUXuPWtde052NXbHz3uSLiTinN7AmwT9xvbtZ8fce1t839hefvOKIuzGaAyZG/FFvjHHRLnnG3Neb7xRIf4Xgn/tP9X/+uHBg67EzAyzCceMQ8sKNTr56irt7TdVNlTYrUb1wtEuT/0m9LuCz7zT0jkUCiaEeIJLqZVPf299nkWbQUfp8Ys6g08vXik2WNFEus8ZPNTU8/FpP0DameBn9hqQl8AkY++sMuzYVLa0OteI9J3IKUYPSoH5TQEKz/N7fmjvCMAy7kC0o8/7yr7e55t8MzcUEuAnxQib85XLqgyr6/LXLi6lKYQnvFBk0xOIe0NI6pyMRxOJFL95ZfGEIFzARVwPx1PJBIegmogrDnXApyhugKF+c6/39IW+5o7IW+3BcEpA9LEJ48r6E++DScH+wa2FG5cXlhda6MuQlUr04vyhAIXn+TMXtCdZKID4Fb3Dgd2He948OXI+ys8s8RFROip5YblVfstS87qGkuoymw0cM47rxyQbQxiV34oM64SeS55IsFLGkUhyMLrWa5USR4gHcR1+SuSeeCDANfBUIh1uYbuDQ45IXVKCSLGMxC6jWhJkc5zcGN7k7X3eEX+8zxnuGQ4tqrE/cHOFRq38FOFZYuUR1WRwJHTwbP/HZ0aOOpNBTpgJJ43hIyDoukLtAxuL1y4pzDFpKBstzj/9mI8UoPA8H2eF9kmiAAyXzrW53jk6+FprYNrAnFi1gRlgo8Bd1ZrSdy/LBce8tDrfapy//q9SnydMN+ATvCy07OBZY8k0y6fzrDqzUZtBRDzlgw3Xid5kigc/G4mlyguM65cVG3UqVIXHQ9HEnqPduIsMyYBhh12/qDIXHkr9I2GPL4Ly4I9vWuQAbMPILsGljVq4k8kvN5uC21VTh+tPnmlsDSSjSYQeTz/39WW3rS6dPykdQ9FkZ7/3bLtrb6N3d3eEeIRNz9izkAEUa2RfXJO7doljZZ1joaX+nPC+0Z/zlgLUNGzeTs2C7hiY5rZe7wfH+vY0eZtD3LTYDGIRxyohbWO47UtN29aWNpTnE6tsgM44XvBTpynhidHVcV26HKHBwu4/3X+q1Z3k+ECUU7DCV++tJxZbY08Bp8Ec/8O73a4oh8yYyKT1vY15K+odEjwzDHHm/q9dXW3RtBI8c4r78sYCi0nbNxT48ORQtzseTvJVedqV9QVIpXyifeR007DNrDHoVTq1Yt1ih8WoRSfhtKZUKuCFDLV0kzeuULBaNWtWqCsKTfMHm0FJg061pBphwqzLqn2rzw2/c2rkvD/JQa+c2ctkmXIBEoLBBA/rwtva/fesCWxeXZKfoxs/KVkeopcoBT5xClB4/sRJThuckgKSpvlo4+DOo4Mf90ZCgK9pDrISwzUqkozdlq/52l1LpXzA8yes43gAhqK3xxUKh+IpngFjm2PWVDlMsFTCEDKAAt6u3xn60f4hrUoO7blDKXs4koBUdjxbqFLKNSpZLMKQnE+C4I2lAaUT6BRnZAg5znHMcCC561j//saRo64Esk8gFprDpkHheDLd2OX74Z4BCMb1MqbQoHyq0gZ4Rm7s/3ytUa+RmwzqI+0+UfzLQmS+wqGFufu8gjEQDd1DrwDSRfmGtYvzYd39wvGAM8krCEjj/qQvEPjsD4cTJ9/pfmw4vHllAbzs5s87M2Eq6c+FSQEKzwtz3ufpqCFN7Rny7zzY/eZZb2+Yi026tF7sP8sjfgWfp0h//87iHRvrbCTwF1jm+WKXS0YgEBk1TI73nhps6gkMeOORFNCUQcxQs1qxuFh/98Yy2JNL3UZ5GcNDJ4r8G7B4kgtCUsRRZDqGmDpzgP/L0SlYb0K8IgSiKZAuc5ecoHaGwzcqOdgdYrpDQ7E0sn3Ahhnl9ESowHA83+uMyBQyXAnyQuFYtLDmXt+/HBi265V6BetLjup0ITb2J/iWbg98sXRapU6j1KlFg6z5oc4HSNvMBpNeW1pgXFI+/MaB/j290TiPzoNqk75GIGNQYJ496W7uDz3gjmxeXQqr/vnz8lwyofTHwqMAheeFN+fzdcTQGR862//Snq6jQzHPRcOmSbsLcEAO5xSf+O6GvEdvqy+wG0kCZhzzBptJZwTeE0q8u7/t3eMjjd5kiGcEjgcLC70vVKBA0JMjiTO94ScfatjQ4FArSXkkV9So5RzECEQMDtm1ACU0Mfcaf7CyfKuWQVQW8XCGAfhAXpFdJAAvIDymdAsIRIBZgN9UusSqLjIS/bROh5YYLpXuD6XQEXDugGiHSUnOGebDU0P+SBKB2ETPcqkaBk7ErZ7ED3/bgm0Bnl5Ta3v0joazXe4VFTkZvTiB/k8PrdF1yBJsJt2WmyrACm872/PfX+uG3ZwOQggyiOycNK5CQrPfmeh+r6e1L/jw1qqq4pzRMdMvSoFPlQIUnj9V8tPGxyjgD8Ve/7D9H9/vi1xuoTRWJvMNYAYURVLx7YX6L21vEH2BkOs3c39enKCHvMCP+KLPvH3+v46NcDImDV6OS6/K0xSZ5R0e7rQvJVfIwP8e8ya+/9SZ5/5YXV+eI7JuvEIhB9xiGIBcsMWJBMD6EnhGQBaLPvOPl4U6GQe0ziIDLEPmrVCaoBHQXSAaeaHeoPjGg9VQyRt0RJAOXhs1gA/2hST+G11lSsxKGH8DYu9aV1zu0DudoaNt/sMjCaKqxcEy0HS3hBkmmmY4Yf0ieTSW+Ltnzgga1c211q0rC6oKTRajRq0ax+OTxz7RQ2J8sctx2AwP3Nqwpr7456+ffPZcNC2TqWRIFTppZ4DfPbH0z4+6DrUHvveZmvVLi6ige1Ji0RufFAUy/8I/qQZpO5QCl1IAllDdg/6/eub0gcFYauqoi0AossKyCp43s6lv319297paMVy2dP3Seq/lr1GoFO28SIeyBS/DdiEa43Yf6Xnh+EhCRqTK5jT3499btqreAddtpDp+dW/Xj/b0A6GBqa4Eh8Qe5YVmrZrAm0KlSI15RvHJdApi6EvQGcw3a9ESDlg63FHikSyJDaSCyXGy7ny17L89UHPLqlK1EvQlACxXyQHnsA/3+ROQoqMS4L/DqpGL+u0VlbaVVbmxRKrw4/ZdL7Ua9YThxpaozKJKh5P+SCKhlC+vsalViuI83c7ucNPhof84MLij2vhHn1taJcbOHO3Wp/qFTUWpw/inT2y68/zQD18+3+lLpJTKqYUynFx21p/6/37T/I1bgztuq6aC7k91AmnjDIVn+hJ8ahQATsCx58T5ob/5bUtbOM0Ccybnb9BLokXkhQIVs6Vae9+mZQgNrSXi4E/6QLdhVBVLEnhLJVMKudwAXaxWOcEbGMXaECz66JCXiKsZRC77+8eX3Lq6TBpigV2+ZUXB0TavO5AsNivyzCbYYUkjARE0olYXAUuhLU7KZRD7T8BnYE+eWSMxi6BLihPgRiUKxiHY5mGSHUsRdhvcc5oTNlYZK4staqUExGQzgYYgC0c4a2TSFLXUDMcJJgOGclFtjw3BoCcKGzRsLCAcX5Gj/uuvLjcaNIOeyPBwoKIIJtzyohyN0BPBbkOQ8e4IB3Y862SIXRF3VllvX5uL0jD1GtnG5cU/cZjf2tchpTWDDGOKroDDHuTYH+zsHXBHPn9HbYnDTIOAXpv5obVOTwEKz9PTiJa4FhSAzNbtj77+UfuvDw4NIOrzlCY8ABqgnZZhltrYO9bmjzLNs4/LiErAYoJx5NJEaCxhHtAFf9OGpwDa4QE4DY/4IgeaR061jPSNhCMxXqmUlRYYti3P37CkYHxI50AkdbbVfcgVJ/yxwCzNUa+oyxtFUNHeGEv/E3dW4259kRnG2/C+BRKQHjKMWquCoJmciQdRHV8q3IbqOtdwcWsS4gTsFcAwI7sHYAn9HLU9A1vM88U2+E3B4mmsurFvjCWU4Bkd2QvApxmZGyXds3Q/leJa+0MIQMJCkc0LRXaNQasqydWX5hmF+jyUwR4lx6Llkmkxhhgb52DcTXj48Qd+Qfvr8seA8IB2rQqkhjP26BZhfMmpz0mtc1VsY2bBRn/tM0tXNzhffL/taH98kNjMTXEIrEL285Oepv5Tf/hg3dKafBjBje6EpniI3qIUuNoUoPB8tSlK65sBBeDW3DXgR2aLl066XSQZJKDj0nX90kqEdNos8I+tNd+yqhJMM4yc52aCBI4wFI4NuSNOb8QfjIdiCblMkWvRFOYZK4ssU/Pi0NdCCH+kcfjpg4MXRuLoNbYH8N6Rxfnjfv/rTb4vLB/5wtYKePhIztbhaKLNFSWBRRWEoc03gRElsuXMyCwG9bZVJZmfYyeoldeolGqFKBBnWcTxSgNjiWr54gGCmfQQVZMrYAYTad4Pc3BeADxLR1IQFc8iWpp08GGe+C8ddxB4K8qyxMVKPPS60Qqln8jn2OxJApfgWs2kmdpCIyQEkvxcGgW6ZjFpJBM2cPAxjoej9mhdY1/oNib6n14/P+JL3NpgrSkxF9j1MFOXZPhjpab/BqOPSCxQnJuz7TOmfR4d1qhlqxoKoApBoLFXD7tOeRG2/eJcTKwBNJXLDroTPb9u+h93R9YvK4Iye2IZ+ptS4BpTYOI/2mvcHK1+oVMAqICYVs2dI6981PV2RyQ2gdu6nDwIQsnzG+yyO9YW3LexHh5HxOb58mLTXQFXCkE64oMeaxzeddrV4k54OYHDKiwIBoZfmqd74o7KTStGA29NqAzPgjFtbHf940vNR4djiHpRZFA22FS5RuVIKCUmUCI9erHJ3zV05s+/smppNWEuYdsFfycpiBW2BZJfMoZ7ORebaQ4NScgHC3QNuGdALGHkZJE4MczOFMMJcJ6k64LZl3gVomk/zLMJhBN8RmzsFFEFjB6IF0YU3JceYMcRrhpeVeSywGDvAO9n0FYqhZ5AOz4Ag3ARw6C0ri3UI+zJeMpjU4U9x6jEnJibgWW/hH1GJd5g/OOT/XvaArxcdmrfsJYZ+N62UuyEZuX8lk5z2Bi9/lFHfZl1w7JCu1U3h2gz6DkY98rinFyrvjhfv/vI8FutQbiTiVvDS0kz9gu3YPT+1292PjESuefmiiIy2rHtz1gZ+k0pcO0oQOH52tGW1jyRAgAnbyB64MzAm0cGdvXHpoZZLIRY7BF0En5Td66pqC+3j0XFmljtTH63DgSPnh3Y2ziC0I9AZSJiVQjESopl46z88EjS9eqFUDix47aarCa757vcT715Yd9wDLLoZXrZ528trS+3ImRVLJ7af3rw5eMjsPsFUh32pp/f1QYWLd9mGK+GBUhDNQv2VjKunqzDkIcDCKHDBh9v0cjdiTQYb1BpMAhDsUsYU0jmh7zgV0nobGxgQKkgQoWNQThSWxCRhNgMjL0A5ESgfOkBVns4mJS2OmDuLWqFSQ/0GcVf7CdOdXhiKZ7IuxECU69AJgxor8fXgWodOVpgP9HlsgyE26gzUwBzDen33hN9Tx0YAjajGuw2HluVt31d6aj/W6bodCf+UPKj433PHnfltAQ+MxBcuzhvdUMBXgY0Nn67MF01o4URw2TzyoqiXMvyC4P/8G6/M0k0AmJNFzufqQrUh4/ffxx0DrhjO24po6FLMpShJ58ABS759/YJtEebWLAUAGfl9ER2Her+7ZHB5tA0yS2wYHIpfo1Nfu+Gsq0rq4rzjdPqhicjLJIygfF9eU/nGy2BMDAOjCdUs8TSWSAcpohicgXbEU3/5J3O1YvywduNF0GjWngfvfRB++6eCEJ8WAXhM7eU3rOpyqyHVlaGQdksOsQAe/7EiIfDQs/uaQ3c1Dh0/6YqDEEr8qZgwqC+7Qlx0WiSsUCBfvHA4wjR5QtEIWz3hRA+2r95VTGYbyiebTq5J86RnsiYpqGoP5zIBJ7EpgKxpg82jUgVSfxfJApjsFGACSf4NCNI/7ZBNy3JljERyLD1cfrjBFpZNiXwVoMCuw2pFGpBTQcueEn9LPHWKs9RY8cwge8H4iPEWK5OPhLlQNUk2SSMdgA9xKOtPZ5ffdjrFgObYDa3l+vv21QOjbtogCb1fZpP1APX9nMdI88cccUVcvCy8H36+IL3s+uC65cXYqbmwEajSWwWakqscJTPMepf29f7Tk8E+5cpugLH6NdbQ/5IO0zx1ywuuCRT+BSP0VuUAldGAQrPV0Y/+vTMKIB1FvLJF99vf7vZNxiHfdYUj5F7iND5UJX+89vqpey8GaHrFI9NdutY0+BzuzoArnCbAYCYWf7OFXkb6nK8kdTO085jgwhNJiBb4kOLc75xZxWCjqEegMz4DqLn5/uDktPXogLtZ24uhdpYag7gV5RrWFlj333O44bdsozxp5ljTa4tq4qVKgWMsYnuGSZcLOOMpc91+xAdenw/wV8ePtv3wYmhAV+yJ8w1j8ReqrAtFcWwDUVGaLilZ5uc0Q+O9DhydIBDPA7EAlf6botf8oOSKoyMuj6TX9DUiipvNEtwB1HULlcIAMu7AilRFU5iiZVZNQowx5JqHJmV46lTA2FWCfkCJPtMjV0tuVdJbWU+NRpFuUU1HE4B/qOiBdnoDoGVuXyRp3e2NwZg2Y7tkFBmUj60qbS61CYCaqaC6U+gcv7dgT4xtbOM+HAzbFMg3ben/9Z234ZF9vs3V4MXn7CdmrZSMrmsDA/C2ays0Lz4cM+f7+ozaJRTpNOAFmZXf9S/s2MkELp1VQWkI+PfkGlbpAUoBeZAAQrPcyAafWR2FMCS3djhfubdC6PK5qkWNsLaqtPcd2/Jv3dDbWWxFTrRqYpP2REgC9qVsJmXyYCUYOC+vL1yESJoapTAjDXVOS++3zESTt2zrgh213YLcluRhXt8i+h8vzPsSRAeGPLZQpsOcakIZvFMIBTvdwWbOr2Hmt3DIo+IJqCubXfFeoYCgKJFRfBVIlJlgBzY2VcP9G1fUzLBAM0bTL513heTKQDtEGErRSG0Vq24d3neW+c80viwM/j1wWHw6DXlOWku3dkfwG4AcKiVs5LyHirkMFJKjfKuDPTQ0oOQWqsUMpU6K/fMO33YmoAlJo9VmJWQ6mcGPuSLXRiOGHTgmOEozSNnBqJ4SnVmPnEHMvMKu+7IQAzFIAngx6TrMDp7fmfLay0BADzBZq3897eX3by8CJVkmsjUM8UJNiK7Tgzsbg8C48mQsANAS3IW7OzbXeFzvaGtN81aVJ5pDv1H3HKw0VaT1pGrfn5P33FPGh3OFJhwkmbYQ57kyAeDwTB/76bKfJt+zhKdCTXTn5QCWSlA4TkrWejFq0YBINl7hzqferf9dBBs2KSLs8iwsrDQzpNx33+w8s711fA1usLlD7ZgB84M7h8g0U4QFkvLc08+vLgBkS3JEow/fnGl7Q8/ZwDGQJEpXgRYXb4684FIMjoGPGArgYI9ztCHpwZONLn6vXEoL90pAdLyQCylV8m/enPBFzaVlRda4I2D+M8NeZoLwHaQUyHb2+o/2DQMa22JO8cnzKng3UTMuEiOJQKTdpsRnwDKRRW220s07w3EiWcTAnPy7K+OjRjPEMD2Jrh8lvnGhkKXO/JyawA7ADDHMEPL6Kehh8YmA+LatExAFC/E754gfkBL4VhqKIz7kF3DPEpWWWgEPGOyCAVYmdsXjcc5wDPpOCPotYT9lrqNK5kD3mC1+TqeccOSPsWwSZioiezz3lP9Tx1yQk8PGXcymd6+2n7ziiIjwD7z5HQnUlvnutw/eacDkcqkB+tzSICUNh9xrwZOF+aoia95limbrvZx9/G43ay5Z2Ntab71r185d2woPXUya+QBe2r/UK8r8q0Hl0BwcoWtj+sIPaUUmEgBCs8TKUJ/X0UKwIHqg6Pdf/VyqxMIMzk24xYwAK63sND+5v1L1i8pnRDiY7ZdEjGCRAXZ3+pDmGtwXDAr/r0tZYiHNW49lcGg2WGbyBRmbYuHgxG4U1Y40h/5Xz87fLw71Ac2WQy9CR9qh15x92LrupVFqypyYEKFGoDiiRSL2B33LbK27x0i+wPwfjrVT19rKrHrakttgB94aiFX8al2H0zB0cNYnP/OxoL6EovYARmYs8fuqB54vulUiNcQjychyCNxRZpLpIu18u8/WLN2ScHPXmtMJdIaNWMEk5rgAKgYONhhXyTFp7goYoVwvFXKEw0+erxUQOCH/bFgLKUkQcrIjUKLJuPdi75COo5uoFeAW1iZeQIpWINnnLbFHpIP+IuX5Bskphu7lggSZ/HChX54UrVGMN2wSmOER5ZYHr69Nj8HSJZ5bgYnAgYkvPp++0CSB/OP3VG+TLi9xtztjDaNJGArkIilGsrzAPkzqGuaIngl4OiFaG4/ekLz7M5zvzwdFsiGJ/tToImLE37ThJSbZ7/zQENNCd6o7CXpVUqBK6QAhecrJCB9fFIKICrki++1/GxPn1MABgCPshwSk4RFnEmlN+TJ/+zLa8A1ThAvZ3ls2ktYMUWh9OmhmNg0Wd9XVkkRrS95GPyi9BvoghVZ+hSvADKlOzIkQgbXJkZsZt1x7uWWgFoQNAqZIhavKDA+uKnkzpuKbSYtygMdEWvl2T0dA/3eL+9YsqzCtrohb2WzF5kcGdEK66Sff/wf9z++raq8wHiqxf32SedgigGXCR3v1iLtnz62UhKGo2Fw87esLCnMNfxqV/tH572RYBxyaoNSsbIh9/sPNFQ4jNBbP35X7ZfvbcgxaiAMR+tQAEt9fmxr1f0byuDAFggnYd5dJim8xbAemcF2DUfsPMfEGFQLWy27BTuiUckBaAK3LrEkqU+mYH920Nk8HN2+uqi6yFhbZMnIqNFbmMghehkid2PvEk1wYLt/9UZTO6Tr6AtijVlkj26rwiNSx6TWZ/KJiXjjUM8zZ7xQb2OngDwityyxFhaYOgbDoBV2DtguwHj+CuUr43uC2Yet2X9/bGNl4fkfvz8wZVIWlmfSr7cHzv/k+E//YG1pgfkqdmN8l+j5AqcAhecF/gJck+ETlApEdx5sf3rvgMg3Z8dmtI33D7pJZZr7zkbrA3esKMkjot0r50ZQA4TQkN+KclGyOVCx7MFG16alhcR5SGwAIATVZjKFiNZpaJE9kWQC0T04wsoitQPklgiCIamiHXadTS4MiuwgemeWs7cU61dXW5fV2iHEliIzo7ZTF5zP7+l6uzXoCifuKSM2XFi1EXPqa3fEmV3dp9wJDsAiY51p5V+/1SnRXQXNsCAUKoTtDdYv3lFjHrM4E3sog9YdfPaff9Xyh6F4BHFQGIQiUdnGMh6C4ZsstxJiaDikBib5hMs0Qoo2lFoQayweTfjCSTts4sZJievKrE+syn23PZhWsDwrizPMOy3+V5u8G3PVP/njjSBMpjCMAxxqtgcO3gwLQT3E2id7w3DYBrWq9PIn7qxaWeeYLTaj11Af/Mkz5xQaEiWbwLxd/cDNJXhV4J+GbRR0/DatYm2NbZLxzeWyJFZBxpDP3FpnMSmf3zN4MR3IxPogoyBbmfNR/ol/Ovw3jy9Zs6gQLP7EUvQ3pcCVUYDC85XRjz59GQVgIuQOxN7d1/nTjwcREWzyg1iBpVmhXs3ev6ngW/evlMlJeK3Muj/5gzO6A5QFiiDSNTF/AiunlP/q8NDa2pzlNbl4Hgt9MJps7Q8c7fA29oR6R2L+KAmhBekw+FCrkvncqrzPb6+pKjQqFArog/VqgSWgQ4S9y6zyJx9cBD/s0X0E5MaInAJH4U7fL0+OmHUq2ACr1YAtsl6D0bxtTTlw+p1DPchSNRjlohClyuVqudyikuVpZMhetWlZ4Za15QTms40MtnF5kjvWOPjMVnAW14CXNqM2g/TYTiG51sXWWRlu/fnvrXK80nhhIOhKyNzRlB/6hzhXV2IibkVjPUE98CC3awHPJMzWL444wwlOioiiF4RH1zm2rS2/3OV66o5iKwfLsjc+ao8jdJpoF2hhmduX5FQU5xw92w//NOjpoelfUaBHqM7JqpL2g9h7SeZu4zQakz1x8ToE5vdsrMsxGqy7z3/Yz8eIycSoXOFiIfEM4pKepPA/n2n8+y8zcInWX2Y9N6E8/UkpMCsKUHieFblo4WkoAGwecod/91H7b46PuFIEGCc/BJgy7ahUPbKl6ubl5TACRslZLaOT10yEzEC13BxdvVl90p/CbwAJp5D96W/OLyroTiA6SpSDYVQoyaVSPMye4aGk0KsMSL1IeszGBeHpk55AKPbVexvqK3ILc3SINnXMNcKJy3RHSDh1wQWR5uhyLOaAgpGXxx3RIhMUElqwTI1DX2wnSmhUB5OrrWvL6ypzO/u8gyMRmErhOgTaZr2qIFdflGtEGKwpwlFdLZpMIJfI0Y6iDs7he5UpQCYNCG3SfffRlX3DgQFXEObl4IzhmV1fZYO+OTOrONNpFHkmTdobhSnaCKzJYUYgh+tX+smbHQ9sqYHAPFM4U/8UJ3geBuAnW4ZfP+GCWhm7JUDg+hI93MHhlY34JJ6xuKGb6rOoKi7WLKYtQT05Jm0FCVJ2cXQXy2Q7k6iNXQFySsKjveDjlp8c8qmU2YOLiboEdoBj/ur55u/tSE0WdS5bO/QapcD0FKDwPD2NaIkZUgChrAZcoXcPdiHKUkgUb076oAAM4x9eqv/stobFVXlgsGa1iE9a7dgNCXsqCi03VZraTrqJmRJwg2WDjHB4ODaaswjBsBGKGtbKY3rxMcNykd1Wyn/bEi6w9cHDFfFA7llXcqLdD5UqJzADUe71w4M2i3bdYgfYahhDRWPJlm6YofkJGqX5ZXb12hWFGd9oNA1LI8jtS3LB7Y2quklPRVstic8jP+ffgSFYqvMQRZwEViWWXynMFOJxEhAWewswg5+YzaQShDAcnmBjAEEFIpA8UG36yn31drNuVqOTCmN79/R7Hd1RHsJ96CFKNfK71hYtqbJ3DwZa+4OJtICXBYL0NZUWqfzlbw6EGYgkc7rF+d2nz5bl6P7njupFVXZkKxFdrmeK05D/15fZvnrXUo2i8e3Toa4oB/FA1ilCBy7E+P/c2YmNBZzHzAZihUAPSoErp4D8Bz/4wZXXQmugFMCa2O8Mvbi79ZfHRmBjPMUB+bCW47692f7I1kU1iFMBZfAUpa/gllpNpOWd3R4SeoRlpPyMsABDe1hosSMg6zvSPSCXQyINUMEfQChjnAUGN+SPr662AKEREiQVjb3X7EM8L8C8M552D4WikRiCZrT1+pAn47kPe88GELeLNbHMN7eVbl5RDLGqyF2RAWCA5I8I2ccd4tCkW+Lp/Pq4pPPAYZZFgmdRc38J+sDGG1L9o31h0A0jBkStzVV//7OLSx3mMUu12YwLbngHu9464w4RWzNGwQtbKw0Pb6mG51t7v//5o8MewCQrcyiYx++osRlhUZDl3RkYCb27v+snu7qdKRaZsJs7fbFQFAprq0k3cw2xVDEk+bWl1hIre6g1CLv48cbvE0Y1FE8PDYQsagYm9xNc2yeUpD8pBWZIAco9z5BQtNhUFIBMmyQt+Ljzv46NcFNzwgJfpeN2rMp74JZFCNU5wR93qjZmfw/AD2+ZJ+5MGQ4O7O8ORYSUnFcgmqgMTkZyViNjywxK5Ixe5NBZ9CopKlbHQBBhI+FTCxk1lv6mYOpstx97CPCRd99cAW/Xp894EeMDBQ664vt294nLvYCIINIW49YS/SPrCzetgo8vGMopNymzH858ewIDRHCyQVewdzgE23MYcEG0sMyievL+GuSkmsPMAtqbO927TzudAEIRHqsM8odvQ4guPYz43P54mw8W4iTXSKVdnWMgPtATDnQJnUFqZ0RxcWIKiQs30xFJ/+sB54mOwAPrwyvq87BvyBpWfUJVmZ8Q8t+2quqHMuWzH/d91B+FbD9za/wJOnzKn2Q+7MPFzatLrUbKQ48nDz2fCwUoPM+FavSZCRQY8UV/8cZ5xCVOZMVmcKmEyQG7mq7UcY9tLkHCZggbJ3cunVD9XH8KPMx8Nq8qhbPW6Xb3B80eqJxRV7FRWVdsrC8yIncF0jwgTyKAHB3HChsIxxOM7KeHhlRiPEtYCJ/qCd6d4ADPBXbDdx5a6rC2/d9dfQhiKUcaKDkCcYhZFHm+wqT89rbSTcsL82zE4puMdpw2d64DmNfPQdLg8kaefa/tUH8UmAXHKkVa+Pr2cuSrgBg4C1c7+WikrQyxKDzYs68vmibiayHJMY9sKITJFQzrApFEz1AwHk8r1HL4ilUgeBsCkI2jMF4x+Fwjc8kbezt3N/tcRFGBFB0wQZDxBKRZmGH3vN+7tmn4ka3V6OHMERqtIPznravLoMhg3mnf3xedLLJYBqHR7rZ15eO1G5MPnd6hFJiUAhSeJyUNvTFDCnQN+H7+u+aXLgTGdLeXPUfCU8DMh29QsV+/sxr5ghCnafzaetkDV+eC1AQYWfw57IZNy4uwgmOlhgIV4a7UKvl4gyxJkQlDp0duKfvtSZeUahBMdjKeknqDzURhrvELdzXAlbmtz9syGEOgLrNOWZGrQ2iOikITUiygoavT9euhFuTXevmDthfOB6AFAFXVPPNH24o2LC+aQxBs4CdY59Zuz6H2QBwzgVgoPPHL2r62VPLGjseTwz64d5EtFD6XVFrHc7FA90SKP9fueu2jLiQ+gYEaHNhi0dSXb8pvdUZPkjxjLK70RdJlId6gJZuxWREYLxJJF13v+H0Za93d+VpHaHzr46siCB1IpT/sxcXt68tp8ozxxKHns6UAhefZUoyWv4QCyKT0D78582F/hKSDuOwYZZsJK8XnM6mv31t914Za2BYRmeMne0AdOLVGUOL2wEPD+VgNQ984sa/GUVtsAieNE6kAhJarGgqW1+YjeyMOLMfgoYHc+Fw4sSkAh2AQf7On7ZlDTrCn0OEnE9wjy213ri9DQu45bLxA29Ye74v7ehu9CVAT8BpPcH/8hfoi0Q8ezcELbsAbV2AiBGIrvqzcChsATAphu1kZRN8nzg/9++9az7oTEeA3cnDFU9/bUnL7ivwv/9txuRJ7JgEbRJua/fLtZXXl9tnCszT7iNuyuj4PPLTm7ZZXWkPAe1y//MDVcyHuX3f34Na9t1TNnE2/vCp6ZYFTgMLzAn8Brmj4SAjxf5878V5fPD2JzQyWKiyLADIbk/rhV5bAgWpW1rNX1LnpHsbKfjmQYKH/+NwQUjAhdyTQ16qSb6q3WSDVHDuw+BOeW0wRPHZtwX1D5fz6ntYfvdnB62GcRYTID9aZv3pXzZzjZwUjiePnB99CCg0osfHCcMJ3bym6d0O5pP6AR0AokugGcstJXpPl+VpHjj4zd4ifuvdk34/eaIOOGdsldCaZFv754er1K4r/z1PHYvD3IhPNJlLpuxfl1JXZ5oyXeJmVShVq+Np9Ddzr517riE5my40XojuW/os3O7F1uW9zzRx2AwvulaIDzkaBT5qJydYHeu26pACW1F+91fxeTyINdmWSEYAPAuNijsX/7NHaLaurRI7nU37lgMpYqZFRqq3Px3GwtYYKlRzwr4KBW3Ov9y9fboG0Fldg0X1frak43zTbwBpifVftQ+rh2CfhF6U/9Hb8HzBs/N/4W9L52IOjbmSiCJlUNYeOglZxRnb74pxyljdx3GKzYsfG4prSHKDpnGrjMR1vHnUBm/EmoUOWVBIqBmINIFUnpMFMd8XSJPgrw6yrssB+Xup5NJHeeaj1iV82tsdIRHREjWnQsK8+uWLHbTWv7+3c2RUWrceJjX61QbllZeGEhJ5z6C0QF4Zvf/T5VZ+tM0n9yVoJeg4Z+7dfaPv4zADon7UMvUgpMDUFKPc8NX3o3ewUGPaEn9vZ8sppLyJtTYLNJFoHFqYqA/eXX1tz8/ISrKcZjid7pdf4KkAlkeIQZGPnwe7fHnVurDQ9fncdyVmpQOYIJpbgjrY4/+ONC8jtKDoICYtNytvXFCHL5DXu18Tq0U/JPRoCZCAuAp6Aj4dqFvbhoVgKkbTDcQ4ZKmLJNJJLomgc0gnEARndZozWRuJvww8KUUQRdEUhR7wUpVph0CgMaoVJp4J8mDCmiKWGyOFyBB+VnsKV0cen/oL84Mt31H1uS7XTF+0b8sMdDdJ+aHRn9vQldWOsLj+xCDvkipNdEbJkctz3P7uoCs5MYxqQYJQ71eGDxzNhQ3l+WakRIdkwXG8g+ty753+4Z0CrhSEfg6ik2yu1X7yzbllNftegf++ZIYMO8bpJp2xy5osbHGsWF6C5OXRyfI/RK1SCgGXfeWQZ8/LZ1y8ESR7xbAfmRquRf+mnp379e6lb15SNN3TIVpxeoxSYSAEKzxMpQn9PTQEgBZL17D7S89YZj29SbEYdyJfErxUzUG1cVjQfsBnWvx8d6/7L1zoGY0iVqEC6hW73mSfuqCgrNHsDsVcPDfz80BAieYFpQ7CqZWblk/dUwNBptnGvpqZe1rsgDsTFgGFYroGzT5BYZmmEVBsJJDqGQq3Doc6ReI8v7gtzfqCyGHx7fD0IeQZHMVyBYDdznbiOIT3nWB5M6ToJjiaXGzTyfKOyzKqpzNXUOoxV+TqEx1IrZGBJ4dkMlAVmi3+jzGE2zAY7KINjd0muvnRMPZxpelYn2HZ4/bEhTxjcbVc0jeCi9y2x79hQOh7MQpHk4Z4QSavJMDkKFsmnsV9xeiI/ePb0G80+vVaJ3pRqZLfXmx/aUl1bloPwKa9+2NEUxOZQ9K3ihbXFuo3LC4np9dU40A94z1cUmL/3ueXMi8dfbk9IVghZ68ab9oPfXvhnkwabhpl7XWetil5caBSg8LzQZvxKx4t4TDsPdj2zt787DqucSWsD47whX/mtHQ03LS4kfi2TFvykbrCMNxR/dk/XCMdLTBVcdOC7fPDZ81o5k+BZwKHFpIaeUs4zmwu0n91cirCOV5jXcvzYCEs8xrqBP0aMaxJuLM7B6CkSSSDPVb8vHvBFYZ8MJSvMoJxxPsjx8CQmoVKgwhdZUxipqVQIzS0CxOinWO/oBwHpcceEnyQfF+S8SPzR40v0euMftSOcmROZtEwKWT6if+doynPUDqsmx6jOs+mQLEujUUmsNnhxImoeY2elk8xPtDj+fFwHpj8FEw8BBmTFR84N7jox2O5JIvWFVqPKsLnAWH8odrovLO43hGq7Sq9VtfZ4nnqrFRk7NFpEfRPq9HK4YN21oQzOb6DqgTMDe1t8SJpF/J4Zpkwrv215flWx9Sq+hETjzjBo7vcfWa1/+/xzpz3cJLIDsO8DKeEfXmr+H48yyA5C9dDTvxO0xBgFKDyPUYJ+T0cBrEew0Dl0duDVA71tUWJuk/0JBN7i+TvKlQimDV8UcGNkJZukbPYaJrkKVEul0+EYl+I4hOOEAw9RZs8Q+wUeSRifvL8+/Vb7cXcc9sYk6qioK41D/wrTa1gPJdN1RuXdS3I2ryyAeTbp+VU6QADpiMRTSBIVjiDVYyIYSfY5w0d6QqcGwgBLCKvRBwWk0GhWBEJYHk2SzViqL1PrWO3TfYu7JGJqLhUU//HjXAgJTCjGt8H8vjeMBNIQHkB6XGHTrMzTrKzOqcrXI1MWDNqBi2BA4dU9ZzC+vINoHlx4WYEZsUcqis39IxFodknAtbGiECr0u8LeSFKrU3I8bzGrO/p8L+3rP+hKYPrlqfSqPM0jG4tuvalUShzS6wzuOTFAMlqKo0VmDnDVuAvBwFiVV+cbPcTeAtZwX9+xSClrfuq0R5q1y2vHv5QWf+qlDzrgqw0N/XjBwOWF6RVKgQwFrvIrm6mXntx4FEAeoeNNQ796v/u4jwcrk3WAQBasoeCbgc3rl5TCh4qUy142awXZLxIgEoXqp1tdbb3+YDRl0mGlsyyptlmNOqJGzf7cxasSoqxbVoSQni/t6TrQHfJC/ivCM7gsNc8V6+Qrqy33rC1cWpM3Gp/54tNzP4PgGipkiKyhpnW5Q71Doe7h8JA/0e2Od0FYnSRBvIFF0AAbP52MhBcxHigC5FboiCYVfHavPwEm+63WIDJrVRgU5XZNgUVd7jAU5RscNr3DboSo9qoES5emBgbVYC6XVKWxMxgP/4Bn5BGRJgDz1etJ/OyDvu5AUmSm+U3Fum/cW7O0Og/xZ/AUzBX3nxk8iMAm5J0jQ7PLhG03FZN0maIL1twnMtuTUhvgoR+7u0GtafrFEbhmZ9dDYwP0XkdYs7sN5g4149Tq2Wql1ygFRilA4Zm+CjOiAGyPGjtGXv64+6ibrIxZnyHMZip9r5iEak1DydR+xllrmOJiY4f7wJnBF4652sXIjii5JHfk4dX+bevLof6Edc74NX2yepBjasOyYptZe0efDzA5iOyEDIOkkQhCBXFuQb4ZHDaYG6zr2Uc4Wb2XXZdQ2ROMDY+EkONhxJ841x8+2hloD6Wwf0HYKUnICfZdeYUtXdb0VbmA/Y5s1OKJRbiZ04HUcW8CmmyZzFVtVK6tNC8tNtgt2uI8g82qz7cgPeZVWElAkwlG8iBjPMkhlioSY2NcePFa/EkiLhGjjjy+0v7Y7ZUNlbnSlOEVbe4c+eC0cyCaRkkcEId86Y4S5FyZyQZubnTD7GHTAP/sBzfXJ5Pt/3l8hIhkss0pEHpPa8Bi6HroNll5oXkmr+vcukSfumEocBX+Ud0wtKADmYwCWCXber2/fLv1o4H4FNgMLekqm+L+jZVrF5dKgS0nq3Dm19E0ONMoYy4AAEAASURBVLljF1zPvNWyuyfCyRjojPG4KDBM/uLjgQFP7JufWQzRKIx6SZ6LbCvj+ObA80F8Wl5owboPIyzcgtgTrBuYNjGJBeF+pqtjfH2j5+inpOqEeRc8cfucwTOtI12DQXDJfUGuN8xFiZU1q0CALdFra/SxObSUpfFremmUvQZ2SmqK7jDXcdb9xjlPkVlZaVJCY43ILUur7RBQQ3iLYhnL8zkg0OX0wBw1DohBQ8EOo2pgnyCoOe57W4se2VbjsBkydtOw7zvc6Dw+PPqKwkP6tgLtvZsqSRSzSykkDWnCxUuLzO4XdhUlDvMjW6vwtiIVKTcJQg9yzKsnRyD42XFbdb6V5BulB6XAFBSg8DwFceitUQq4A/Hndra+0xOZPA4Di5idayyyr9xZdvMKgs1zWJonIzcSYf3Lb5v2DcdgRE2WflikSSJzOTvMCy+c8eaa2r7x0HKSiGpmKy4gRIr0OVmLs71OlntWBuF/S7+/s9t7oS/Q5YqeGo45kSqDcPWkY5OTboatsYilNcX40AfpbuZkunpRnHR8VgdpAgJwhkVuis4Q1+ZLyXoj9mbfilNDlQXGuhJzZXlOfbEFghPsVzBZ0+6Wpm0dGy67QREdisIZDLsvgK5Bwf7lQ3UbVhRD2Zx5zUB8JOHeecYdFvOdAMgDkeQTd5N9W6bMtG3NuQDIgo1JWYHlvk3l/kjqxZYQwohmrQ3JoV85gizUGhryMyt96MXxFKAJJcdTg55noUAomvw/Pz/6HsSyCMCU/SAuznlM6otbCu/ZUA9mZSZcbPaaxq4SZlRc2sElv7mv49WzHuI0zQtLzKpCnSIUT0O5KIEVmNbG7gDDcyur7QiveeV4MNaF6b8lIITHcSgS33928FdvnX/po+49bYGjA7E2fzIiELGnhM3T1zWDEiCryJgSKQHBVcAfgmThG37PPH6xAETiIk2AEemjRDttPADvc/EK+oJbsDgm/CceFGNpzaDZqYoQ32kZG+EZ6NGbhyOnO/xHzgyd6/AguIjVqCFa5DGrgOxgNVXd0j1Bp1HBPK1Ake4ejrjj6ZVm+V9+YdEtq0otYsYqvB4oB+vu7qHAc7s69g8jshhxTMakfOWm/Cfurs/Y9xFC8Ty822FZ9v6p/sYuD3JogN3PODtdIUHQD/DxORZdvlXtcwa7AqmsexMU83DChU5fpV0FkTh2itPTgJZYqBSg3PNCnfkZj/vF3Rfe7gpD65iV2cKKT/gELv3F2/Ie3bqU5BGacc1TFwxHk3CSAc90tjuQZgVjmv/7x5fAbgsL2snzzr97o70boTdJbkcmyMp+vqur1K7bcXPl1HVe3buQY3cO+D4+0X/gvOe8JzmS5JFoEiBIWiHWauLJlTUJmEEWD/yfAiaDRYNsX8EipohVDQ8ruUnBGlQyvUJGHK7krJZNSq3FBFUCoUsYNsLx4STJqRVM8r4ET/zHUqiKuEdLVaG/mNgxDCU9nsP0iY+zcYaF8LY/JZxt9n/YHqgxNW9YUnjLysKl5bYJGmWpkzP5RPcgUUcMkC/ft2RFg2PvOSfCaMMQbEJgTjgUIOX2h91h7AdIJlCGWWlWfPf+emgrMq3gDGKYl/e07TznGYLpGMOYlWyDXXXvxtK71pdfFTsJ9BYqcqi6v7gt6v5d1ymvaL+WjaR9SebnOztLCswwE5PsEzP9pCeUAhkKkA115gc9oRQYTwFgw3uHOr/3m5a0knBu429lzsFQR5Lxh6r0f/HNW+wm7ZXLM8HEoHJkQ/rt7hZYaD90W9XfPnfm1bbwU4/VPXhrjdQJsEHHmgZ/9ErLcU9S5CDxASYu8Zv/tm5dfR7OM9276ifoHhhT+Cu3DwVeOdDz9IEhjmG1xBX5ShtFteB5AXUaaHkZwShnjEpZnp61GZQ2m8qoEc+NCqNWbtIhfgiSbpHAIMS1bMoDAU8QSDzB8YkkEkukQ7F0OJoejsu8waTHk/SEU/4oDyqG0gxCVQPeCU8ul8Qk2Wd8ytYu3kQV4Xhal05/Yb3j4U2lyJlNQpWBTnMllMjdilFixwGeNB3IEv34T04GOOziSGYq5Kr6l8/WPLC1ltiAj2vuTOvw373QdMiNjQTJTk3KMjIk6/76poJvPbAk5yplUQPVMCU7D7b/69sdzdjWkn5fJIt0htbRfoVO8fQfr0f+6U9S5DOxK/T3PKYAhed5PDmfatewqpy64PzBr86ci6If2VdqLMFwGdpRqZKw+ar0F4LKAXcEAZN/s3/An2bub7Ac7A4hpOPJv91SYB/VI6I3sBj68Hjvv73d1hIisaHILpMXNucr/+JrN10js1i0gL5hx4Cdwc6jA7vbg0FI2C+Kb2c3eiJnZkmsL+SU0PC8SSaYtPI8k7IkV1FqV5flKq0GhVF3ieMSBMlY09EMMj/ATUgKCjOT7bWIUaQ5oKMk/ZfqkXoMvjwS5UYCqQEv1+tO9HsFZzAVRLyUpBCXyZJwDIMwXIQc6XOW42SQGxKhvjZWm+5fW7SiLg9C7wmoObsKLy2Nt9Tpjf7Li2cQAw42gxgjaHTPopz//fmleVb9eFhESexUGttdv3ynDXw2AmIb5Cwyk/kRWC3F31+j/87DyyqLCC975WCJWUL42N++3/yzDwYGOfSCzNrlB7QOT67N/e6jK+BQcPldeoVSgMIzfQeyUAA4BHegH7945rX2sLg6ZzFKkrB5S4EKiIhMA3NZu7O0zDh9kWffOf9Pe4cQdAJwkkymId9EtocTP9yaMQXCUotHOY57e3/Xj9/t7k4QDSteZchpH60zP/nIUriiXkWZIZpD6gVfMNbvDP7s3Y63Wv0IYQ2dJZGQzuaQ+GPQUy0XStTyEiPhjPNMsjyzIi9X7TAqckxKg5pw4fGUgChmYkTOSRf32bSctWwGvARw4BIvjnLhBO8NpoZDnGsk4QpwSHwNDrs3wrjifAQDAE6L0uOsNU5xEe7L8Ci7vcr0pS3lDWVW+LYRn/hxrO0Uz05xK5VKvn+s//vPNsaVSoAgeNLFZvnffmX5kio7Qo3jQWzjYEgPLQleJtFEX47Mlb9+98KgP7G+Lgc7hTPdgQ86Q+G08KUllq/eWw/zrquiDwal0O6v3276yb6hEPnXkwWhEa8nHk///58pe2hrA0XoKWZ5wd6iuucFO/VTDdwdiL24u3V3F7I448iCzbgKIe+mPPkffm45AifhZ2axJ09cwYE8UaEYB1luDPwwM+pG5Q0k+0bCGV8UaVlXKBQw34X78gtHnE5IKWGPxAs7WwJ5H7R9/o66/Bzdla/+AOZEikfEzX2Nw/tODL7VHcWOwahH/mBm5tgsghoDnXyhksnTqwqMioo8WbFdVZ6nthgVGjGZNCpEMeCxn8SilA5pTc+yrI8VuMLvizWj3WiKj6ZIhYBqq1FhNyv5Ii0GC6n4iC/V70n2u5PdI3FngB+KCk6OhCWHMB4FZnggiDejkH3UGz7+66bNJbrta4tW1ebl5eiuMGxqJJ5+80CvICehPcE5A6IfWOOAjxPRqAu8NxA/2TJ8uNUXC8e1Bs2SMtOyKhsMsr54T0M6mawtI0rxOwJx7Yunf93oe+Gcz6jteOzu+sJc4wwHNUUxEAaI+8Bt1f0u37NNSD2J3exFgksPYqOm1Cj+9Hc9RXbT5tWlV2VbMEWX6K3rjgLUcvu6m7Jr3mGEXtp3ovf1o86eGEydsizAWGlgrFRp4P7gvkXrFhciy0KWQnPtplqtcORo+VAU4ZeJV7J4KBTySi2zvJbYhWW6hBODVgWJdyIUOTsY4QlWsGCkfd54joYtzDNe4dIfS6R6h4ONbSPPvt/x8496G4McujErfg8hwcC3FaplG/JVd9ZqttTqNtZqNy3Sr6oxVBVo9BoFBNQoAHTEn4TiYyP+1L6BIRB9k70C0Y8CUtkco7LCoa4u1NQXaWscqqUO1bJcpZ5nw5wQSmBHBFy8OClT9xt4nkKES1/ynTMj7YNBsxyaYkGrJnTNTOvUNUy4i97ajMoiLetBlPJw6rOLkBWjCrITdGlgJPzKB61/9rvOAz3hMyPxo93BXee9zuGgIp0qc5iqSnJUsOpmCYjCnPFXBwbw4rkCyfp8DVKIXi2kNOhUcAePjXjOOhNjYV4mjIDENHUOBmuL9LlW3VUQrE+snv6+jilA4fk6nrxr0XUE6wDD8fyHPYc9qUkXC14ANj95Z/XmVeXaq2eqLQ0HIGsxafMsar8z2OZLSlbF2AD0DEVq89RFkAUTo+iLh9mgcdi1A93udj8HpSZ4OgQoWVxkqC61zs2MHNgEYSgSIh1rHn7to65f7hs4PBxPY8G+pNmLHbj8DHgLCXWhRr4eqFytuWupYfMiw4oqXWWh1m5WadQKwB7MtZAo8vJn58MVCSmlT3QR/YTVGBAYtl25FmVJnqaiQN1QpF7hUNZY5BZWlkjwELMQrn9mcm9QErkj+/3xwy1ez3AAinS1RgmQBolBfCI+Hz/Bk1MEfQPA4pWoLDIXm5U2GX/7mkLYdQN3w7EUck3+aO+woCQJuCDZRkm8G+3exNl2fzgQsZmUVmj7ZUhMKQyOhH5zeAjz4olx+VpFfYnpauW2Qt9zTNp8q7ajzdUfgfIly8DwqgzE0ilfeHFljukq5dSanGb0zvVEAQrP19NsXeu+Yv3qHfYjdv873dGs0mrwzTATinGJb99WdN+GWosRcSGucqewNgOAkYAB9snOgWB/FOwW9glsKM27BoJ1Rfp8m2F8m+hAjllXkqtt6/AOhrlqo+LrW0u3rS0ThdvjC86on4CHUDR1+OzAzsO9z+/rf78vEsEGIduqmrW6RAoqcKbBqnp0qfbBVcZ1tfpFZbrKAq3VoITftsSPzsSYK2vln/pF9Fz0qBbAUlv0SkeOqtSuqi9S31SuqTPLExFhOMwleQKZM+oqy0J/cc6VaO72R3zhVDJl0Kvg4ASX7BniM5pBScwOmFSIrOtKzWWFFmTvwLVzXe7/3NnpISYK4sEz9Rb1xjKDQSlvR4DS/kh4JKSW88X5kGOzr37YfmI4hi0gRAF5Wvnquly7STP25FX4xj6gwCo/3+534/W4jDbY+ODPH+GsMr6y2HLVU3dchQHQKj4lClB4/pQIP/+aBTa7/BEYW/32jAd2rVkP7PSRxflrq8wPba532A1ZuYGsD052kbQDhklctLBw4SdZc0WuyG7R6+R8d2/QnRKzY7EyX5RD/sWSApPNSJbgTJ04Q8Zih1XtH/J+8+6arWtKkNMC98eXyRTOeiK1C8lBS7cHi/Xz+wd2dodcKYE47F5sJ+uj5CLYYNhxOVSybaXyL91keeQm45IyHdDLpFcolAimMn8Z5UmHNOUNkAssNThq+FvDvNyOVBn5qtUVyHClyJGxQZLqQ5J4432Zhnx4hfwpHiFNLnT7Q/6ISa80GcBHz2Ly0AD+EAKF5NTSINcVGmXePzHw4QUv4B8HLLDurTD84Y6aO28q2bo0d3WBJuyL7e2PtnYHbFq2Yyj41J5e7Eax9cT+aWttzvr63KvIPZMOyBi7xWhUJA80I+9kdnOfECd43dFcg6zUcdVE62Tw9LieKUDh+Xqevava93gSXGP/Lz7sG4D+NvuiiqAW6XsqVF+6YzFUd8hXdOXtk7UVQComP8ZKnWkWF5HnABEZg/5w80AkKSIt+OgBd1zDJSDMBMM0vnXwtwU2/Ypq2+LKXJNeQ6q6WNn4glnOiUAVNbuCL+2+8Nq+7hfPB11xxAKZUQ0A5ngiXWhQfGmV6ZubLZsajKX5aqAyWLH5o07OMuardAnwR/6golbIDVp5fo5qeblmU43OrpW3DycD0ZRSzI45dWsgNHzHXTG+eTAy0Ovx+iJghcXYczNlo1E/3hxxzkffoOMXXAfbAwn0jGGWW1TfvLd6zaJCmIsjmmZpgWV1jTXlj+zri3QMRQ62exHKXYzOwthVssc2FS+uyr1aumdp4BggNhy5VoNFlv6oI0AcEi4/WMaTTMN3v6rQAJewy+/TKwuQAhSeF+CkZxmyFBbxp2+0nvJhqcxSAJfgUVpt5B7bWnnTomKEv8aik73cDK6SZZNlEBesvc/7xt7OV/f37DrU/fG54cHhgFolhz5bzInLQx8JD5mYL9Q0SITtMELCzqHfE89VM3BuzoRjFBtEtgm5zYRAkoRjm3nX0BHoKfefG/zP15pfafS1hZFPaqYcM7jmdTbVl1bqv70lZ32N3qCDLTlh+4DZBBYW0iHKvQnd4Q4HrcTyMu32el25VZUKJAajPMgxrYIABbD9Qhzvpu7Q+dbhHIPSbtWTkJyzDD4qvllMMBg90jyCaHOYhKV29WduqbAY1OgeDtRpNaiqSq1NLa4z7oQ/lSbzDbP/FP/wYsv2tSU2M2z+RydP1IWjyllsFLJOO15eWELYzOqEL3LOCX9ywuJPOEAkZ5jTp1PlBUaDHpFu6LHQKUDheaG/ARg/lp8Rf/Sfnz+5uz+R3YlKJJJRxn5ra+GOTQ3EIjqzgM2eftKS19bn/eUbTU+907GrPXjSGT/vSTS54qfa/UfODrk9IUeu3krWUxKusrzI/Ma+Dj8POTFZqsMpvr3TZ9fJygrNIoqTHqA7WM7E5Xd2XWvt9z/9ZtPTH/ad9KaQ5mEyucH4UYJccFddalL80WbzF2+1Li7XI4YXQoVAiI1b9AARII7QqOV1BartK8wr7Ip2FzcYRARWMj9T0wcF4iJIHzrr6uoaWVKZY9Rrpnnm0hpRGC8YdNhHzw30IRo43iGOrys0VBVZpYLkPZHJOvq87x0Z8CGoF9n1AZyFeqPiC9sql5OosRcbRH8u9Hqx6bt0L3hpkzP4RUYORwOdyqSR7W/xBOHNP66VTAXYfXY7Y2Umxfh3O3OXniw0ClB4XmgznmW8KS79/uHuH+93Ei1Z9oPlUuk7ypRP3LMclqgXV6/shae6iqUTwZuaOkb+/ZXm3zT7/YIMgmsJWrEzAP/kSjL7O4P+IX+ZQ28zEY7HYtDcsij31Ml+NxytEGmLZb1pxu+OVOVr85BHMus6N1UXyPKNNRxM86Gz/f/2avNL5/1BWHRNhxyoEmyxkudXWWTf2Zzz9W059aU6XAG7TVE5K70JTgtMpUOzfYmhzqIQwilnmBfncJo3CJMeYdhTzsSBkwMlVjYPrl3E3Az1zYyLZVlkJLNaNXuOD6ZkMmciDZ61qkBPXl1WiCY4KSJsYxiR10ilOBabFN//TM32dRWZtwkvCfZbJ84PfeXvD1Y4dLUlcO6fWetZaYE3l4jfZXk5+jKD7GxnIATlR7YDAVKESKK2yJhnRW+nIVS2Cui1G4cCFJ5vnLmc20iwDLX1+v7o6cbYeK7hkrpYNc+vy5U9+cjK2hLLFS4Z6TR3rn3kx6+c390bhTmPUcGa5Sz4oyT6AUaGmO0y8Lq54E6cb3UvKjHkWrUAYLtFV5arPnB6ACktsaohxMVQKBX2hBdXWKyztB7H4/CbGvZE4BT7t7/rPB9MySFBnfrAMwjWgSDJKuaJDebv3uuoyFcjpgTcjbIvsVPXtsDugkrA1tpCzS2LjSUGecRLsmzDaAuyhqnfJXDb3pTw4UlnKhxBVgy9VgWGc+pHJNJKmFaWZ1hWrG9qcsYYeacvceycc8AdhrDkhd3tP/2grz02Co+o0CFjvrix8P5bazIqZ8wrotXuOtn/v/7rpE+h6uzyOSyqMhLt5IrwEmiLJmBbnor4z/bFEVXg8ncB/Wn1JzXxRE2J2ajD9vTyIvTKQqEAheeFMtOTjRMBwv7q6ePgJCZbeSD+y2FT372/asvK8hmtjpO1JCb+G3BFYBr9aksQ6Zm3FKgfXJ1/+5LcFUV6h4p1BVJheJ6I/QCP3BdIKqLxhoocvRYRtwQEi8jTylo6fEFOUArM7eX6R7dW1JXbYXw08xUMewAwzWdbnT9/68JPjrqSJKzkZAKD0WFg04BoEbc6VA+tMjy2xb6q2oBAWlL+qMkHSu9cQgGyJYJLFsPUF2tWV+qK9awyKXTDVW4G71NCLjvSHfYNuHOMKvi4KxSAyJlNOMuW5JvrSvT6VIJL8L2RdFO3f1+r95QznhJ3ougQ/jOlue/cXvb5O+rFJOXwjSZMsz8cf3d/5w9fbhoRlGjPl0hHfJGKfO3cvPXG0wKkgIjboteEPOEefyoTeGd8GbTY7UnUWhWIx5dR34wvQM8XCAUoPC+Qic4+TLAIv/u4/ZmTbjFfZJYy4CuTXPrxleZH71gG9dvM1sUs9eASFqZgOP7W/q5/2zekksu2l+qefHDR1rXli6vsS6pzVzXkWTUyeTjaF0jBoAc8BEJuNw9HCwzy2mILNNA4kIBPxSW7egJ31Fseu6tm9aIC7fiUgdmbHb1K2FyBd/ljH5/q/9uXWw8Nx2DENDUrBmA2yZjVVuaeBv3nb8lZXqVHmkiEEyFV0WP2FADdwElrVLKl5fqaApWV4VWplCfBJqHwnwxxxRcOe7XzntSZC269LJ1r0ZJIODOAaPIoyzhsegSbq3Fol5UaG0pMsjTfjyyb2O6J75iG5R9ckvOVexdlskdLEWmef+/Cv+/p9zAKyKPRbTSnY5jqAlVVsf1KGWjSKQajUCu5ju7gYBzWFFlImeCZoDuyrMIMa/MZjDVLDfTSDUABCs83wCTOcQiw1oZq7X+/1BqVAYWzgw48qZCQ6g8+t9ZG0u1lW0hm3DiyQPYMBX/2TkdflFtiVX3rvprldQ4k7sVSCWZGr1EhU0JxrlYZT5wdikGwmQac8szJzsCOVf+PvfeAc+y673sBDHov03vZ2dneC3eXTSTFIlESRTVKsuQSW5afY8fPTj6OnU8Sv+Rjx4njZ3+ei1ziyIoa1SlRFJvYltxdcrncXmen9xkAg97b+x7cHSwGwGDKthkal+Dsxb2n/M+5F+d3/r3WZha9U4zVtq1a88iB1k0d1YR8WjpF6NevDM/++I3+P39pZCaepq3yhJNMs8dQ9eRW/aO7rPs3Yp9UFREhqUvPUvmmKnfzZ4AZjCZlFr1yY5u+q07Tqpd7PUnCspVnigFIdyxN+oqqWJRnQaCPnCA6v/GCc95X3i6QkKSNW9rZ/mXevuweDGDhwIsjh6n+4s7qX31iS6PDKD1ZdqskzPjeK30/eM8pQprMCZSIg3PPeuvOnnqrQQ37nq1e0NVyv8odFkM8HLk0FmB3UuKtksugUxuNbmq3FfgQLrenSvm1OwMVeF67z+5GKZ+ZDf39j86d9iZgXkq1JSdgdENV6g8/uxMZMuuXWNNu4IgnUu9emPzquzMsRvd3WR7c3YRGmfbEYjfXMoYzjdX6hCdw0RUTVClkE7ORRzZXtzdYxKJIFmS9el2Lnb2C4GiWQI5Y+LIC7VOXp/7imcvfPedJ4JI8t+yWHA1Mc51K/ki77hN7TQc2mogugpZyATuekg1ULi4+A0Q1YZ6rzap1TdpmS5VVkfH5Uz4RF3TB14ynFknLTgz5Xe4QdvtEnlmKNXXu1UJkzQt/9ooL2MOTChH2x7rNX35yC/G3eUN4nTAZw2LxWy9dJTdGgDeP9wsSMYbAKF/EHpdNucIeD+Zkab1GKVQquaYXH25xiTTEExvc6/RdnkYJXWKzyGZ0wBntcai7Wmw3yLIXd1+5siZmoALPa+Ix3XwiEVk/99bA90/PhoROsOQhR2X3Z5/tObC1VaR2XAoYlmxm7mIklvzOG4OnJ0NA3e467d5NdVbTvNCJ9IEEm7DDeo3i/NVZuCV4H1bIxzZYe9odgoLsIdgsjrlmy/yLHpHl3uWLvnxs8B9eHHybtARz6aEWqpVMyXoMii8dMn9wl4UAI7h3i3DTlePWzABTy06pxq5ZV6fpsFZ5PenxcLqcMUBW0tLrjAyP+OTJeFMdtlNLzZQs9nZGbVudPukNnZ+O3t+k+60nN/W02sSrhLdeOP7WqZHvvDL43FAIRp4XD4ES718kkmgwq3pqtBPeOBFFjgwFxsZ9qVi8pdaky6aXXtnEZN9g/Kw0xFz72fHxiNhrlnij4zKZbya4pd1CtoyVdVSptaZnoALPa/rxrZB4xNrnrs7880uDl4IlrUfF2hSJR7+82/7pBzcLy6xSa0eu7zkUjJDgtkwWCuD5n18dmPQniZRpkst2rrPW2AwFPDBLFHeFNC8WOzYSBBhjSfnjmx0CnsuyvDlicifUJUbj0IT3x6/3fe3w+GVW3UVU58J57Be36D93yLq104ChEBmKK9Ccm89bdCLtfdiQNddqNjSoLJnUhCeZdVdesEMSXKCyPXbVWxUONzh0CLp5A8u/otm2MuTGINRJo0OrikQf29+8Z1MD287sBi7CBu6fXx19cyKCoiWrHZah1vlAq/G3H2z98iPrHtnV8MDm6had/PR4cMCXvDgSsKnSLQ1WsmiUANUFCS++kSYYrVWZeO2yD/168W2ujAaTimBoz8baSizukvPz/r5Ygef39/MtPTqPL/LMGwMv9weyGX4Ly4DNaF5xNf2jz+4gvCIcbWGJgu9yOYLBb/7s4uleZ2O1oYAnzpWNxlPPvjNKeAqAdjaSqtFVrWu2SOayuTKcsEpp1VXhaPzU1VlfIhOJJj69t7671QZ/kV+s/Lm06J/vm/76873PnPOMJYSoskwVmGadLPPHH3I8sttqNQkHHrC5cty2GeB5MecWg3JHp6HNUtU/GHYlhUXCQs5XPExUMkR7dU24CcXVWCOUx+URmrscJMVCKr61y9HVbOXdQ6YdT6b/+ntnvvPO9CV/UiS7zr6BMM2/d2/Db3x04/aeOn4COEyjdmmqMWrjseNjoXAmPTgW3NlmQDq93F1j/pRCDxr0jkara8yFkzf2Fvl3pXMESqMzkY11mq7ma2FVistUrrxfZ6ACz+/XJ7vguIBewnF89+jE8AJWo6CxJpX8H0+t272hkdx8CzbEisi9LOPy3JGBv3xx5NxU2DnpsZlUKJWLLXcSyfTZPvfZKVyX5QlZZmQi2GZVkQ0wa3w9b20FSsedgTcuuz2xNKD+5YfaxTpYFl/ziYSXwsbnvYsTX3uh77mrAb9QIObfn3eO8Bz/nk92aX//Q9XbOgxIW1EuLiV22LxWKl9ueAZ4l5h2QLq1RrOnU6cIp09NxbIhu0s3LRBaLr/qTbrHPUQAJY8ZcpeFn/P1RkBog04p9NZyBW7Q//Mb733vvNeNG7v0lqQz1Sr5Hz7S9uQD3Y01plzwWl4/eOVYLH6yzxNIyTzxdDQQuXdbPT4F1ype72F5Z2q1EhnAs8dGxB6y1AgiMtnkyOz+jTULbXyX11+l9NqZgcUYo7UzkgqlS5yBvjHPS++OX8RApvRihh4u8dQuy+6eZrjYpbR5onf6//nGeW9GBsfz/NXA6StO5NjFFREt3rPJLImLWYinErI/+dFVknDgqsRCmV+ezFHO2fCIN45t7V1tpo5mWOd5BfILF5/HEuk3z4z/wdcvPD8cii0wSKkWOByMpP7NQcvvPlFXa1dHkhjDLUVMWtxn5cpNmQGRBSuektXYVP/+k/W/sdcUCMXKv4IYk70+Ff/T71966dggtodLJAIjBz6ER/mdvzz6XH/2JUE1LePpZxTR5B98uPPJB9ej7hUpvvNePL6xXQCO6YUGfnrZNzzpW2KP5Yuhu/lPn9wQjSWJMF5cEvi/GJB9/9WrbDqL71auvI9nYBmr3vt4Fv7lDC0UTZy9MnMY+xchRS5xZFKpNl3mob2d1UuzRoG7/TtSSeiE45MymcaM68G72kk/QNNwsYIl4q8w0ZIBz+uaavYQ3FFws/K0LD2dzjz1Txe/+pNzHn9EKsNf1iBiLv7Ni0MI3ms1Vf/5M5vN85NTlSB67hLgygBZqf/4OxcHw0isyx2pZGavRf61p2o/c8BKpBGKVmJml5uv23dPiFIC0dSXH6n91hebWjQKnlSZznnKFwPpv3hu4Mev9XqDJKlaqloCzvhLH+me9EUJvCOOZOaeWu3//o0djx7qNOmFo31+pzTrD0UuD3mGw9c0QsF4csoDZ3ujB79DYo88tq/tV3Y6oguMlJ/HW1e8lwedN9pZpf6amoGKcHtNPa4bI5YlBt/fb782dMaLXLBEW6xT5nTqDz/RdfeONhHxo2Sh/HoCgOXj3sjksBenlz112i8+0r2t0wHSEZzrh28NkMPCTKSnrBMKrZGNqiqTOtPnJfQ/azBMiEGteOmK7yuvDDbp5U0OfSSaPHxq9D9/93J/JKVOZ37rA03372oxEIaiFLX5hEjnITp9c/DXv3ExTrLLsp7N2Kbd16L/zUcd65v0YSJaFbdVuXJHZ4AnAlY12tQf2mmanQ65fGlSZSxIkVzmSWWO9Xo6zQqhLlmqwDmzsb066A8Ojfp51/fUan/zY+sPbW9W40TFq5nXHT8cXzD2wtHhP3h2kGg2EhmKtOwL97Y2VxvySy5I4WI3YM3J9HXkFGFrS6uTsIZT+MP7NtcvxZ1ssd4q99fGDFTgeW08p5tCJfE7Xzw29L9Pu0saodAFsTs+ttHw2IF19XZy6i28Gl6nRoT32N1ds7XdJA9FDmyqfnBvK1kV4YCPnh79p5/1vXJmxq6Tw4hn5eTAsxIrHn06fmE4kEVofFdk6iphAfTCBfe33hz95uHhp0/OhJMyc5X8U1ttn/hAV53dgITxeocLnIkFNBT/yRtX/vJnwzKNCPa0QEF2DrJ1esVndxieuttabREC7QVLrsobS2Txc48vVz4X7Sx3a1WObx5RBE9Fobyzw1CjlblcSScxXxd4sFzGDemtyx6bPNlcT2JR6i1QdK4H5oFnf2hjrSIaadRX/fantuzqqc/W4s61uuLlyKTxzfvZkcGv/HwkQtw4LnAzmXmk0/jpB7oIpzPX3g39C7OOatmsTJ0Y8DOQUgeSpWStsYpUqkjdSxWoXHu/zUAFnt9vT3Sh8eDofLHf+bVXR0gzUBKRWMe7jcnP3Ne+q6dR5NldwsEiJlYyeQbQ3dLlWN9mJ9w/CrwB3JkOD70yGXPF0k+/O2WQpdpqyLpI7gkF6yaBizWpuGc2OkseDNhoBUuwgmBM6KvBbDpuMig/ssn2ix/q6Wy2oxPMrZVlKPIEol9/8crvPzOo0CgXWMLFgotub5dF8dQ+88N77CqVIrbqHackcM1OsrA6ViiqqkgYolColGqVSiXyHKrUWq1erzMYyDetM+Q+Op1eo9VyV0lJUmGzacpWpD6NCA9zZjb7IuS6KDO9d/AWkg244c4GrV0ji/piBAEVG6pSyMssIRR6q9fTZVKQyoxk4Yu/PFn9S1ujdWOXY0OrXRrmHDSLb6lUetod+u5r/b//TH9CqaRfgc3pTLdJ+ZuPd68jYEj2J3Dj80OriKtw+ndO+c67SAhdOEJGNxtPV1dlelqtFLvxHistrP4ZEIzL6qeyQuGNz8C0J/S1Zy/+w3vOBbTOcpM888V9li88tr3OZlhud7kFEy52ejb89EtX/ubIVFISL2fSkVjmUz3mT9zXtqOn3mIQcSRgR46fn3jh+MRrQ0EfIZDlChGZKZ1h1dlVq/3Ivoa7tzc21ZnZJRSuUkWUST0+83rfn782noSrWLgCKsyHmzWfPmRhrWexk9TNRe2tigv8KgEOHHzFxgUUVqqVYCxyVUUVqCzwVYFPzpz2IYu1+UZMuTHQSlb/L9SxWKSn0imaTYojDvCk0sl4PJZEZpIS/7MSSPutXPXVc8J7QJCQocnIj4/PvjiaKmNVwMyho/m9e+o//fAGu1nLBJYfBVNEAfEGFoE+Pg6XBl0/OTzw1ROuZFbiTSHmc4Ox6tc+2P6BfcTb1PC+LfzGle+5xN1ILPHGe8P/9QdXx0m8XurdX6dT/OYj7Y8c7CRkWon6lUvvrxkored4f42xMhqRHe/CVeffvj2TEQl/SkwIFmGbqxV3b22ttuhK3F7sUn6TAILDotpZrTnhjmcZWYVOI3u2L3Bu4uKXHgod2t7UUGOsseof2t/RWm8+0Oea8UTc/hg9mHSqWqt2Q4dtU2cNtjlZL5tyHUvrKbsBUkP+9etjSRULFoSU3m4qU+lPbtA9tsvS06wLEo9s9e1KpY2yxBnD48Ilq8Wh4QMk870kAEsTBMZgFpc/WbmnnMUnAVGo4wtWdGoJoI7HEolELB4FpxMCtlPJJAIWMY1sYvLbvIPnWTFHprtJ94kDDpvB/5MrUeEvV4ogaIbB/bPXJzFZePRQB6Ka7EAWBOncrBa0FgjHL/TP/N2zvT8fDmlQl2TfK6wc72/UPXGg6f697Ww0b/r0aDWqbd11H98987+PC2vJ4vFdDiaPnJ/B0htJ1aI7j+LqlStrawYq8Ly2ntdKqOVn7vaGn39nFKarZARP5MnYu9y1yQourvg3n11MBELUOQwfOoj22mh+bfCN8eg1HlopH4ll/uHnw4MT/scOtm3uqkWUt6Wrur3RGo4loiRJwNlaXUXQMYA5t2IuOtoJZ+Anh/u/9c50QmAzR4kVTVxNpH9hl/HJ/VajXimweTUdACFTx0KPINqgN2q1OgHGWVl0PiQDpRKfB/eWTsHXpRJxQJSLMMhAau6uCGYNby25oiELF75BggnPNikk20I+zgRwmY8QkKuE9hR0p9m5Ix4OhyORIDz1quKnGWVbnfYzdysNau83z4RCC8OjXKn4Ly+PugOxX3tiq9jqLefgcUTjidfeHX76jZGjU1GtVgmzDpPMDu/x9ZZP3te2dV1twVuafTSLKrsXJ4ItAvFP7tvRfrb//OuIn4qCkqEeOjoavmvATX5V4s8v3mKlxFqegQo8r+WntzTaWXnPXHW+NhjM5FiqwoqZB1pUjx/sWZZOSyxJeIUK2aC0MKVnfdGxGT8KY7tFe3BHS61dv/7t0adPOHGJFrZamQwI/c8n3ePu6IcPhPZtaay2aI06pQjhmRMwiiAnCzI6BVRPu4M/Ozr09LHJuaBgJbAZMHPIMl+6z3Jok8lsUEVXUzAwxAyApZZDo9No0BTrAWYk2PnDhJWFpxX8rDjiYC9QzEUwmOsC2LP5icXJ3MF5juuVToQwnIBZAqrBZiW4zDkdqfgI5bQ4BIArrkE1T9ZgMCUStmgsGotFI5GwxE/nmp3r6nb/K3joTIbn+Pg+q0Gj+NOjATW5JdmZFL/YpFORy/7qyLRZr/ro/euWrq9h7JOu0Funxr5xeOycPylXKYQgPSMzKWQf22r75Ac6SQ+TH18TV67xGf+sL4JUCldp7MbZYvJQlv4aF0wiT4IAYQc31b7rGo+IfVsBVy8bi6ZfPzO9qdOxod2+4l4KOq18XZ0zUDENW53P5WZSNeMJ/bdvn+sNsWSUbFZuDkd/6ZGO/VtahFxwgULFNS8Me1yzQYtJh4qZWsT1hJH9xst90XAMBtpu1tit+o0d9gaL8uSV2Sjsh1hDM7Bjff7k0IjX4w621JlMrLJUzh50wb/FHZW8gir92Tf6v3V0cjhOrZJFRHtGWea377Xcs9UMa756/KcAZhZWk9HscNRYrDaj0aTXG0BKIBKi2U4ByqFQwO/3erxur3c2EPSHw4FYLBKNRsDLeBw7P5TFguMV7HMeHosxz58O7opiWVgHZQn1QgsS6IbDQVoOBvyRaCSeiMMgStw2LQDfQLdGGJ3pgWp2D3THBqG4fa7c5oNsV0Ta2tCi6zJVHbkaSme1wsU0COG3QnZpLKhPxTd2OpZix0AjzCcx9b7ywtDF4HUjDYMs89R2+y89vqm9ySbFEROvcjZeHk72//jTS0cvzb5z2X221xUMhVDcGHRq8UYX07S0K2pVFXHNZqf8vd54cTO0O+6NtxkVHU0WhOFLa7JSak3OQAWe1+RjWzrRLOE/fbP/qyed8E7FtUAD8s/vrld9+eM74GKL14LiKrkrR86M/Z8Xev2+MGCs16lIxvdfv3/lvCc1NBHY3GTAuQV9Kdc7G8yHui3jY97emQiSVLFmyWUzkdSlybBn2ksuBFTRMJFLX8tYFn3B6KvvDH/9rfEBvK1L15QTlKRZLfu/77fetRlKFGQFzFF+p06ySCqE2DarHWA2m606nQ6zL4m7zVEVDPgmp8YCAV+E0M8JoQwWKCzw4BqLLD0m/uaOXN3ik+IyXJGKZWEb3E5KaB3ESi+RwOSb+1Itdk7w2YLF1miNwjJcj6CcrQMU0UKuneJOb/UVaSo66zXr7cqXrkQwK0QkUNwpFMKADo4Hlcl4R5PIYCHILi6Xd4UqmHyPjXvPTUUk4yxbJvNvH23+5IM9RJaVTBXnBi72sjq9+p9fHb7gT01Ek5e9iasjwbAv1FprMBs1i9uN5/Wbf8q0I8dCudA/EppN0kv+TXEukq2GY1s7bQ6LTpJcFZaofH9fzEAFnt8Xj3HhQXgD0f/2nYszievCz/yyIDZZI//nF3b0tFUXrwL5JQvOwcgjZyafPjN7ctD/8xPjrXX6Z98YfHMqps6kP7zJ9sCeZpGSOesTRUQkoU7bVp/xB88O+nBzFk3JxRIz4I4dPj1eFY9v7qpGplfQxUJfYdNfPT70xz8ZmMArdgGiWb6r5bLfvt+6Z6NI6SHA7Y4ec8Csqqtt4IMTlFqtBflY35lJMHh21gVYqtm+EHwtqwwOh0NcgWqucNwK8qWWpcah0GSysGkAi7kCSdMzE0JRrWRHJYTwkqmawWA2myzw4tFolN3CLSJsKYPlkSLr7qrXbnNUHemL4Cu8EDGBtGx0Ilirk3U2W9molW+ciUav3NlidY66B/0JWSjx7z++/qmHNuAxSI9OX+TEVdexC1PJdNqohYevwkBsfb3uJyemMuJpyoJp+YWJMKaY61usmDouRFJ5GrjLzwHb7L7ByasesQEtaIeOhoOJzXZ1Z5O1EqVk0clcuwUq8Lx2n92SKP/+K71fP+1icS0uzaVwPPVkl+6XHt/GcrAsCCAo2Junxo+MhRGJOuOZp9+evDQbw5Cl1aB86r428vwos9gjdcriQnagA1sbNtSoL4hEzilYeXpHZRiUK73uyEcOtGrVi5tBgAcwbuf7Zv7fH/eO4SKNlroUbAHG9SrF79xvgW9mVHcWmyVg1mq0NTV1dXUNCLGBOglKgEC/3+N0TjtdM6FQMBIN47UMqwrNnICCnAutczIpsc0Fa3TxA13WFYkwdNjonC1mW31do8ViRxtNI+wYJiZHfV5fIOhDwA4JPC7U09ziJUFpDZBbzFbU1dFYBJPxYvxYFiU3UhiFRXO1ZqND+UZvBPPChaaIDBa9Y4EGgxx9ihTDrlyncrnNqLboq672uv7sl7d99O4uHhmG3C8eHfgv/+fM3xwef/7C7HffHu/vnXaYqlA22y16/7TncL+fN1gY0CsUxwZ8PZYq+PUVYydbAYtRE4ilzw94w6UFP/L+Yd+9m6qx81jeT7fcyCv3VtcMVOB5dT2Pm0sNhs2f/JuTGm1p5GMJwFbqP392W2cTSemX17PbHz18avzMjBAAcoAprNHAyMPdlgf3tTpM2nxxNW2LQnIZC9a+ddaQM+AOJsI4N2GnKov/h89u7WmxLmWJYem7POT+xa+cGkOmLTTepWluV8t+5YD57q0W8PuOxx2BGa2prq2tvQbMIB/azXgi6vV6pqfHvF5fKo1CV4hJ0Sb7Az6Mt0FlBgYk6PVGs8VmyCK68FIWGw0xl6WHvcyrKL9RKsMu19U1ImaXtgWCvHRqZHQQy22imEAVXyPhsM/vQe2ND7bE8XMdZhoZADiNtRq68GV2fpOLt9ZqN9qrekfjXkKWlJoeRN9sCiOz4fY6fY3dwMZiMQoyDTWmD+5t2thRQ3skMn/lncF//XSvK80UIN5AmKDo9yeeOTK+vUFHGK91rdb1dvXvPN69v9PqmvQjkR6eCBzosd+I8JlJbqs14upwheaKyUVDFE2162QbOxwr3gQUt1q5sqpmoALPq+px3ExicL750atX3xoOllTLwQpF4tFf3Wf7zMObl7BaFRIWiCSGJrwzrkhAuN6IUEqsJiznLl884As5jEpCbQuGnGOuKqcEWiD//I5ue7UyM+sKJ2Kpf/No5yP728iWkVdwrkLevxKqTbmD/9/3zp92RkGOvJvzTts1ii/sN9233cJVEWjjzh1wmVaLHWAGxljOGQJaXkDOPet0OqdC4SA4LYypszPEX4PRWFNdjx03wAzh3JWkyvg9G4xCpGw2WyTw5krWBluSjeePkcnOfRi5OOcQdl7iP5UOUy+DAV7ZYa8Rym+LDXWyRBvPMLtLgB4Z6md2V4l4DKwW9bNqXXh91OHQz0AAaYiUWtYbTDRCZXTScOS3f77pEvgiyVWdVjYxnXCjx8m9c3nUQO+QP5n0hTvrjTbzvO1jXilxKmozaQqFUSd8CjDOOHNl6kv/eK6KbS66iLk3WoQoUVZ95/jkJrtyx/ravT01jdWmdY3mamPV1RH/eU/cmEnvWCfMvEuRU9Bn4Vfx5IgjplKwK3vjzEys1H4CiVfcHzuw0WEzaXgWhU1Uvq/9GajA89p/hguMADD72ou9Q8IAtdRPN51Zb8r8h8/tJQ7JCn7b+Fx2NFtqdfLeIa83Pde+XBZKy06NB09ccBnkSXxaMMZBKCrd5i8rndsXwa13c1dNg1nRblU9fk+XlN5qMRoyM57wn3z/wo8ve3I5CQrHnZE1qmSf22u8bwdyV/md4puBKIAZY+zamnoAlXNgD/kwwDbrcblcM9FIGMoZLweFwTlic9rs1dWO2iwuKuZstUKJBLgj1M8gIcUwIsOCGrA3Gs1GIV62wL7qdUaJiwW54bOxswaB+RgNJlhbyMA+3Gq1i4/FZrHYuH7NtRrtg/DKEuJzTMNglzmHJKkjimG4zZWsaXgWpLNvEd5cwUAAmTb7MfGfMPVWsF2gR0YqdlFZQzbaKXw6t/g7kdubajQE/hQIXSKdqeiefca5ybAxEUO1zMtZhkiovzYApBqpzAtHh17u95NLUjw3WWafXXOwWb/JofFFUlG57FK/Z3ubCaackD9AJurt6SnvuZnY24O+R7dV19v0YsuzwiNjs+r7+52XPfF8cVSusZFQcqNVRZQS+s1drJy8b2agAs/vm0c5byCwzi8eHXzm3GxoAX4mmoj9q4N19+7sWJRznddu3heDVqnTKo+emZgIp1n4SNUrsVnI/VD1vdPndU37WQNNBrWUn4C1G5H4M6/1ne9zYjjW3erYsZ4M85iesuYtuLhQC3gjJ/TTL17+2yNTGo3QgJY8hPfLTuMje4T5D743Jcvc6ovALWpjGFObzQFoQTlYC/LhH+WZdeK/xBWJ75QoAdIQLDsctSaTGR6XwRK9y+f1YCmGPDkY8uNzjOg4a7ydoiKcrlRRAmyqZx2mcZuG68YMXATflj6cc4UPtxBcS/xubvigrvBnjoSDQT8deX0e1MyhMBsCbAmIfy6YYwl0YbrBb0ZBXfBMHAo5V+D+JU5a0CQwugpKdDoDSmoR3WSufK7HW33CbgxK6mxKnSIzNhVDZyCQtOhA7nJ1JupQJNsbLNhelSoyrw5NEJvlzVMT70yECQuPTOPuRv0XH+z46L2duzbWdViUYxP+q4GUZ9K7sd0qmUPiNv3upZlL7lgyldlZp93SVVMSWed1s8AXJluvUVmNVS+cmU7ObRjyy0I/GugHt9XYzCsJ9pffVOV8Fc5ABZ5X4UO5CSSNTvu/+vyVc74kv/Di5sg732PO/PpjWxprhGFzcYGlXMGC+pXjIy9f9IRkctjWT2y1DzijsQQCPzk2XzBc52Yib1x0G1NxlkFhkyyTnbw49U+vDP/wolcRDG/usOGpwrpeksIcAdylo7dOjZDLj3ZKCS5pWF6VSP2rvaYP7bHq7pB/M8CsUWthl8FmdLrMKpAG/gF+MM0gNAUYC0duaIiaQXGYWhCU67Ckfr9vdtbp93nRNEslAUJAHR9oQm9KQMt1CcXxQuYu5xxzfwX20z7oC1csbghuloDacakwky0VYPfmhZV3O4HkrOZY7GZoREB2NAzlUCkk4uA/HLtaGC0ju6Y1iarrtEUEoiPSpllAOrtdIOrZNdtvaci58d7qE7rj6TfYVfJUesCZxKWq5EEelFf6fNtr1FhCLMp00gY7PSJvk0saeNYpZL96T/ND+9pqbAabSYspeKNZebLfO+pNWKtSXc3W2UD01XdHfnDBExb7BXmPVXXX1oZFeylJZ+4i0U7GB51nZqLIhHIXpRMexEwss84g37Ju5ZuAgjYrX1fPDJQ2Glo99FUoWcEMsPie6Z0ZXgCbATOCI/7CvS2E9wIdV9C+VGXaEz511e1OZhKJ1Id31X3+kZ69G5w/enOYQJ7AM/CCFDqYypCp4tCV2bt6RDKrl05OXYXVrpIbtGSvWpAPzicJzDh9ZeqPn74EMpTCZlEWJPrkRj2RpGDT43dIqI2E2WpxIFSWphQ0BWtR1hLugyHk808SaCF5tlkd8Lxwo8BhEGdnnwdo5C7ih9wMZIFQSMspDzyLwabTAT8mZbNS8E7BucqvzST8s9XqgIB4LAr/nWuE9gFpviLrRr4tmGmFHH6dDQFHPm10DeR7CBkTDKDtzhYWgms4ab9GS4AUwV6LHQYfsdugTWzOYcR1OtTjVr0epbWClgUvr9XNetxgf377OZJu0QlR4bSaKnZp4UTmO+cjJcNWZ7ePVV99ZdhhN9y1ub78T4ARVsnTXa02mWwEPQPBbVrq0ChcCwaCu8E9u1p/P5b6wx9c/fn5WY2mPxiO//iUyxkVuytwPRvD5EbHylv94YOt3z5/Ng2tYsrnHexZf3xi+rF7OpceGW1e/cqXVTwDFe55FT+clZLm9IVffHvkrdFgSYEYUuh99qqnPtDdVGu6Aa2YSMRbb9dqiSSVSP/bz25vrze11JvXN5ubdfJpZ3gmkhQwwyKVNcl5Y8D32lXfUECwZVusyk/c3bqpq2YpaSuvjMx+9bneU2TXWGAnkQCb1+l/4X4H8UFvPzaDpuwzgDG7vSZrZqUAPoFa7L/AZqAOCJNgTHqYAn0VCoe9Fr4ZCAPkkGYDhx7vLCeUzC9MFak8jcNkA9KwybPuGY/HGUPinSaICAkt4gQCYzcQi0ZhX9FL034kEnK5pqXrIuNFVjqNyJkgndQR/LAItc3/aspkiby+6ks0AOfIrnHq4iscNGy0RiTn0ApNtUDo668mBeCq6QUSqEWrkMGmAYQW2utMhihllC4Y1/X6N/sMUMSLr9GmmpmK9XpxCcujNdsXDDH0j4dS06OeXetsdrOO/VMZ8rilUyv9M/4Lzghbou0NmrYGCzjNw+ED2OPWPzgy+9pI8ORo6L3xsEskpRYJsLD3/o2HOtY1L8krodw04Ohl1k2Mz17CKLJoOFQcCyY22VQbO3H1rxzvqxmowPP76nEyGODh3fOT3z82MR4rvegQh+Tz+6sPbW8hpU+ZVWnRecEkFbHb5g773ZtrupqsiE2BW2xiu1ttmxr1iKRHQZzsuizssllXxKIlJ1fl5/bVPbi/XYrvXX5Bwbrtm89ffq7XH2UpzMeEOeIIPr3HofnSB+12s+r2x+xEqExKKcytMbzCvIvxAV5u9wwf4ApkLZheyjNF9fUtZrMZGONJwXq6XTMogBdCCLDWbqshyhgnCKpd7mnU2MAhbFTBAUML3mPSRUmwmmidJcoQhSaOaVoYJbWyivzbKiAXXEdVXEAqX6GfUSCfZ4/AMNkcoKGAQQeeiQoq2RlIz0GiBIE87DigLkTiKl4tUmGqRKAxQtDESszG3DO8+f9ieUCo2U3Nmgt9EVei9K+AyRkOJGX+4P4t9eXNLxgdGatwRrjY656KZTCWbq3RVtsM1GIrQACAy0Ou509MTUSFulu4QGXfaUUy9at7az92bxcmGgVzu9wB0x5ceK1Z9drJaXZwBdXpkLE4p0MP7qznF11wt/J1Tc9ABZ7X9OMrQTym0T87MvSzgUA2xnVhASRuGGx/8YENnU03JNlmUcDsF8wh6xDMAABAAElEQVQ16TUERshJ3cAGLG7qq43b19lbjYqJYe9UTGijWciqZPJ0Mn1vk/aJB9Z1NljEml5I3fXvWQ+d9Gvvjnzr2NS0WGGvy3uvF5LJ1xsU//4j1fUOze23BQO9sJTGPBvPIphFMR/ZaB7ItCVgLhgf2IztVkNDS1YCXIXAGQG1yz0jMc15g7p+SpVsXO5q8I7m3W4nTHYx6ucqIP2+Ds8BfwEBUjEuAsaAKEE6hVW98OFVRKOYbRfCGCU52BMAuvDfApyVcMZV2H+BzWHyRRVxcllEh4uOoX2Hhxa7siolIVlQeaNBL0N5bgg36wQVh0Wv3N6iefW0LwKhpV414r9cmIoYEtFt3bVZEXfhDOSI4a7NoqszKt685B4JJmcmPH5/ZHw2curS1I/fHPzR25NnvQlQmeniL9IpNjy/vr/mFz+0kXi3TG+unRWf0DJbhIlRd7EGmpFx1xNJbalVd7dYBQ2V4/0yAxV4fr88yew4QIgrw+4Xjo/1B6/ZFs0fHuxd6pcP1Nyzs92sx6545QfmrJFYKp4U0Jtd2q41JRaLbEhC9HP4e2zusqqDERbBaCqDuO9gvfaXH1u3f1Mdq3yZVQTsh7N889To3z0/cAUWpwgGRGcZmTmV/K2H7D0tOhG26vYeIA3KZnya0bDm1l9WRqymJTHvtcV6jioJmxsbWmBwKQYDiocVcLsQ0yzVo7Wa2joszijmdrswMWPYZdbfpcAzLdMCXD5sMapogc9YmGdkWavyOXLz/pW6E6LzKB5xQiLOXgGExuMLe7d8YpgTNlVMC3FOsOLO3eJEUrED85TIXc/r5Jackpyszqqq0StJm5HJU+fnOuM1Q/MyNuLf0mpoqTOXJwyxBxHH9rQaQu7g+enYO4OB1y+4jl71nnVFxmJopcV+lRYQ56w3Vf27R9s/9cGeertO2rfleryRE35lmPv99LRTwbanuCEE4LLU3k31lRAlxXOzdq9U4HntPrsSlMcSqePnp7510kUap+LbLI7dxuSn7u7obllGjOv8dkBN7M4ujXj/+YXer7/Q+/MTY1cGXEj1OupNrE2gSA4/+IrBaqPDeHBbw6Nbq9c7NI9tq/nVD/Xg8bzomgXpWJ4/c3jwuX4/i1E+AblzXKh//ZD93s2YYt3+sJ1yNMFEwZQE2uAx0AXMwThltb8W0Ai0Q00rgTTYjEq4ob4ZXSyIgDp2cmoUJlvwWgvwOjwpUL+mpgFvZoaMGtvtni5mcHOzIZ0sEZ4pTL8gNA2CpnQEG41515zZV0Gr4qtUnjDgsMKS4NpgwNFZGYBHz4IFo+I6c1JdXZv1KBMjw9gNi3GooguNVoeqGyP0RUdRovuVXsIWYWurzl6VeXUgxj6yZDNBmTziDu1YX10+fTKVJYS+b2fT7nXWqSnfhdl4VCFLZuU6PEl2n4TZeaLb/Huf2fLA7laLQYO6p3SXJelY7CImgBhXDgzN9nsTxQ2zO0hGEtvbzQ3VpsVaqtxfMzNQgec186iWQujwpPeZo6OnUFGVWhmwcH58vemB3R3CQXMhZCjbDXZYpy5P/s/vnH/6jGs0lun3J98aDHz72Pjb56bqjUKsjQA0axB2bV2Cncrazhh3ddds7XBkk9gv3nMomjh8cvTv3ppMLiAYBJA/3aP7xH4L5mDkxbjNB1G3CKANErMdIScjqSPcLifYhskVOw8BRRot1stgM9ZYCIfB5pqaeuyqQCyKjY8PIxnGbq78E6AXq81BIZhOp2sa8XL58kzC0uGZwrSGFBqCyUaFczOOUWwysO1aqBeuc9cf8LIpyTLHCioyWMzQGDPad7BZAnumhWFOTU3MzMyEwgHuorqWHKNhvjFlK1Z137onGE3K2mrVAVe41yO884s7AtgGZmOqcHhHTy0pLooL5F9hEkKR+EtHB3903oO6XogCxAZLrslktlsVv/lQyxc/vHl9s0UytCjRWX5byz3PIKlSmFTpwxfciRJNywPxlCGV3LuJcPeld7TL7bBS/o7PQAWe7/gjuGkEROPJdy9MfuWN8USpZYiFp1qt+Pz9zTs3NGJZW+IHvhgh8M1Xhtz//TsXjs4ARcJylUaI1gQqTQSSz52cPn9pOi1LkU5AgFR25WLtyq5fc01nL859Kf0vAoATFyf+/Cd945F5/ki50rApexzqj+0xNVZrb6eptiSYra6uI4Y2YIMgAZOuGecU3DMohVE02SNYqWEiGTzgjWYa6TTOzdh1Y/bMdKFmHhsfBhTzXady48o7QUiur6tvYZ0F55CBY0E2bxrziuafLgueqciIAEsYYvhd9haECGMrkN9gwblEA07YEqijUcZSDFLJpWGxWBF6A8ww5QQ5mZ4aQ36gEG9ZBhk4uI5EgVkS/lZaHd7VtzNuCXZVm1r0o2NxEaq91IHOORlOtFdrmuuEEKj8TyMWT14cnD0xGoyJosJ9qk0te3i95dc+vvmB3e02o4Y3HtFOPJEKRJLBSBz7bT7ZAHDChqu0GrwUVQXX6IrqhDAbHHIP+Ni4FpIZz8jNmfTmNgsGmwV1K1/X6AxU4HmNPrgSZLu84Z8fH31zNFz80xWl05mH23Uf3NdR7xDy0uUe8MGeYPTHr/d/57wH9CXVIVJK4XqbBXokfEhj8eR68ayzb9CtSMRZmpFLw47kE1O4ohQRwfo+5Q795PDAC4NBOLqi+6z2svV6xVMHzLvWGZESC43fbTnoCvgh5Ijd5qBDDLtwPsawCzRi3eQKfykDjuKqJBZScQgDZtCIityl5OTkGHLwxbBZoCbcNnZkzAbSYx8uzksb43LhGarEQ5QJk28QF2E19JdnbUWVVJqQYWw+AHXAhr8MkwfDAEFi/K1xd6ZVnrt0MBz2JTRLSXqBgaa7hPAHIxfI/N3b0oa53FKYJuCj4NDLrwxHPCVD3BLcI5oypZNdjWaLcZGs5ziNw2NPTvgQMvM2PtSqf+pQ8+cf3bCuyca7zqbN5QsPjXveOT/19Kv9f/Vi/zeOjj1zdKR/1KsQ8XmUZECn2HKHIJVnRtlXBwORwwOB/J+VdJfXEMe7zmrNulbs/Bf9qa2MhEqt2zoDFXi+rdN96zpjXRie9P3w7fGxsAhAUXw4lPKP7DDdtb19ZcYjQPHgmPevnx9AVwfz+vhm24EWY6tOFohmQoSuyq4GsAaY6+Kv8sbl2fNXXMFglFCfyHiJvL2UJQk0CkaSR06N/vXhBcTaGZlJIXt8o+7eLWaCVN22jBcADBCLkTYqZ6BXGF17Pe7ZmQI1qkAjhRzcAb0Qa4ssFEj255gxarGb4ButMVL+z93Kf1hcNxktdruDkphj0QuBTUqWzK8lnS8XnqlFdzDoQDMROZGpIBVAXF/cslQSMiiJNRwRSLQ6PXOSK0kjADMO2fDfUJ4PDxLxGJdRBgk/cwJCE4Q0FoswS7SwxNHl+lrJicgRWaWVZfqm4yWjiRE2vm86UquRdTVZtJrr4yruC4wkgyTi+6mp4MPd5l/9yIaD25uNIlBJhvB2V4Zcz7wx8PcvDn73tPO8K+aJpgPRlCeaujAZPnzZE3D6Ghw6kZCjQKpU3M0CV9RZcL98FRcveP7CQpGUrMVQtanDrq94WBXOzZr8XoHnNfnYiomOxJInLkw+/Z6zOLef0KelMxvNig8d6CQMIetLcfVFrxAO6ZuvDvy013uoVvuFB9sfv6dz96Y6FgK/L3xxgkQYMsJikxKAdmgehmw8nHqrz/vOlVmfK7Cli5gh6kW7IJZZ77DrT5/po25JNSGM+gMtVU8edJgMSgov2uBNKQCAYTtdU10n1MlZvjkbRcRVgM25vgAbqiDORbKNzpX5YGeT5XuUhN8CltDdYi/NrgW1dJZ3nYdPYF5jA0ZkasnzCu45H+pyvZQ8WQE8S9RCCaBLp+AmIAqU5iCTsbCrQBSAlB47NYDZYrWhF5ewWew5GCH+vqlEIBiQKubq5hPJRSS8hFGhojiUasmFms5KPuv8ujflXKtWOMzKcCBxwYk5V+FPgO/xtEwRjXc1GuvseEMVFsingc2mw6Zrd6g/uL9tXYvIv8LL6A/Fjp4Z/dbLA9886yEyCbbi9CJ9mCC8D7DWvOqMykLh5hoDYUbKd5HfXf45TXKEAuF3R9knFxJJt6p4qrvR0FRrpFh+xcr5WpyBSlDPtfjUCmlmAXV5wq+cmvYnr0mbC0qAm1vbdBs7V+jrnJU5B58+MqZIy7a0mnb21EkRBMEZLLMICrXNojzUbTty1XPBJ/ygYKbJ3YC0dCSYGJoJw5UV0FPyqz+cePHt0cuzMXkpsTYrIEq+x3ZaGx3qUPz2YTNwQoQvUjpKfDPY7J51Qv9Cyx9oBphRhQCfVMF/CYkxeISWlr8atQ41L0gPk423MQpaVNfJBNZSQuYBU223WRECcw6WEVnzNqyxDAR1OESymYA5tpitPh9KdDHDDITNBPRkdcxit8EVBsX7AOPL0IhCqtXoCBXKoKodNYT3BqGpuNBBL4wRHl1k7NDokOHzNRwJLTSZC7WzguuYKVhMqgPdhivTqTP+ZDH+oqY5PBldf3ys1mZoFZ4I5V7aWqvuvj1tZBqRHhD7jmPnJr/ybN/ZQFp6e8WmhilEBySSjonJJK9krEr+9DlPa+14rU1PZtUVjIIqVpN2Q5ul7ZRrIMq2b14bTOO7M9HTva5NnTVS2J95tytf1toMVOB5rT2xUvSyug9OeJ/v88tVpU1Pm1XyXRtqHeaVrAhikcnIRl3hkXAKS2miPSCsZoGGkIGx2bMD3kQi/eShlkf2NN8z7v3hmyPfu+AhhIJIMomrSSL9sUMtVsMiPta0xvHW2fGnTzizQxDL2fwD5W3qA9uMG1r1wVhpA5/55W/CN1ZYsJk8j6CpUCumktMzk5iD0XQZOGFZNpusgBxVgF6ci7B2BpDgTPXkfDQYMZISImKdkhMjKJckMKeIygnaxRNJTKBpn76IDgYjW6ajmzDCuSaYf1J3ZDNeGbQ6A3Ze6MjxigaYUUhLf3NwJW04IlGRSwN9sxAGKJXEIWE4BCvFjj2nj59r/vq/DAcwnpoar69vAqEBdRBaZL8OBRdVyV9vZaVnGEhs6zJ8LJh0Hw9OxHjHCl8zzNZ/eNa9fZ2zFvGwmqdcDqFVWcWF+HWk01dHZr/9CticIggA1PEjjCVJFC3b2aA72GltrNZNuCKvXHQPENRWIX/nsuvuHU0rhmcs3VrqLVvqdVf7A8Vuh4Q4758IEG6PeEG3YW+30kdRqbekGajA85KmaZUXwpr0Qr8bg+AFHmdmc71yW1dj+eVmoTEKnM3I3K6gRglLLB93RbBBs2ChKpOduux0xdNdNs1HD7ZXW7TVVj1be5ms96e9PrteGYikDnWaDmxpWArzPOkOf/XFgVnMeEpvMDKENPn0IVS/Qnm7EKk38brEBIOyoBRoCl46ndPYZkOAoGGBg1rYTGFBBq5TRcJmLnIezuaeAgURESPlxjxKyHhF7GtMpbQs8cjDOfhK2yCftA+gbq6rMv3myizxJL9ZqtAyFGJ8Djazq0CST4TOrLeVABteG/CbDQSeV7g+Z7cRIs+HRA+mcMRLkRhiBAaIDYhpWtB+PlXUoiNQnCAtgi8H1AXbnSoTPS2/+o2cE0qMkB7bOg07hkLjIyVcyGBGXfHMC8cnNnU4WhssZdwbXD5EHwmi1vNuY6T90jsjr47FlBoRHo+NKb+BT2+x3bujrqfNYTRgEFZF3PNH9/i++0r/964ETjvj/ILwg0BIvoLh8Diaaoy719l+PhwIi7RY89rga58zNuEMdjbZVtb+vOYqX+7oDCywnt9RmiqdL3cG8Nw4ctmzgNOmXJVIrG+1EV9wuc1K5QV/kMn4SXGBbrlK/mqvT/bTy//qoxtZdy4Me33x9Gd21IDNFCaBT3er/UP7Gk+NBH7hUOPGTofVoLJbiJO1yDJEgR8eHjzjiWftwK8DEm2y0HPX64/+0idq9BolKYlWNorl1gJFyCgF2AigTafBZl8Wm8u0I2ES7CDcJOglklD5vTmgokEuwhCD0MGgT54V8BKDE34a+Ef+z99c44iRW5o7gGyQDHExwIjWNkVQZ9A6b3OQdzq3aZk/1bner6M8RKBkJdZbFTHSBTyisRZxN9nbkTExu9aLTcMcKWJjEQ6SDRoakF0LbXnWqE3CZqkUBtt+tZe9BobZbGgoHwwEhNo1n765BvkXATlIPzo21NTUioibzQruajPOydsgLSD4a7VFdfdG88UZ32A2r1QeXeKUN/DlwWD3sZFfemzDQvLh/rHZHx2+PO2V/dGv7MUm3B+OH7vsqtIQW1tw0u0axe98uPOubU1sVYlLP4eeGhJQoo/uc1444YoOOiM7YsnygVAKCMv/yua4u83aU+06hTK76LjiT45OBwkGbs3uoYvuVy6smRm4viKsGZIrhM6fAbbh/WOe41MRWSnJdpUsY1Yi06sFO+fXW8Y3VlqzTsmyTqbIcaIfaKtYd872uc6NhwOx1O42AmjjjSwO8gQgGGw0q3unw48eaJMyOi/aE/l0/+HwOMVoZG45u1aJJZ4c0p/fWb2xRU+WwEWbuikFQCBQE39lsBk483rdYOqiLaNGbWhohh2kJEbXWDIXiHlzcCVADqxLxLH8AhQR84LToBTdSb1I0m+65iKaBZTS8JeUF3+J9pX9C1pnL/NvigLAZj6FwgobEObBZP8Difk36z2FWZbAUTCYv0S7kiCZgrnqAsEzslDQn+OVQR2wR6I/N4pceejDlB3iRTrLKhUbFLh/qM0rUOKUMjPTk42NLVSE7bYm7AQ6petS7ZeovuJLTBuW/2Ou+NdPhQLz5uxak5ief+fYxH3b6rask2Jxz+vK5Y+8/M7It972esOJR++aun9HUyiaHAsI6z9eX0ILfOmhtvv3tlsMIilIfk2cDBFK37fRduz1SWLi3ohtIy2vb3McbJs6T8i+/D6y56F05vB5556NdSJyWcHPqahw5cJqnoGVL9mreVT/omjjp/7tN4ZjCnnJZ8lC2+lQH9revuI5kX7gtQ59MBQzaPRdZvW9OxvB3ReODffhySHYrqw8Gm20kILKsCH3xZLTI37yQBdI3oppoDyhG/7q++e9KbI5lShO003Gqv/4cUeglLKwuMEbvCKxhhhd19U2InqlNZIcS9LaMrDBLQBMWDVbrFRBnYw+FZ63jHXuXGvCXRiZOdZYrS3t4CUrL3E/6Br4lNZ3BaZFWUdqiZ7cACUQzX0FoSkGKHMFZTm2bNdvCcNhIaOWrlBROuFKFg6vXYcS8DhrwqamU0TWyLIllXCZgeTaxGgOLlzI7TW62pqGkZEhlZr2SwFgVpwOcqCHnpgYhYdmK4FDOfubrNld6Sr5w7mR81RGHomnH9phefVc8HKCsRd2x1yNxNJYKQKBxRroK4OuZ065PLJMQqN84cjQXZvqJW2MGCnB7HbUPrC3dSG2FXW11aCGxW6tMZDFmV2a9LxWMBw474ZqPd6S01iDzq/PRuG1oeAT496OJjKgl1wV5leofFutM3Dtl7layavQtfgMEJ76m6dcJfVMLByRZOyJQ82LRiss3w06MmJl//bBeuyz7ukwttZbwtHkrI/kwRm1UvHSexMELKMFFihvKHZ50HPFk+B6+Talu6zRZ/tdb4+GweaS5YPR1O/eZ8Fri7WsZIGbexHUZMUUCSKz2AxSZoNsLMLSgc2wgI7qGgkC/QEfwLMopOVTTspItNHAKJrdgYGBwaGrg4NXx8dHgCs4bHhx4ZRE2mbJGQscy0IspF7/sEuai3cBGdevZ8vQF1X40AKccZYXTzA6GqeLiclRuusf6B0eHmY7QjFaQAMNw51PZJlz5g3yZj2z0EkxwQ1brUIaX/agFrbrHs8sJNGj2WzBv2shRC/b0rJuZoSI26x6dJ8tg/lWqQMl8j8en+kddhfcRFLlDcT6vTGmX1OlOHwVX+8wkUY67RqwmaitzbUGySyjoCJf2QUgcO4d8z/QYkDpMzTp40dUXGyJVxBfbVxX3WVRydCoF4qcMjhTXB31BcKLCDCW2Fel2J2agcre6k7N/E3r92K/S7eAVzG/3Lqk7K4trTfYGUtntUX/25/ZbtCe7262IL6G/4Brp1nikDxzwVP39JlffrSbry+eGPuzl0dxW9naaGQFKdOvBDDhWOqZN4d8hevLtXqZRPrhZvWOLkP4NkbWtlqrJRdnImzAQS5FIQrMYOCNHTJ0A6Uu13SZgRfcAo3gHYVxeFb3jDUZ4dK4iMkVH5A+TbIvBdpiElcIuTT7hqyMGqE4yaOUkvCaNqGBgzJsksBgXJ8knOOM/2Do0SJnDwJ2YaiU4Cv/CWJEPfGHU/hd9MZ2ezWycaGTJgBnFFnvkkCaYmjbUWVnqyvr6ptxuwKzpR5ER6UPBOMuBoLggaEhGMdqrLx3VulmlnMVUiPJzBfutp3qi7w+dd3JO9cGwXRiqfRfPHPlr/61PV9DjEQamRBGZYBtLJZ84r7WahuZsxX7uq2vjo5X6VS8z8Sl16rF/ibXGie87b5g7OSl6e+e96yza//4B1cmnf6//vLe7evrshbg8wrnVyxzvq7BvL7RcNwdQ7dRUAz1Re9YwOOPYBRSQElBycrX1TwD5RbQ1Ux3hTZpBtjOv9frxtciuzsvnBXiVx/qMbCCSPxQ4e1lfZfLaqzaLz25jUqkvmCZwr1KNJDJ4Cj090cmXjjvIvJD/6wI52lUyPe0m034U81fpOZ1KFcA8K+fGH53wMdiVop+ebdZ+WsfrNaqFLcntjagZjZZbPZqVjRQGeUxDj+LghMoSJwvDLypBea5SC2VSksy4XnjXeALaIo0GLss7gNmwdC8eI2w4BI40gsk8YEk0RKXs5jKP7DHUttgfHV1PXxzhEQd02PS5MNvU5eDMuB0rq5oQzQ+D3r5ikweUy+aggM3GsyRiIgCtsSDUWMNh3wbPytAy2GvxhWtoIvipngNEIxjWUZFROtWix0zMYng4sI36wrth2Lpz91tfuGbYYLGF4sJNOqqw73e45enH9zVkuuUKHAajQoTL38i1WZR/+IH1+k1VUzqB3Y3PXfGdSWQeueKe3u3G9DNbU2ZcaQIeDodPT3+Jy8MI86+7AX6uVz1Nz+9+t9/zVJt0ZUxEc91XXDCM7GadHs3VL/R6xsq5Wp4fDLi9ITbG605SgpaqHxd/TOwkl3b6h/VvxwKESa/1R8ohW3MAZLD5L3bGwxYl5aByaVNFssB7F2NVc+HGrTZ3W7vMCoxR4bVwGx1Iprs9yeIycDKc1cDgX+tOmxZF26cW3inHDk7PSb4qyxszC+MRdjDG3UNDvWNGNHMb7LcN9ZrEEKkosq6OMO24tq0KLRQC6trtM5wtOyBkBUHg8t24RXq3qxRGIkjJeFwPqHQkH9cE1vPISsECD5YcMawdcJGjLpQAuZJ1ynAFamF/LrSlfyOcudEEoX/Zh6wj8MpSGohd7f8SVbELWziKGY0mtHiC2F62YMtCHICjMsYO5SbhDPbPMV52dorvxmKp3qa9V/YYikphIfotFb11Rf7vEFh9SAdzInNpO4xi9ferFfqtWJTxcV1rY4v3ttMQM0XhoLPHR0hc4zbG/YGItiRjUz6SPHyp0+f/cNnSMJOTBahPhHGeUoFMfh6h9zZ5zPXwTL/xQGszYo5YYnf2XQ8fa7PTbC/ZTZZKb6KZqDCPa+ih7ECUt48NXY1RHjnUtusTKberLpnV+cKml20CgvW/k11j/W7v/r2ZFShxqME7SG1MqnMBmPV43c1r2uxl1SHSy1TndK9Q67zE6VDhNPcZnPV7nUGoVm7LQcoK5mDgUywj/BzWXPlEgtfPjmAHPma9Ho9GyCE4bB9S+c1aQfkw4cKrpHVGjQFovIbX8n5De/DAEsswnByztqIqYxGi9c3u3RKmBA2KPDQDjvO30p8mokZztAWbSEY8hOkPFtLhdo7mUjc6mhikIo2/ov3my9OhS8GC9Xk4sFXyX8+FDp8ZvzDB9rBYGkIzXXm7a3GU7OxQXdsdDogaZrhoR892EFggG+/Nf6dkzO+QKSn1aZVVUUTKYKEvDwYcoUShG+RWkDWgVKB7K54Yg1NBg5uX3RuFixQ6zB21+vfFAG4C8ugMfnZKecDe1tsJuy3S60PhTUq31fdDFTgedU9kqUTFIklvv3acMk88ywB0VT6l3YaG+wrdHeGDAlES9OTSSOUe+L+Tpysnj07e8EbE6YxCvneWu0TdzUe2NFMaufSFaWrZKaaDR85M3kxAJtVtLTIZBaF7Kk9xsZq8lVmbV/KtXUT7mVhkmwNpGxCFCHz+tzwfyzfizaNrpda+AgRSoQ4X/Bhy7IIowv4ZvhcLMKI8QkTuYQ+FyQKFIwKk7Qq6LmRduiASGf8RTAuGZNn34UF+y24QdfYl0m+1LDOJIcOhRafTB4Bsgdiq2m1evplcxAKE+yzoO2b/BWlid2s+sg2w3uvenXaazqC/D5UKvlPDg8e2FwvCY245bDo1jeb6y55h4NJopF0NtsMvPcYZ1j1jx7qbKozvv7e+PfOe793eZTCeFEr2KWSSyrLZ3OF/SuK6wO12h3t5s2dtu5WW353yz1nW7Cpy6E7PRsq+hHR6fHpyNhUoK3BWjbHx3L7rJS/fTNQgefbN9c3vafJ2fDLw0GruXTITHLO3ruzecULHGJGlJNor4emA+FYAmlcvV3nyNuJ8/vvarbZHtbdvyc0NOEbdEfrbPpNzSZCGsFSlNmwg/qJVObc1Zmj/b5EpoR1MBZL+5rUm9oIQ3KbtM48Gpg8gk1Kz2jpSaIwhc6yvB6GgcnVsrD5Wl/xqNstgnhjwcXfpewJpIoFf6kYi0acrumsKdgipuYFdQu+IgMnXSY7BqmpZWEzTUEJm5uZmSmpWdyylzIoyrC9wE5eIb8mQljxq1swnPJfiRG7u9vY8l5oOpSqKtLGIJY650qcvDz9yF0dUjvkjOpsMmMyPR1JPXvK2VLT98QD6/GMYGfm8UdnvFFXMMmmhAhiUnlpFIQFQCoTjaU21+k+d7Bpzzp7ncNIYgwRtuRGWFu5Yvv62hrtAA4OxZOsVit7R717tzSuLEld+Xmr3L0NM1CB59swybeqi/5hN0GwS7aO8ckmi6K93g7KlkHKknWli9ignrs68d6lmTPjITxAULO1WVRN1SJbQF21odZuIAoSjAFcBdahnU1W3J3RU0LPot3BEXkC0QuDnn5/qgSeZQhZnNnWojbrRb6N23NIiJKUCY0pR/FKJ10v/suam0xdi9y09Fr57dx4C7nWRFPRiPR1ZcTcxKYI0rkCSsD1nKr7BoeQG8uiJzaT8v86aPmTn7uTRTwo2OlOZt44ObF3U70kJWZXuqHdcWiD7bJraiia/vMXhyfcYYdFG4ok+qfDJ4YCg2ECa88TJpPWS5tJPrTOev/2uvVttqY6C0FLctLyRckrX6C5xrin3dR/wZsXdO5aDXYbF4b9REaX6RfPF1e+l8rdOzIDpRf3O0JKpdNlzQC4C8KRPbdkLVyStjU6qm2GRcGyuDotY5b1wrHeb786ejEgIzow+/ssymcsSm+TTm5WpW0GXUuTZes6+72b6wm+r9MoCLNAU0vsDnuZ1/v8UTiHou5B5H2Nui0der226vYYbEskrBgMVlwxN/Qbb2EVNrXiQa24Ym4SlntCj/u69QfO+d9wlgikg4PasaHguxenJAaaNxzh0OP3dIF8L41FnPH0X789Y9MoyKKGOknEbgPApf9kpDtPY7x5V5vpdz+8eVd3DR7SMN83C5gZJj8fGPcHdtR/87y35EJwbCzk9kfsFfeq5b4Tq6N8BZ5Xx3NYPhVwtxdGCUqIKqsY4+QpBTbbdTiHLL9hfvSK/jH3KyecJ73XDE1phEwVrDzeZNrvRwxLAsuQajhU+97Utyx9OF/u6LI1N1k7681LsUPBnBWm/PR0GJvXYvJsSvmj69Ud9drbY7BdTEDlym2YAVjk2w/DC42LKCWwu/dtNLw05inWQEPnVCx5pte1f0tjLhwYyTC++Oi6wa+dvRTGb13ukkLaAcxZS0YUzPFU2lAl//wOx/37Wra22swEbM36zi1x/7oQqSWvY79dI08F0lVQUlBgOpp6r8+dTY9RcKfydQ3MQIn1cQ1QXSFRJrs0MtvnwpKo8AfJ3BDVghAPpIpaYbAw+PI+1+vjUX7tLKMctCn95QQbUTxDCN+cqFJMJNJHXbFvnJv9nR/0/9u/PXGqz7Xok4HBmJwJHL7gxni1mHQMtjdZVR0NImz1bbPZXpTmSoFbNAO5V0u8ZPOPW9TjQs3i+7C+WddVo0UQXVwmkpFfHAsMT3j4KfABYlHr7N/S/Be/tb9dLQuEhPMS2mUlUdLSsmA4oYgmntxW/dIfHPyPv7Lvvq0id6SEzRQjUAHBvHCD9odinCOp4lPc47KukHVma7MRM44StRTyb786jAVJiVuVS6t+Birc86p/RKUIBOTeem9sOl5iKYFfRsj25AadJG0uVXuRa4NTgTMjfiHTrlLg/rHBrGqya33BxEwoMRtJRESihSzPLlgFsSLg9wyOb2017e2pXZQ5iMZTg+O+s65YSbcrfGw7axR1VtXtFGsvMh235TbYJPUj/csMM5Ms3NL2S3Idzu3ESu7JbguZK++EAUK2NEx82MicIWzCRb4O6S8Ju7CuAq8EVoFZmIkR2ozyXMwB2C0dOB72v7JD99/eLAFl9HvaFSd9ak97dV4svDT5Ir/3Rx+40O88MeD1+KJydVVHtX5Dk6mlwVpv1xMOTMyXXEY69kln8GTvzJmr7reHgiPBZCSd0SnkrUblR7bZ79vXvqEFv3kUSDz0lcwwBh8HNxpf6PebCOg9/2CqjztjU65AV7PII1451tYMVOB5bT2va9QGwgTvDYST6WwGxsIhYLN9aMu6vHWksED577OBaO9MOJ2R69OZJ7oNv/XUro56Ez1eHPGc6HUNj3imvRFvTI7l6mwsnWBJkWeIo9TdaiEBXxZRyolkCDT49oUZH6atxaGSMumNZuVd6w0EfFhKFM9buliXnyLu5gB10ZILFZBawD+VAoyFkJZ88LMSYlClOmc0J/SZIjVVEntyEkEliR2WvBZrYgk0LGOSltDaQkMpfV1qkH0GqIMHGsHRtISfVYlgoQxwKVAEfxmLhjCJJzS3lFVT6mkpLumlaVrgKqIavUqBs8Cu85F3ZhNFQmKZO546fsW9d4sHSbJkay3tRDGNvH93G5/ihrNPLeULRl85Pvy7P+hj02zUYj0pF5ysXBZJp/oC6f/6ysTv/2TwR/965907W9hPS6x5cVOLXJEr9m1qNb40g/CpiHKx7Rue8FfgeZE5XJW3K/C8Kh/LYkTNzAaD0bisFA5iydKqUtTY9WI/vqIjFkvFwuTByeyq0f7e53fjKMV6hB/z/g21fIIRkmFEJl2BgXH/0FSwdyJ4lai/qfS2DpGsqTz3DBsxPOn7WR9xK0vQplNU7evQbm43xBZL6gzmGPQm1voVje8mVAItQ+HgikNDg1sMgZxUarVWQJZOBPUEmKWw2wvRJzGR2WBgAqPxkyYQCogtWTsX4zBX8B4mVSUNCnOBxY5QMECU7MVKLem+NEClEkAmbrcOH2h2HiK12dxzz46lxDuQ3zplqKAUKbFNVrFBEVHCAWlGzd94XFhi5Ze/wXN2hESl3dmietsZlxV5WPHGXnLG+ke9xNtZ1I14bq4VAxOef/zxxW+f96o0CpWcLOCE2Lt2wCrjAq3TVOnVut//1uU/iqUePtCx4i315jb7jgb96ekIoVTmerj2r1ajuDQ0+4G9reV/mwW1Kl9XwwxU4Hk1PIVl0zDhDMK/Fq/INIQ4ur5BW2PTl4gjvLR+CEGs0SsTzhiB/nHNvParnvPOJEMAn7YGy11bZWjRrox5Rif9E9OBdS2LBFgAIMgKcOTMlIigNBelIZ8iW1Vma7OWrJLlJduscazyxJskr1R+9dt5DiLCxi49XUSONoiXIpnAShLXWqM1lBTy58rnn0gPQqkUuTGk6gAWAc4IpZLF6VgxT6nTGmy26vxGypzDnNMOFJYps5RbbDI42BmYTVbQuSQqlLxY0Hh+Gc5zA7fIbMw/qTsIP44gAd66eOAFTS3xq0lf1dOk7bwaGwwXmnDDlY7GUgMTfm8Q//7FQ/1A0rQ79JVnLv2o14+wAFQWE8t2okpoqdvNygaDWHuvumLTsYxHnvlfL/S3NZi2r69fIqn5xQBkDMIf2Gg/OTVebAvKKnF6yE/Ot0V3FfltVs5XwwxU4Hk1PIXl0cDPfMYddsdLsw7JTGJvm81iQt68CHeyUK+1Vv3mWt2bgwFy05bBeFZxo169u7uGjy+UMOrKhgnLht0g+96xPh9cYnHXLF5NJjVGYYuyzsV1b/+VFWCYVIUY1KCyTm9QqcjDsMIHlBsvQEhrZG8kBidYRchuvI1LbtpyVcqf3Ag0M0BYTKQa7JzgmMnflY+v5ftd7l02KGzOGDvgTGh0oJqAaxBwI2OHBqrzBt7dFh69VCIXJrZXp0eDH3AGavFXLE9xJh1PpF46NvRGn18YcFA4k0YGZdFXTZO+Qp55cptj98Za5Fsjk4G/e3noajA5EpMdOzcl6bYXabxU1+wednbZ1K+OpsD/ouOdiQgxwBtrhBylcqyhGbjRBWINDfV9Q2o0nhh1hsTvvNShlKu2d9rNNxCIAKuW/Ztqdzg0Z4Z83kBUkqkWd8UiIj5Cs6jA4WRRLjCZygyMey954iX15eTA2rdeTxbe96XBNsihUWsJKF1b1wA7K1JU3TA2554ITcGqOhzVtbX1pHsCY6StQK7ArT6RcJGdh8NRS04RgJMB3jpszg2H3Qncud1RKwZutaMsuMGBS3mgN7fq6rWwuIUHEPjOeLBv1Ld4ngmCmfgiZ/pd5FQRDompzIFq7X96vOPfPda+1aISWdJVVevbHHs21n/o7s4//NS6di0psNJvX5kdHBexVIu7LiSlxHdFncPQrKe3Evc88dS5/sW9KkrUrFy6ozNQgec7Ov0r6pxYnmPuaKLU75AfZ5dZ3VprW7HZNmAMx9zT4djVamTv/80XLhOwE8eMhUB66SOIxZOvn52JliRbJmsyqh7cbGB9XHqDa6UkmEHGSSDEbhfAfIvIBg7R0VZX15LYA+byBoFq6UTSEd3ZrA52HlarAx3z0uveeElGze6EnCJsferrGpln2ryRsfMGNjvUXSY5+bKLyQskZe9dcbk8oeJb+VfYthLg0xMBl4lbLru/UfsHn9v62N1d+7Y07mk3RlOZH55xubxYX5JLVHVoe/tHdtZEk2lsOC4OiLDt+U0t8Rw7O/RQ3bW6RFF1hsEs/fTo6M1V1S+RsEqxG5mBinD7RmbvDtRF/Egsz97p0gsE0X73NmmwoF4Z7wIG4/jUO+xGztY3EwmkM395ZGpqNrK5zdrVYqmxG5pqTPnZ6Zc+flrun/I/f9lbbLpCIxjoQnatVUUA5KW3ufpLCuiqqiKllcViI1vlyh7KsoYJUprNFlS/BN9GNb6suhRmlV+WfJsBwjTDuWaTbuFxd2e2+/SLZlp4a6nUGo3W63WRTnNlgm6RJMOkbK1WKaZLZNlCHH1mPDg9G2qqM5cPKoBbsy8qXmZ/JPHZBzZu6qxmG4HfWGu9XinLnJsMX0tWoZBhELilyxH5+ZhHo5xyhwiOu7KfGNqlrZ22Z/uDqvmLOnsFEoITPgzLD7v5Vu0Ol/umVcovZQbmP8ml1KiUuaMzIIyfp0OXA+kiDwrIEnkdNzQIeBZb5uXTyc77TO/03z3be94V86YyKVYUhewHvYHXR8MN6imrBsbC0NVu29VT01FnJp2zCOifPcqvy2Az7PeR89OuSJLUxsV0BUOJA93VWK8U31q7V4Aups9mr7GYraDmbRsIzwKwrK9vcjqnblzmsRDZkgidRNfVjtrbs/NYiJLcdQYO726zV4PQZPZMJEjbtYIfgQy/PuTb7f3RQXwj5jfA115fUhg3JtO4NZd57RFBqRSkfklbDardm+p5E3i5CVzfVG2265TjodS4K4R+OpusIo0EIJFIxTPpUDRFsBLjiuLks3XAe0JVNZqbkNwJhIaiiRlPuALPuTlZEycVeF4Tj+k6kaFokl1wPC18Tq5fvXaWMcrSRouZTDXzV5WigqUuIPu6OjL7T8/3vT4WwbFEWtrgpggT5oqlndEU2C+b9pl7/S1HRtusmq5GY3e7vaXetLEFWXoxMXl9yBX+cOTEhRntXMrb/HvEJXaY1T0tOpFqr6TqLK/0GjqFbwabrRZbeXepWzEiYAPLrJqa+lSyBAtYpsels844OdG+1crokAqUafJ232JLaTQalcqWicnReCwG8i2XAhjoHZ36zZf8Y6OpnB9UrhEc/Y9cciOm1mvK2W9bjFqzRsyLSpbBwFKKWY/Xc0ONcVej3jMUONnnefSgYJT5VZFZlchfOFpJvZRB/RwZxSdsFzoara127bi/xL4Ea3rcKza0OYorVq6s2hlY9ru7akfyL4SwQDDqDcarSvHG4JxZmam163XqZa+Xklj76ojntaGgPMsXwPxlVWfX5lWgNUZgVXLCfJO7/qWx8N++4/ydr5775T99q2/CX37yocbnj5yYipY0CmN5enKzQxiFCTfWZVNevus7cldMXSaDTBtd7O3HZmnILPHoudFG3/QZYGhESqmvb0TPjVRgVWFzbuzYyrW1duJznX0Uy5PK4HVvN6p66nXGIh9i0b5C9lyvn5RrvLdlDtJmmLQKtUI+6o6i1pFK8nI31Jju32BHP390OBiOJGBq/8fTZ/7Xu0521IA32dOxsSzTbLlbSE10qp212mwsv8LfEXnI4deXvv0q11Hl3u2agQo8366Zvkn9BCNxbyhZMiAJO/36Gq3dRPT9ZYtSWc2j0cTlYW8cWxtZhhUCn+J2rbxJI7ekUpq0uJI1Zr32syeQJ1x1Qquud+jJA73o4F4/OzVbMj1kJmNUKT61RxMWfmI0XnbNW7Sb1VGAyUTqiyFYgWh0dVBXjoqlYC1LfEN9E/rmVb7Ww9Y3N7ehjS434NL3MryNnQ0aa7qYeRbOV7Oh+NuXnWRZLV1b2KalTQZNg8OoFxZbmpePDGHSwUU++DhgxtFsVpPq6n/95MK/+YvDf//WhEajTGXStcpMS5OVCJ0r/g1o1co97RZcrot/R0jOR2cwWBHq8MqxVmagItxeK0/qGp2BUGxaCK/YVxX9itOZbbUmk2lxsCw5ZsyzL06FiZ7Nr/tj3ebH727raDCTF2toJjA26umfCDgDiSl/YiycDmOPyhZdIU/EEnv2NdqMixjroi///vFJQiwX90uKgR12dWuNxhspsRQWl5euiDCXN5xIYKHGb/A6lCFYRiO7Yr5ZSBF4CFIwz7kY1Mw2hIkY1Tz77JF9B26Q2MLq5RGXodF7fV2DxWK9Fb0XUnNj39lqgM1NTa2TE2NS8mkhAVrawU6yqVpj1lWlQ8VZoGRKddX5vtkP74/j979AiwpQdveW+p+ddUXlin94ezomO/vk3a1GnbraphcZLGq1QwPBfzrjVSnlCpUCzCQJzP0bbHs21K14YqGExB5NtQaayiaunrc+sJ8mwB8h/1Zmd7a0aauUuskzUIHnmzyht7Q5Fm4ckcfDINm83162U7lSKV/fYqyxrBCewTxvTLiT7KnTfeHhrm3ddVm1nWJLuz25u8UfTiBX7x3zXhr2EiZs2B1zhlNTSdlDOxrK84gQ2jvmOzUZIX4h5wXLWTSWvqtTnWWdlzdzK17FltfNikqjkcVaarlV2XAkkwTBikUiEYJsEJdM5ISYz8Ah2iD2JwZQiG0J/aEkTCa7nttlLw282W3VCAZuW4/LncPi8mKrVF03PT2GLXfx3YWusBFB27K93Xz2jAfT6oKfGyh4fiKEZ3M2Nl8JASTbADY6d22qv3/DOPnckkrFP7099X+OT32wzfAbH99ErQa7NtXnz9qFibaVOFzUqT56d1uDo5w+eyFqc9eJ045826GUT4pMsLnL0ol8NpyamA333EBEhIIWK19v9QxU4PlWz/DNbB8RmdMbG4+WcBpBIm3TKuvtxhXvjuHLao3iffhgj6Wl3pJvesa53aThQyzP+3Y2E/yLrFZTMwGnN7Kjo1xkTSAHPvvs5SmxOArNM2vG9Y0Ft7AM39C6bKMwSL2Z03rz2mJZJ2aWWcQGKbFql+kHM2Oic/oDXoJ0El1aiFBF0qrCYZK/iThZBAiDi4Y1NBpNOq0ePSueVMvtsQwxJW8xNIDZZrtj2vSSVC16kWkhqlp1db3LNZU1bli0xvUC92xU/+iCPJT3xubuDQWT065Qd6t9Icsz0a9W8Yn7O08OBU7NxlRViqRCjmfzlCvY2WxrtOu0CJ+QaPMTyGQ+tcX68P7mzV21SE2kfBu5jpZ1gtEIyStbrepxV7FNXIY4g31Drp5mERu/cqyJGajA85p4TNeI9AWiKJDwnixO94TVZ6NJVpxRbunDw+tjV6vppat+s5H0DAvapwjr02oDn3iyDs8QapVfUNhSnLrq1l0Lsn0dmyFMns5sr9M1OTBenXd9UZol4fbS5NvLhvKlNbsgjRazDePhBW+XugE2u91OsJmQFCByGWNjgdoCssX/1PJ43IEqr95gwndLqzPAMN0ikAab8W8m9gjMeqkRLPuatG9LY/8tcnEJJa7YxyG9R3xPxlKFHMEAooLlzmRJOrK23Ca8wL2+2eIdT8kqXIwkMxtb9J1m1TlikRQdsYz8yGX3/m1N5b2fe9odv/vx9f/wXN/xqUhCXgWo4xW5P5Vub7dvsU97wolNdboDm+0HtzW3NVgXQvqizhe8wNPH+7nWrs04Y8WFZmNJjEseOVDS6aO4eOXKnZ+BCjzf+WewRApYvZye0MXJEJrHUlXSnUYtaq1Stxa5xlqJjhlh3foW6za782Sff8/GACmqSi6OWXQQBBBh/5p0rkzzckUgFL4yEcrnxXPFWZAPdWr12qr4MuSO13hKuMxcO2VOiG69rODPYAUBnNPzRcrF7YOjSKELroNhyJrxOS64Xv4rLJ0/4AObUTbnkkiWryLdlZBGVPd7yeBktljNJsuKLKEW6Y1x0awI1blAfotF6s+/DcGJRCwaibC9QHqPDD+X5pmCQrme/Q8BPlsBLW+HVnvjg6IpIsOQ8GPpWUzYMWJNvbtdffJUHGn2/EFAZ+b13tlfC8X0mgWVC/xSAO/7drUYdKrTV5xvXP7/2XsTIEmu876z7vuuruprjp57BsAMMCAggDgJQKQoiqQoSqIkW4ettUPSrh2xWod3ba03YmMPe3cjFF6v13ZoZQWXtLSiLEqiKImHeIMAgcE5AAaYe6Z7pu+u+75zfy+zu7o6M+vs7ukaoHJ6ujNfvnzvy5eZ7/993/uOxIW18vm59BOx3PHpwG98fIbvayrqPTwdEDH+uG1VHwMdMlrHp7yNiyI4qGor1o2EGBo47ImqtdHhHRiBETzfgUHemS6YvpPZ8qW1knqqkJtHKxbwwjsPYKcq7LwWVjN//LcXTDaPyW75+tXMwZfnmDKmooRGYtLoWwBt3jAX317JzOdR2WknH2PAavixGTvKgGb9HncAjHwhWyzmOtdHyI5GJkXyCW3nba4EKhKJGHmQut4zMKMSxdBUkqSpX/kSrCKZBQ9X1VobAnWKuZC16nh8lTxOxLYcwG5fp9GWItpHiw7bsU3RHC6wXCmTuCOXz5ARkwHkOSr9NO+9WVIoCjbUbE7jHoZS3eVykY+y58fYQr28C+Ws1xOQPFbtQ8WNSQQp1IrnshhwtS7KiCZNxovx8vXFzHjIpe5s6zFdP3hy4tj+4JMPFgrFCuFKsA7DmvLpDx3kBvm+tjmqW3szkFL6+BQsqY6dB8vRhD3JFysDr3+p+hod7vYIjOB5t0d4x9onpUQmV4mVGiIckWbDEimIn6VdeGX0NYtRn0mSEINfeDllchdszPUGw5++trqaLN13ODg15T884dsf9fbVZit1564mCA6qjeXJZD3jtU4G+zahUhpnHsdVpbUj7T516EVb3rkEdauwmtbhJzpfx7gbSa7c72xL6IxKlSHf7gbNqVQS9mI8Ojmw0biWCEYQMzRSQ24T9RnTXDadTicRYdE9KHqCJio3+20toWskbHgOLoE/QLW+nYDeiKoij5bDKVbue3q4xBEw7I/aiSIAH6GSbWmBlZ2LN+KP3jvRlfmj64DXiSc0t8mnoKxBOO0sOsOTCXfFgT+u5rg1d+xWUzTkHrObVpkoNO2S0zqVK0+EPc36o51hHoERPA/z09lCG9NBrlhlYU4HlDD+NBu8Ibfb3reEwSeM/Pr29XjDIaCdfL+ULFWkP7mU+cH1TNhm3BdyKAHCTs8E/WQvdKzH8uwFh4pl2ZdaTx0Pt3FifGcWMrcM0x4dgCVADlZa/fYvOIhuuvRe2pQhRyKnJOJ7NDLRy9PppVnU9V6vHw1zL5V163B/MA2wDiz9grXQ2bsOn8psXMXlKMJFTpFtKNhZ5oB/QrHeY0Ru7DmiAdvpiONdlnI1HxbmFO/OpTGtcDt02GXtUChPxCR7HotPWLaarNXqfNfYiDFEcC2ItmvJwsJqfiLqfeBYxO3om3mlF6fdeiJoiy2VVDTAFhA3F89MVfnocGhHYATPQ/to1IQRjDdDmF4WODXcNt7DIYtpzOckUZ36sh6OEby+eTmFrTGcPMFG+JE3aaFqWCg33s4WrHP56FvxaZd52m8+OOE7emTszExoKuzGdEfDoG/2xxx0ay1/ayknK4rVTEWtJh2J2pipN0IZbl54l+4hs7L1SzzwgxKXR9Dvhe3qJxJxm9VG2sp2FXovh3UguAe26Aq09H5ha01FrI8n1mRhscP70nrR5j40yAdSNpdGih2PTiBDK3LnZqXe9rgLWI1iqQgT09sVBofV+Nxx51urZe13ZTEJ9yrCBHUGUQWJ0YaTB3YtXYpnS4l0KZGrFktV1mcy+SpBAIvlClHICA9QqpsypXqqVP+5x6cxBOncsu4t0B3LUpN+u7RQ1Abpy1Ua2dwOqGp0ux4V7vgI9D2b7DgFowZ7HIFKucbHrCeIilhADmvF5fLoGnN1bX81UZi2G5Im4wKxjeqSCYmpKSvImjuiHCyWG/y8kaw2bhQN35m/b8L1b37roZkpfzuzbWVWml/NZkS8EbV4gYrPbjfvG7NZ9BT1XQkezgoA7QCEYfcEqCMgDnCt7iVwPKxDYxO3zeSVCi6iVWbxXrejroVCLyAZstnMwNjc2gXDm89nEgmLEky09VTv+6jocRgv5LM9CtAsPz9CbNCX9JyrjIabmWouXx4PdjQGlBp4If6T//BqstLIFGrFWq1cURgOQ8NGmq1NXYKIZiAJK/Fauc7SEjZzA3AhvIIul206SKA/g5alyNQkUmn1Plyjmns7AiN43tvx76N3kuSs5aqyckyNdnzX025nyD+gBnJf1P1vfvupQqk6t5r90dvLP7ySuL2KZW29arUSC7AOuErCa5lehIU1RqsO6wlhftLx5eHChmFlNVvEFUeTiorVvCMBa9iHo6bhfSM9MzYDSJloa1GJl8tqVWQfb4amKtizurI0NS1sg/viGajcXNAHDm1WOwbPg/F8ClEYvuH9NZjcrLktUZDOJBkukmYOMNRKg8QhR1VerRE8QLeHLYX4FOyL2I+4zdeKOuoNIuC+ciV2ZF8IvO3QGG4Li6n8SsMqrLMJMsoikhhnmYM1Glu9FhhzypF6U+jJiP090Ga3WgJuGyvbWqJSFeIaVQZA/YEIGV203RHoOMNut/HR9Ts5AuVqDXjWlVbRS5OhdqqbEWk7ahCW3WYDmrRIwPWhY5G/X6zNreZuL6YuzyXnljML6fqNjBQjY5XCFZiMtWr93n1ekXmjQ/AN2O9rHgAAQABJREFUo6lcrS7FC0U9+MXS5kzU6XOJnHybgNCOvrukHIZkgImPMWRBtJDPE3hSjMZObLSDCjedjoeCZCjSMnNt+2hiMzVoxOV2b8caS6i1k4lSudT7YnNbyuQTkAR64YSGGfnA3lZmBGj4oUqv/JDFZDwWtl+a0zoHQkz9xcuJX3pWLCTrfpjK7RAbIOhzL6aqsgG4gGMRHRWI5t2HhxWbeO6KLhpTbhaqLDiED7rewYoTPTrMRq2YnK5L8WwZL8oe18tl2ka/9mwERvC8Z0PfV8dwwuVK/XZGf90IlIuEHeFBc60zE0AMQpLg5w0GwgXfOxO692Dg2YcPYrcyv5J59Wr8xq3k/Fo+XpRW89VETYqEMEDpNO8z3xCUknW1gh4Xj0x33xRqvXUZQu727v4FcmBhRyDOAfAMsCEaVyy+itf1zo2CMBNj2XhgFTfPzeXclokvAc6A0h1iOdYHhnHO5XIFb97nGzBQGu+51+vL5bM9jjYLPoeipuo1JRaQ8ok0iTGdu4l1WA2BtcODc9osXpe5Hi/RNUSTYtJtNtotJpfJ4LRYHBYjHECtIWFrfStfO+i3/vg9Yw8dCwV9AyrDMEDxeax+m2m5qjY4R+PNJ4l12ACr2h1ucHRql0ag01u1S12Omh1gBLDqZNFoKdeqCdtshjVnn4dMdJ3wcrP21j0Evqu3cchpuJgwmLncNjxAxIozOYPlwCOnDo2dnAkRTJ+AvbF4dmEll8iWiaXQ1QyNOCfxDLZsOgEXwmZpnLjUFpOeaL2VvrvnCANlAnMOAM8I0GSfRIdBgJFiqaCsQ4ND27l1pEwU5vhwez3+HtvB2xu5TqnM5ayIb9NgO5fLNH2oeqShx2o4aLEojmVij/VV1VhPwHqu2BszxFBgJEGSDOfG4Gy0JrTQt5NlVE3HO0bK5D1/5FhoxmuJ+B2kjOTDIeKPEHDtFp/HRtASYqTVytVbS9lXL8deXSiOOU3wx+S86qSd2iBC+5eQgm6nzWc1rpQbKodGxHXy3Y18q7SDNpwlI3gezueipoqlMuzCCrWG1hqTqm6L0ecc0H4HX4sv/s2lC4uFkM/mcZh/9vHJx+9nzVJNACI10XqPT/swWGFVjBmn65Lk7URxSS8gIiz8uJPp6X2l2RbjZTRiXez1EZ1RM3zq4VQfg8Uej4/gG3jlYksFUpIeA1cbmKdm1X4BG1xBgMYMqoPetdk46tnW+DCIzqjcB1YgQzbEEw1tp9Tam3SirDehui8gmpMTpLW89304IfTbNNLDJYJfGQ9YvXbsJXjCshp64zKWksu1xq2ldKdA1sQmNTV+/okZOOsAugwrhzxJ8TD5y4emYDDdnD1ZPzETXPqzi//3t2+hWfrpp4+M+R0DIDSvn9NtD/hs9VxB6+VBvrt4qmA4yKrHaBv2ERjw/R7223rf0QcixlJFXWtMeHqvyRAaVBXGEhdL2q+slU3xcshq+skHJ4S91tatOUewg0FY5zjDzUuXYvlFUlNrNlTpEZYOceBuXerUVLvrCphwkZ4xhjLbBwmtyuXABnpXdN0oyQkaKnJWEfQSqIY7wzlWRNlqiCwKVBXMgBghMc3rbc1yeeViE+P16ooymm5ewiGtQkm7yl3LeU8KhQwIuhvwrFBbKhWA2K6UtKtAuFDVLberSXnEZ5nxWImYrWWOSRi2lCzxIrd5DgLOwUtyyXRon1NUI0Qucfo+fMT/7RvZP/zhPEGB/J7JzvaX7dpElRYkb/QWTbyoC5nku4unIFhERGl3+ah8SEZgBM9D8iC6kEEy5tVkURIhSXSmY49VQhfWpYk2p0lxEfDgf2ywWU1ONG926458tzhxppOFeE29+gUVwEzEi3cmaW65F80U0obOO1PcClH99si1OBIh/A683EuPDL4FyyCLFcUyQIwUWhP/arQsckcgUpPzU+wzinUB2yLG2boZURMkBriL1kvALUGAc8A3irtg9odT4Y/u69rvwOrWJ+h6MKh7pqdCq433XDaTboerG83wlvJdHB933shmta5KKKiXlzO87d3jz2802OEvjbBKhX5gttC4sZAhh1WPrLCqTZvNMu7SEisCli0V6+l8EYu09llvVI2NDvdsBEbwvGdD31fHOEHOx9vamlrNkrP/AEMKAaxYP3n/xOffWEOezVekfA5Ll7pVZBHui0B15UyhEk+XqnIIQ/U5gyHkIlPx9jrQNjoEJQiLxMbyeL3bQWjlPsBpMUIYE1kwARBlYB6ADWIDn8omQFpgs0BuglQjcLPeLCuppQ5pr3oZJ5ZmB1DRN1tGJVMsFnSMDpo1tr0jgoM2GgMTSdpsBhYlRS+EoI4+Pm7++nUdbgPu9naM/NyDw7PCnwpGVTLAbeWLsge8yXh9lewVdW8v9GnqoEWfHnNZjDqJMQg6VCpLsPuDmapouhoV7OIIjOB5Fwd3p5rmuxXRMRNl/Zgk2IKaMeMa/FE+df/0f/NE7P95ZY21uPPXk2dP5vaNoy/vz2VWdbPxTHk5VSHIiSoaIpMRCQaCHrPDPoy6NWBPdSP9HqKOxiBrfHx6YORo1+M6YGscpYBtLsFUClAEb3BkAqRBR/a5G9isVsm4XeOt5Vxl30YUT5qCEgKJ99tvKw2d92mZcUZ7gLanc812Z/mUYKHgZ7T6atUlvBLImodDZiwnVafkQ4nVXLQYeqd6K5MfH68d1pdvX119/t04EXuI3beSEsHJe2tCXYs8Wj43gvcWp2qlEsF0YSYGblnd0+h4N0dg8Dl9N6kata0eAVSZiWybwFKS5HWCebpzh7od1TGTAjMLHtV/76dOAaZfeiv+jQsJs+3ar3706IEJGHd1m9QXbH4PKstKiVCFOgQz9ZOX2E9KaeaObWOh6naG5BBrrHwuQ56lO0OPshiBSpzhtFqtLF2DjgIgK2Xib5AeCnkaQbZ3sMR/224b0KtHuWWhcq/X++q037FCZwD/MYCdvNIRg2a3OzCDMOnogHVoiWAdZjJkefXVm5EwnACeuriHY0TYeKa0kiosxAuzS9m5W8kLc9m5mskKOMuRdQdmkDFAI/EzcQkIoa8iBHatVG0gpqvKR4dDOAIjeB7Ch6ImCSUeEXrL6g+tWY0vzWyztVmXbtbS7Cgoe3s5/av/+pzXac0aDED8imT8wstLz78XO3s4cGKfd8JnC4c95KdD3Q1L7rBZPA4L8UhEcOn2ukvkOYL7F6pirUu7TXrMHgHPprqIJtb2rrQX3hUloCDPKx5nscC2nfwNA9ysvB4hOCo8jojVBgGKlVkmk8aEWwnE0QtIg3wYqQ1AQPMSVsmFzL7NBZJmc3o78BDoCQgBpneypzLgWV4/6Kmyx2ked5gyxY2A9JsXSdmGkTwWndNAwaq+9t7S0lqedeqVVGktW0kWa9lCnd/VakOJ9EmMz2YyOtDzvmkPmvPNfvrZk5kPS9BmLGpmDdQGOAQMxk/0Q8Ko7g6MwLY+wh3of9REbyNQqTUwD2rHTeOybDET7aAHqXZrd1yRyJTmcjUr4cjQ4gn1HXZB5huFxvV34rW34qJfNGGye3LQbPTaCXFl+51PH3nux2aw7dra2OYRk0u2VCf+PoZhWoCedFsCdsWk9/2Gzc0hAAtlFfckQm2zcE92kKcJUh0MjaVScWJxo9Xsak1NhQFye7TeHSZsrYe7tI+Avp2WYZ7k1aJeX8KIy3K1UBarBS0b1gD4Vs0liqdbCrW75Wrj975x/duzeXLWsOoB2wrvIthqo4SSAU7KQG4q2aBAaX7SXCUlBskttE11LVHuR+i3XZaFUlnFJKFWKVSwNhxJz10Hcu8rjOB5759BVwqwBYLbLRGDt01CKlh7vuSt80bXVtdNwFdy1QaiFgELxD9w2KjkieUjR+/nFPy7mXmD+QTPm7TUwCKHKEgddOlciCq+WKgQf19Xeo44hNk2YZK6k3jX1mBORKtsXDNGxsYH9h7e/t0rem/aARJCwYjX4yOgRzqdYEWjHUgLJs1sJCvldnrHJazft3GA7mAbB7iqeQksCERqtL/N85s7souBIeA0V2q4P22Wswf/yQe0Esuzzwu9BbpbKmJcdjDiciwUhEIJYJajenJejpQrYJkXhk1cIRmOuky/+tTRB06Odw7M19L8ll2FBp6vXRu+QLwJxnylUeZORtvQj8Aes/ZDPz5DQSAzSLnc1tLSXJPcLhGBazBamVkIny9PxiZhpMLMIXx2SC3JjzzlyO0K8DaIScTrNGO6Iosd+h0yOzDdlMq1IpGWNBtUBrwm8vTRiebk+6qAQSAKWCIZk020dIbiDt8tkz+SdCQyMT0943Q6eZRQqEsDNdehQvd0D4WsbrRpu4eL71QVeBc95Y5O9wwUn1fIIxzdNKclOJHVlDa+9ZaK9BT0O4gPyjeFZxwvv/jExCg1+PRcJlPYbPDDFfGJSdJnHow89/ABnxurtwE/avomNplHT/jiyaKHq+h9m1soHh0MwQjoPcAhIGtEQusIMDsUKyLionZT5ldsoQezE+bymQnvv/joAfxpSSyfylfThdpavhrL1+OVerLcKAsTH6lRaxAWmN4xc/V58chQ+HwtOeslEIzGL6sn26DNCzpM76c8ku1GQUE4jLMQ8kKhMbttwBiN7dofoFwRponmMT11IJVKIEazcrFNJNYlg+ApuuU7WMg6DEFbgLemhmCAxnFewwqr64WKD6DfRVpunbpgbQ59cYNVg7Zoytcz7raYGlLAaQrYTBGflbAhEa8t5EQFbcV5mm+Kdoht8IOLyR+8l/B5bj3z0P7JMQ8JJ3W67KHI5bASlVxw2Hp6EPiCbQ5dDySMqmx3BEbwvN0RvAPX8yXh94wtjNYYC8y0GhqkDB6QDKnx7Nlp44P78XUm5UahXAWhs4VyrlTjp5wtFcrlfLGRLzGNE8uzjs2n024hGnDn7sSCXLVR5o+iaGupbTOayJYjm223lL5/d5kE0+kUYlIgECTQx2Bc1I4PD/r2UDiKdjeeiPWYGaIvGrjfvuoPUrkLi9hTk3xZvdQT6ahMRq+jLVKmC1W4W1f7Chjr3Xs49H/8jNHjdRBkmx8PYbFd1qDHTrjcJoeRyhaPTN36wvdu/8u/vl6vNT773HFZhu6FRnUd7FGI760ulY/5tMkeSzRflaJet/KocA9HYNBpfQ9J/uB1zVxHDrgaysk29+4cyISExprzAj6S/HhdtvGNSEzMW5gRAcnEE0U0wMsUg16hk6tLXXPplEpVIU+gqdPgs8sk2YWsb1TMzdrc0PunGNkUHCH6NG5OXq/f7w/s4VJ067DCKOD6xQtAPmYM2XZDhm7t7q7eB8VZj7eLnDH691HKl3PFSoc0UPCjp4+E7zsaZaf50WnbIhvNUx86EMtULnzr1p+eWzxzfOzMsXGgXcPlai9Vl5COvZ1lGTleszkY8saORDpTdzw63rkRGMHzzo3lrrUELlYq9Tb5eYw+ixTYhnuJimpQGdtOIJkpiR75wsVHrhXbVZdtPcShE35CV7HGFLe17gfiCNkLCCzHRcAQ4oegXh7YYXcHx0sJ8Y18jwxNlI8mQrPT3N/B7na4qd4E353qFB6LuHwE04NXVqElBpD4EKJh6qguZkHHxmJzB2wWpBpNiMsHx90hu/n1WPW776yemBkj7yTlA9xImxnDkKsZWCwbRSYZYEjv8CUjeL7DAz5gd6VqXTUptDZkddpaD/vdZ1rh+weVV5LFN67HYsuZfAltugQw+4OuY/v8DxyJKFrZHhWKGJknCzqmoUxtEGrumCi6X+LvlvoAHhwPKa1IlIRWGUna5/XvuSQNQiND4weVTMWbml52eBm2M7DC8FtYIxMppSft8WB9EZazC9oN1q7eVTw+lNvYRBKnVrsVa5LgR9tv6x9ON5RtSskNM75txgs3U2ihXYPpoNclfchttrpOHwtYuF/DQ7end3RmKEZgBM9D8Rg6E8Ecx8qW8MZoA9GECuncQoezYiqWDLFU/oU35l9+b/X8QuF2vl6S5yB6wzTlzLjj7AHvU2enHjo1wWTby4TIVJVuM1sRylPOJt2BovftKUUklTNbiIRUhApBjHY6XKQfxqa6l4HdjaERMrTPTxBQonZDIZscxntb8Czupb1l+G7cxQBtCq60ZxM2rMPIGcPnkBSxdNQbK0ClCqEDBpFxW9uCpFiq8Pb1RFJ4ahgTmUqRNSKhhuq7ZZNBascG57FBS5EPbQTPrWM/jPuDT+vDeDfvU5oQZWB4EUZ078/jMjC1657qWihmKKMpmyv+L59//Y2F/EpNBOXHLlsJRAwYZxrSC0vF80vFH1yI/fyTyV/42Elcr7v2xlRVKOlIz9Cj+NPCEHyQNwYYlgtFNz9JKY7Fr9PpIdmz2+2xWu0KD3Yn0Rqrcr8/SJRsRcWN5HwnbLu29wZsT7wXffMSwvH2TgV4iYuEQQPP+E5XqxKxrDs0JT60ja35ZCmEBoUE2aqjcWk+9eXv3fjOhXidj8xokIMCbV640UBPf8WKtYh/IoIJqrZqTcK3igUsVfnocNhGYATPw/ZEdOjhGyaSgEZHJWqiQ+S3y9XOaEyntdYi0XKh/D/8/qt/dS27HlDQJMKPrNcRll2w7RIxFy7kGraXbs9Mep84e4AuN2q0NrZlXxNMUJxlSrWZzaTy21L1g30gpNVGI5fL8MOUiiyLZpiVaZvVjkiNGtws/8cFaPesvgEMj9efL+SgQdZsgxvbEq0gWYad3X3QfVpEqN8zMnP3js48Jqy6CBfPO6wK0y37J5DdUxvvc0uP+NelCjVSxeAfUSjAv1bJDpfKVpZytUSqmMpVYrnaUqZCDtaaHE6EkLchl8U1qNUnfSvOkFuIkA+YS0RaOu2JUcmQjcAInofsgbQhx0j0LhhtrSW0XJ+A2G2u61QMysJef/+1W3/8XtIjAF4AhRCdDRLuT1yJmTYKOwIb4RxKlKnz8dqf//BWNOI7vq9LsgckiTaas4ZZElL1ri5JdrrnoTwnhlwO+cKwIL+KrFOlohyQfJ1c3MTJfkgORGCb/w67A8zmUJwWLj/y3+1pVsF+r8dPMg/ylNAiuvfthLMWHsBNJm/9Jnb+j0i1uY2NdFUwRuvD10M7SM8kfjYVdHCtZjFjHdK5jVi6/M/+4PUvvx1rVrM77YSvR5FiggeTPwrxJsiP0ySJXDWnj5LGfcDgJArvQsA/op83e2zuEJVEMBqjbbhHYATPw/18NqirlkT2J53vbKPCAH9pDT/Lf/v1G8rStb3R2O82n4w6pya80QAJKs2ZYpUg/reX0ufjUkFq1K2Wb13LfPi9pYNRD7kxOvSIJJEt6yu3TWYLa3gyD6DVunVo8n1+Skbo9XtU9i0tOgZgG8xmyxdYHm5WA7MtNrHZSTDlcDoBbFmd2fc6pdIiMajNZivO7TgRkTh6OyN+B0zeYABkUBucTMazXxHfZq4JRNcLltmVDrQf0YAj4LZZZUsRhUOVFd1K+DAjliV8EpSbENAl6eMzrs89dZDQ2c0n3rWL1gqotrEzby1p3UcX35div/Xa0f4dG4FOk+wdI2LUUdcRAJxF9HwNQCslFp0Fpq5Nigrnbyaux0pGl81vMT65z/XpJw8+cs+EKhLCrdXs3740+43XFl5PS6lyfXY5l86XO8Nzu77RmzvMI5693fC0LVcAW5HzgAcO5cldYDY/qKQJWWO1md0uL2bYdmKuinxgfYM0mIrTVyVJEgUD0nNbano4sU21cw89CF3PNp3TWPjvS8RHeraZ0TXrSMks42JP15ls1iyiQXWaTrEmzT/UYqiy5PVp4ocd9VlPj9t/6aNH90/4mwvVnRvXnkUIZ/UZbNdnk7UXjEqGbwRG8Dx8z6QNRSI7slBgbhE619eeB3WsurWcKxiNHqPh4QnHb37m1MmZsHZaPxD1/r1P3jsZdr72/11GC5ctsnJWMQTdbchcL2bm61BBER06VLgbT/V1U63ico83q7SvXLj1N4sU615buXwWePb7AuA0y9g9ttys5iFnRiaFgh0zMcLQaF+GZs3OO6yh96407txUu7PoCVibb3e2azn288VSqWu1ZgVlBaF5qN0Bnvky2730oCz5LabDTi601HGbAumNpHyzGw1eq4mwQm6nOWg3B9yW6THXkWnfqcNj0ZCb1W5tR6OSD84I9P0Bf3CG5m65U4/b4eIr73+Dc09lStiPuIyGR06Ejx0ItZuOEac+dGriVHTuwmpxpSCic3fujeSXhm51Ordw150FLz1unyI1oleE/ta409qScqm047G6ZMyWisUiciFBJwgj2u/qrI1VbZO5biRmRa1SLuH3NdiDADsxbdvxG2wSA6eCtfl20mpVa0TsFnqC3jek54G+s/UeSFpzYsr7209NOqzCzM9hNbscFqJtE6KG+NioPLwuO2nXQ147qqktPHjvJGpq4nnenmfQ1B4VDNkIjOB5yB5I/+RYKwN+y4LblzdLQ0I47sCqA9vMIEfG3e8sFTD6Yt2qK5m6CTy6XnWXVgAtEFXDY5F1c61ut0H9fD63srqoCMTdqvd3XpGkE8k1LguHx/rSjvKgMTmrVLGZkrDiHhieGQ27w4GBm+Kh198N9FYb2vq6NVWr6AdUJT0e8tUMYodJbHyzkRBg6KsVjyd+A9g8LPHdyfxcK6vQut8jYaNq778RGMHz3f1MWXsmcyvC6gBbq74unUOZyWJV28U4YgwRU4xemE666i2pYGORTs/GdQA674pLkFyFV1TP+mTh5OzyEou762AOcPsQwxI1YU88Xq/DLhSqvW/cAkwDYiV+VqF6rfc7UnXhcrrTqaSqcKcOWedhAMVqz6A4ViqxqtPfxfgj4C7Y+tX0dTswEySDaY3LrbDHELHBJ/fV3qjy+38ERvB8Nz1j2bVqC8GsPeelSrpYm9hS3NMB80XA5yC6dslkunAj+VymGA0wla+bFG0EUuBQBE+4Mhd/cz7P2rPfLkfh7tyDyez44M05fYnCWLBjh5UvZBVTr87DOcBZsKderxYL+f7hWSRtoEesw7BtdjoHnCK4O3zAWkN5D3AXupcwzrgVYKreJ7xuNsayOlHSNo973uvsPNUV7WU3a6F5ImIuCeKSuXKmQPCuutNiCvudKKiQp2UnyW6huXsmmCDfGx90z9eMKg7NCAz47Q0N/R8UQviAFQ2Y7g0PHADoyKTXRTJpyfCD65nw1y5+/MMHWYEmdZVg5zf8aLP56kvvLH75+bmaCdvSRtBlcQ9qiYbkwWQk2mZmlecq3du5Swv7ksZQQRAjjFhdJITeJfEJWyUsvGCz+lICs0wuS88CawjzObB+m2VvLNRi8bWBQbTda0BEM38ohHV6uwpdy0vFPCPTtVprheZKUGthc5+v09LR1XC9piwpL8XyL729eGkuSRySZEl8DlaDFPFYAx7bzITngZPRmamA1dzfU2tS0tyBYNlYrVmwZYcetxyPDoZyBEbwPJSPRY8onVw55Hxsayuq14Sm7MHjkeMT7suZ8mLV9EfnVl+6FDtxMHh4yjs+5sYKJlWsz61kb8wm31vIz+OVaTYyaUyFnF3zPZstJlubzFT1tlkxNcS93wsAMJ83gI2YEux6F24XaBbROfuy/yW4lUIJIF0o5AIBHWP+HkkllDeZNnZWPQBVyM2wNfA3PZKhqobonM1mBhDrhXK7B6sLVXeth0QauXBt9fNfu0oA3WTdSEJ0RGl+mIUZbKzygubYwZcXP/fkvo88PENySa7tKpG3tq/aJ2ercPfQa8NoI6vrYGvoqk5Gh7s4AiN43sXB3cGmiRqGmkoOGrZjbC8NOezW3/7kkV/7/Lseh5SUpNeSjTdScdtbcWy52ZAvyD1VRp4SC6QS0YYfm3DcezSMFq7rrZHbR1uHDNANTIIJWTTa5BEgEkggEBJeTPWBzAe6DSOW5IrReLeKm+eBZ0UNABCWETNzGXy0Nk/3s4dx9Xh0aml5vimO93O1Tl3aoTQYDG/LpapWHUyzDTwTBBs2VQuZllodllSH4q1FS2u5//hXl79xqyDntpGDgcqLSeJ7MBqLQHRVWlgt3fjL66R8/umnj4z5XXrYurXRNkc8R4jVPYlDF9soapju4AxVYfdXaqjI/WASAzoGbMqcoP+9kQp+gJERLUqNR+6b+uxRT03kyZNB2GQsGQ0Jg/jJGQw1Cx6sQhNN3WmPBb7+4XumtNOTqneRPECPNedGKpLeCdX1H6RDwG8sHEUWVLBnB28dlCWamA6YdOyjyShwOf5V6Uy6WdLxOp2TKNVZgQ6HIpzb/t3JGG8aC497vT6dznouKhTyrMr3tRLRbLtUQRfQPFrfUb6Ozmlp+H5imeIXv3XtqwS3lx8JyjBztS58oOVmhAOUHJYEXni5Yfjdb958/b1FkQVrexuslm4DHmJ5W0eyme7YDFHhCJ6H6GG0IwXR1e/aldS2wjrMY/8Xv/7wp456gwYRbFmo0OUNSX19HjEY6XvGZvz5s2NPfOjAhslYO2JFOUmXgm1MiupSo1KVhYdODXxQzimrwl5fIBiKwLtsH8NaBw6jMJa3W0u67qPyRepqJYMIJfhHdb2wXQUMvxF2QWjurl2dXsohiRZoJxgM0WZfq+mt7RNkDZc29Nuthb3sQ0Cx0sjXJLMAUvVmxZXZondioyJu6Dfnk18+t0g8N6skHTQ2ntvv+rVHJ3/j6X0i6nZdchqk0z7bjElyy6xw0WT+m5cX07nBY7fRI5YiupE7ybsFwYQn26Bu9HdIR2DEQA3pg2klC5i06UqjcqVcwZAvDs5lM9lMhtz//FfO/s0LN968lnwvXpkv1soiO56YEN0m0wGP5cEp56P3Rj/24UM9xvK0OWzuNguehapBbrz1/j7o+4jOAA8RpBOJGKE8GA6FMRpsXBRwJe8VUqbIHNXPRkiTaq3S7J0dFO+s1LLcO7CHFXG8Q6ExnM4y6RQe1ZDXbL8X0pT6EBDwh+Bj+tXVt3YBZ4kzN9by/dJAI3wQLMrk5NB9KoEUJTVmYR7sJRF/NwwqW/tln1ABt5ayKxXJYTc8Oun47NMzT5yZDnrssXThT384WzBY7wnZ/vmv3B9LFF58a+nrF1Mr5TpJ5H51JTMWcA2Mo+0WkcI2M/HLevyWVTcyOryTI9Df13snKRv11RwBhFqiC6FpbPehFreRulXMNUbD5Jj7lz9xz9MrmXdvJlZi+UweY3CJMIRhr3160nf2eNiHuTZZs3rbCFKIuK+tC7su3KtHm94I+Hx+QnmsrS2zMjqwOVUTmxHHff5QX1Im6JXPC0cvqGsiqCgs5Fx5N2DfV2vNW0S9CrSHgmHhCZ1O0lqtVlN0MM1empVbdxQQJRK42yVM3OWIZtsS+MqVMkFPBx5btD4sP+s6PiM74xPVSrxqH1F2djmLzOqzGD/1yPQzZ/d5XTYGoVipl+omAp347MbxgOv0TPjolM9mufrF12Opau2tq/H7jkTkaASdGlf1pRwKb8g2W8hmHHMhxqvYjDa1R8V7NwI6c+jeETPque0IuOwEi9A/y+edHVQJhpZPCbNQropEC8f2B48dCGNfWsAkTDIAz3LCHDE1KPOpPgWaUi70Oi06RjQksydDZTuuXtNOuwJIRXNLRoTWwJm6lfvNmoDCwOP2dm2WvrC4RhbU7XSwQsCPm5qa3J9KJwuENa+U0MTy0IG3zjBGdwoqs4PQbHc4MQgnf3O/ts1kslRsplq7Yx8yWIFGfu13MFvHgbvDR4vsWu6Ct1DMKU7VCk43X2xlnZRD+FHM2gnBBr/C49iO7N6kgVcdtTbGbq131zzbdQe0K5TqZErW5l9m7dll44W3thOdaVwot+Mls8F4ZtxxeCbE0q/SI/BMXCGTQzC+ZHIDiQkr9tjp8eevZc6Xaktp0jK3+ey7UYxam06xwtdO8TY5mGhnfqJb86Pzd2IEtM/uTvQ66qOvEcA4y0EWIv3vVGIKL5Ww4uqyoV4rlgk0LNakPE6r075uff3axWV045lcZWrS99DxcVpBSrZ51IJyq+SkENKB93bZrT6XsDzRSspFvFNqwttn4A0oQhpDnMLsqHsjG+mQu9eUaxD3KxIRg9B5Y4FWUUQPNtd3aFwRNH1eP0iJEVOpXGT1V3Zg5b51Rg0C2LiKmGXAJ4vN/PSr01booUddmynaLxZz2VwmgDtTz2HRdO+Ry8m64XJ76rUqOSvhb8iTyWA2rc8wNKeOAGYiT9vtViseAH0LjtquYS4L2KCnU7z+3I62QrcSIxkvcoQ6rTe0Ro88Ha/DAgPdoRFe+Jzs4jzpt/N1NCnAjYGrgFK+R7usnQKhfW7bhEvcdXkb3ski3EkdO8xmV5vUeS1GuminitusN9rb6xHo9ErtNW2j/jdHADdiB1l4Nws296oGEzz45nGbvXS29LUf3czkynWT+ZOPzxye9FORue8LP7j1/OUkwsF//dx+BZ7bNNBSLJuYSkr+h5bi5q5suW3CQAxfkWahslOQDPlSo8o0N8gsudmYqZ8ImpuXdduDCyFdQbdaQlptf/ddr+5SARrQ6AqlrttD3C6EV9ALrkqx22qQVlTegDEWYpEyIZjRAJtBZa7q0nqb0zSO2lnmA3RqoBBOpRJkufB4PK2Mmk7VbkU8djODbLNDMKgpMAQ5T4h5YuOO2OSH0P0pKJf08hsxPZNJbTNFB8pt3b6AQAfwLGdx1q1AoaKjYmc2Vc4WiA0qYJORVJalGHanx459CSVI+ZVqvYCcbjC4e15O0vZbKNdSeeYG7RmDhbAExF3bCb5Hp/VR0c6NwAied24sd60lkMxqNYtEFCa1UKv0Wa2IxbzO82axUvvq+dWX5nKTftvTZ8alCa9Sf9xtTVQbNpMRM1FUaa0LzPRIqG1WoYXMjfBdqsbzlWS6xPLYzJRfhy3fGAEIJuY27pVFDdtAHJV8GedniRQ9AxjQbvTwgfgLABNTE99oRdkAlikLw+jeQTAGWWzC8U2MBnt9LUC0jiAX5nJZhHXU5K3lzX36gUtIJmOwDf1GCW02ot2BZqCC8u5+9NqLeyuBP2w0avAWWIRxF71dpK7FdfCvyVJDF9EYfx/gSqy99qZhtEhcMMliurhcfPPd5X1hdyToAiBZzVY6Q/4mUgj7rCthRHYjI6RqkkvC6SoV+v1dKFUzNZ2nybtEenjzeuTWflsd1b+jIzCC5zs63IN1JpTbuCmS8b1NspyskEelzlEFmc5xdrJYTalCbX41d/xg2GkXM+PJmaDh3DIfbSpXiaVLQPJqqkCGjEy2lMtXkLYpz5fqyLulqpQs1+Plxj/9xJEDk/4O8wbzoN1qdluMac3KGXq8RKFeKDdcjg0xcLBB+cBcJRBYmaJ1waFlHKjZctTHLjZT2Vy6cyAtnmmxVMByjUgj21mE7oOsnanaQG4meJnu0kDvPWB8mcrqGmYbsdgO+uUIX+3Hn4XeMzOeP343mTMb/+zcciyR+vEPHztzbLzESg/pI2sSfBjf4NJa5vk35r+CS1WlEXBYPnQ0pIjUvdPZrIkIntMLdQOHx2RiHzk9N0dqiHdG8DzED6eFNBSYLMaVNGhHlRqBRAghXGsI3Vj7CQJVaMQrNJ9Vg/ErP5oPeO0TYTe+IoTtFHmqTMbvXs8u/8GrrA1n8rVMqVaqSbSMjq0qNbgEe14hwzH/NwzLiQIpn0m/00Lgll34CY/b5rWZGwgcGu5/LYufSdNuTIfB39LW6GCXR6Avmymsq1h0Z3keyX6X6dqZ5vEKi8dXt4nNJlmpkCwqTs/qF9pmNo4HuyTG5vvdP+63lW9iRXYlX7/yUurI/vQ9hyOFcr1uFnqm77wbW1l7eS1Vuhovr/DpGYyfORWIhtwDq6CZEAhBqqswIOH0yC5sZ16vXW7l7vjGdnkQhr15dGuKk6JY8lQr6IwoBmHB0V235qrT3hJ+UceiLlRpqMu+t1B85/PvOGRlWqJmIMwD9RfLjcV5smOgDdy42qR0BwyT94YzAkpRoy9mq8Qp69Adq7cep8VnAdXVEZ8xc8X7M7uu9R5h88ZQ79Ff9LGZdAIA69HdiNcvmUqw1DExuW9g5Lhj94qf2OLSbc0nM2D/a/kq6+LqiyXJazHsj3SBZ1jno/uDjx3xfX82Z3VYUxhtySYOKKhoEF71UqJyGcWU7LfFoV+qfezBCUw41d31fIwvRqygIz7DOrPu3EsI0p67GlXcrRHQvG271dGo3cFHgIVGu83sNgKPas6dRhFtMQMh3FPnDlgcm5n2RbCMFYk0DCuS6XbFwE++CcZcr/jw8FIoP80W0UODpAjQdUOtUp9dyuZLOl++Ul1ALtEcnVa8TeTLmq2IHW6BWSNXaBsQeEvtu+qgdxENUy/hAZzP7u398aRYbyZlVo/YrFCL5VYqlVpZWWiaW+/tXej2DtuB3Hx7flb37ACF6HtiJXBTfSkfistqmhSZWDtuRtPkmOe//8XTP37QLcmfKiBNa9k8nlUykwrfyvqTCYZW8tVq//hjMx+6ZxItdMdG257k9svlWr4it7y1Fp8wHlwj5fbWURnSo5H0PKQPppUsBGY+p0NjjoWFoib90LoJsTAc67hhunJwwvfcMe9XLmew2AYo0XxtmAKJnSa6EDKRQIMo3Eha5WTuqDWcVmzTjMRF8nhtaMhPHAi429upym01cIph2oIiZgjVnBYrN5I52AkMbXY4jGXHARiuk3hM5eLZifEpl8vdYUli94gWFsLl0urq8gD2zFgwpHFSqlYnJqbJTrEn9HcYGW4NlcDK6hL8LMxEh5q9n1pJVuK6llYE3LVKbncXg3mIQNlwZH/wH/3cvd6/vvzOrawHdDYaM5WG1WhSTMLJQ+O0GMdt5l9+5vDHHjtMtN3eyVPVRHTOFatavwmqMR6g/ro9oeqy0eGQjcAInofsgbQhB8+NgxHXDxYKKIxVVcDAbNGA1bWqXHUIFk9FfZ977ojBcP17N3OrwrlDMNdYznKKdFig8mm/9dQE0SfMBBXBcdnvtgV9dpfb4WLfZcNX0kdgCdnZQxiptt+Yr30eR9hnM0oFFbnMDuWqlMjXq5WG02HsIvK372IIz/SrRC0Vy8sri+TDwIH7Di/l8vjwA44nVkvl0mAAxlX5Qn55eSEcjuxI2JAdeaBCaqyU0Uwkk3H5ceiIj/12RDtws/OxSrnOwpD2amPQC94JTrTrhlYZ38XD/8B38WZsaszDGE4HHb9wJkicHlhZIgPuj7jPnIgemgpgWdm1tQ4VcqVqLIe/RUPr3IyM7iDud8cYZx1aHp26kyMwguc7OdqD92U1m6Z8Vp2lL7lJIhBgq9W1daxA7z8+7vO5zl5YnF/NFyp18tb43Na/fCd+MVYKuiyffXTyp58+KhuLiskNFhs01ZWNdAtbCQDawz67riOYySilC3XswJ2O1is+cPusY+KttLK6WK1GiOhJNI47s5qLUhrF7+raEjrtwbBZeVRcS6bqynKFpBdej29vxWiAmRXxcrkUj69BlUJhvwxTu1eQJeHLK/onUXpPhxx8Mvqn5VKE+HK1xnAprG3I53zszLQy+J96+uhPCZNLscl8gGAFtr9leCyrOdlWZEtj9OQ2GXHRHsHzlnEZ1oMRPA/rk9lKFyvH0xG3+KQ1ny84mq9ZUlmRSqHzhiCLicqJfQEcl3GvLOPlbDa5ndb5/BtvLuQlm3ChhYVXJpFmU3zSKgm4earDDjmhQ2FPwLKWrKlX7ID25VSD3HwdLv+AnGJG5pnGE2vFUtHv87s9vl1FaDCsVCplsinkS/rdPnrRAlYPWJaVikWCchNH5Q6rAZT3RFHUc194b8PxbP++VK9fqVy/lCAmEG+sGjyJe7Yv4u6Adnw+OF6//M4CH1ck5EarBOdKrFyF1d6Rb01FLYdlpOeyzvcFYB/wkkPMBeOtvWpUMmwjMILnYXsi+vSgpAr4iOypow1Gaib+QCLbPa4nTStSL3MDEfmbITEn/A7ssfHlIMCiNpI+2NyK0EIvSuQxeQWrgwzNVeM+24TNCDyrbgmpMV7EPkY2C9dy+Kra7/dDGUskMimVy8VApQLCEZh6x0FO0foComh9FYX2TmEY7WC1gNs0XtHeko8Q2cTjxL/+zjw33tdqtYy7VzabVhJf7tR9tdKfKdTnUnpm28JpohEd6+L+RNiAf/9XV2+lKvujzjP7fPdMeybGXD63Pegj5IwVl4pmZPsB+OBWOpV9vrd8tZ4s1mDcVRv2Z4QLDfr7zgKuamd0eGdGYATPd2act9sLEYVY+g1bTKsatKPpfENKyWGGBuvm0VOR3/NYoyHneJgEksKQVPNdC4Qm0MHsSvbWUnp5LX1sf+iBExMO7Mfab/uingmf9WJBHYoUaF8lI5aeD3f7xt7nZxh2IYYmVnP5DEE/vB4/gal3SpIm/wQRswsFkRCC+G/0teOjCShCP8G5Cvk89LOavtsL6gBzqZhHSy9n1yCczmDBtLuOBGKmFM9UE/kKGT0Uc43Wawi/tX+iyei2ntnYlwxryfzltWLKbFlcKL48n0dinnCYjo05ZkL2gNsacNvGx9yRMfdU2DMZcnZgeTda7PIXvUgxX05lKroBtyMBRzTQxQ2sSwej03dqBEbwfKdGenv98NESNP+g17Ka1EntjAdFtkIm3S5xPXVJAHfPzAROHWABTW3OiWlJKl/OZkuxdHFhJbucKF5YyF1ezM9nyv/kJ4wnZ8Ko3DvM9ARViHitVlLXajom8MJqonJwYpDFZ0U8IpsCxs+ahu9QQZ0gztUttnhIkOiNm7GjO9OxfvlW6Ua5L1ZPSbpMdgpnzkUGRiRR1nRJ1NHvrM3LQAYqNL2irUKOsVK02bshXCo3u05/pYR0TgoN9MwOclQ53YPRrzuA3BQLzNxVqVRgOYA74wapSddK77pXbb8QuzCiVztlU8rW1qS6NOWxHRr36XK0Sk0eciJTitcMIk6X+FzMKJ0XS8QYKOADTR2MwqIuy6Gg7dS488CEF9U3jPLkmHdizDOYgRiML2vPmaokPLVayRXMhRETE59zNO1vHZdhPRo9p2F9Mhq68FYMEDswCSowG2zZ8KBIZCq5Yg2V9ZYTPRzwASPuqC5bjOffuB67cSu1upZI5IypYn0uV1suiaDPokmT5eaaCBzmbTQ6SHiEUgl67TZjXuvgQaTh67Hq2WoDfb1IXdnnRuYglLT8yNd1kuD7bLhr9c31PGhoQgI7HGLktXVtcrPy1nJ6ASvbSrFIt6AO+F/IZwnoqeRVdDpcGEh3Nb9SlNjFQh70IuUl7AId7TYwt46awEnShtbrqAEIc50kE7KFyOGwGh6n0zkAn0Hj3BTskGAzCnlk5WqNQHbEgMdDWBulp5WWndnHYO/6asWFl6Fm4829bz+AasVLsUM2yQuzy6l8JUAiClRTTdUFRpey5yHf80KhtpCrvbBQdFlSUYeJn4+dHf/MM0dtFnu/bBk0ouXKF6qEBdWqSUiVRSJ2l1P1uWtubFQwHCMwgufheA49UIGoOuXVX9JjnorHK2vp4gDwrPQsLwFjrlW/Mhd/6Z3l16+nrsXKS0VyxQvsJOgz04oIKCZPLgQQe302my9WxkNttWQ0iDnrVMjpMkmaxBi0ZnhzqfGJsoDnHm5dXYX7xfyY3/SiFhDUdXf4uNmjQKGtG4C6tUAJs6ZPofby1muVswKBhLBYYVk3bUyyIA1UyzkwyLooNuZuoIsLRcYSAVkidQlIxm+lnFM0pbTW2v5u7ys98niEkqGGsFvMZlJmwWnwz2a1kTBJqARItCV8A3jBNiyVlEzbJByV74JfZFwk7qVoplojdarYlJtq/t7le6E747W1hhLkq7UvTjQM0nOnQs2n0Hq2df/HTu7/T//QO7eYeW02c2mttEIE+2rDQhR9mbcV4QcQc+W46jCyt/K12Zz0a2GnxzGgQzmvAoaffLnK2LZSErSbWPBW2aO1VhjtD9UIjOB5qB5HJ2KEdZjbiuZKx/myId3IVZZieSVNZKdW2p4T2PzCm7f/1y9djDWMQunGtI9LtPyCIKRQIOZcOeInHlkvzKav3kpMR/nW2wmvDTTfk1GPntQhZtgLsRKhHnwefYajLZktJwTsqCGy5fTu7LbrEdjQUtOucu+kNdukfQXqmh2xo/AKch1lIMTAKlvzwo2CvfnbJEOW4kWCZywlFMrXmZcmXfJgNQjGrrxQ8iG/VLFrmg02r9vVHXJ2JrLVy5lauxftoaMhCOgs47IMdPJgsNaQbegKlXdvJb99ful7V1Jvzaa5djLgqAl3DHpYf3zTLsvkmFuJ4zvA3aFeQFgH9bWcb9hm9ntGovMAg7o3l4zgeW/GfYBeWRvGimQdNtXXG9N5Yy6vNsJS12p/TMwxQiX8j39+dQEDbqQyavJxIy0TNpsZkQhTlToJp8c91nsnXY8dCRw7FD6+n+AJ7bBZTFhMNtGIx2eUFiUUeVv6RmQiO/1KsnpkWkcFt6Xq6GDrCDTxiR35OSmnN4F5a/VhPNqgfOs7IVOq1ccKHmTvNo/d9PyFYramwxMzdU5YjZGguyt1spCMpkBUBHQ/EnB95Mx0qVJbiefnY/kfvD7/J6+upMmtie0HaVurjXv2sxYwOIgScHchWVbEcRVtKKvIhaMqHB0O7QiM4HloH42aMKvV4vWaRN4oDVeM5jlRqqeyORI2E5lIZ9pTN6Y+JgTgl56/dT1ZdrpkcZYpkWUqizFoMToa9YDHeOTw5KMnI4+ejI75RHhh+by6EdUxZByM+qbD9veWKloYR0i6uVb5MVJND6TfVvU1OhyNwG6MAIYRP7hSllO5qr86InHeN2H39GztofoqwWmysmIL9vjpqZ98cu13/sOr10qNZ474ju/zRf0OVNCD3Q6LGsViZTalw6nzzbqkhtM+mvMHG9o9uGr0qPZg0AfrktAHGPLiYqn98li6qkr1eL7EmpPfo55HunbHd1soVuaXc1ZZGkZe8ZmMTx9wnznkJxt0NOKL+J1Bz5aVMNVc066LkNd+5GDou4tLinq8tRr2yDfWxLop3MTIx6p1ZEb7QzICSPmJTPXcQg7BVktSuVw/eXSM8DvaUz2W8BGxPszX98Dh8L/8rYf/299/o1KsPns6evbEeI8t6FYjvu9sShi0qzdJCjjNYX9bexF1/dHxXo/ACJ73+gn03D+2NAGvY9JpvqGTRFkqSYZ8usiyE+kzem5yoyJOOLVGEY9qTHUaktdsJA7wr33ynumIRzF76by0ttGK/t+HjoX+6OWl9SiLLVXQb19JVXIlIm8z94mZquXkHuwyFytLubIytQ9imirmgdWwSgsDX946WNsnptnaBlUU9DEazcvZGYyYwa5q7XeH9oVh9eVEdTlTDfh0vikM8E4eDGiC+PXX+TqbazThnfXwAc8fvpt+4nLsxAwrzwOifqUmkTQ6pjNFiGUxu0Xydsve0d8NjGrv5gholY672duo7W2MAAuNIb/zgX1ukURZs2HAKwJZt8/zqLliswD0JeWG32MV5r+S9NRh72efOUr+u+2gcrP1UweDEQHAOlusIr11I6/2ttapuOtFQKPD7gwFw35/0O9jzu31uyA8ls8bEFf5g+wPALF4NtNCMBD2uH0DXN4cGq61We2QQVM4Mm2zKaiiHZkqYm70qCtp0iLSn3m9fi6HHtz2eieG/F3KYLpdeO3pvOebfez6noRt46XZAh4T2q7weN7ns5+ZEXZhHbZMvoxJx0oyz6oTaudOy+gopWs4kNVfuZG6uZwd+M7p8TJxCfTSy7IE5nHZtyPud7jT0andGAGdN283uhm1uSMjEPQ5D015DVcy2tYweF3JGlPZ4sFJv/Zs1xIiCx6Z8DSuZxtG09GIM4QWbAOiOoC0mEQ6xkKhgt/jOBWx37hdlD1othBSNxhfuFH9yAMN7GNxAxlYStvS6KAHeKGQ2gGIxY2HfcWpuinJdWjV7fYS4Yu741ryM7aYa3W4aP0UuIV/USAYgjkgcgjRPJDJeulUt2mAkPxX+F9lMiniXOrW6aUQHAn4Q4FACHPrVCpOwE6u6p0qYNXtco9HJ6FEDulFwBwu79IzQ4Fj91h4nECXVI3FVmXT7m6XdWl1u6ffuVVy6DGXcA5PHAuEu60QX7ud+J/+9NJHjvpOHvR73XYCefLjclpxgCRFbHNMQO7bK9kLi3mswwjGWSIIyqAbmu0ri1mthR3tYUdycMLbwZxz0D5H1+3WCIzgebdGdjfa9XvsZKBzWUzaQB+IezcIPZjVapF7IoRMGM/eH/2jV1cKDQNmn4VCxdDGJJWpBDPvYrm2mCgQ4PP04TDezx0gnPQ4Zw4H/vxKRhsTEQbg3EJhMVY5EEV5OLDA0NMNdq4E9oBnpKaIRibw5EGcJaYHCRObE2i7y3FKTqWTdrvdbLMH/EHic9FO70hGTaJt0Jed6dpqdzo9mWy6a6e6xAgIbOGAekFE3XYoJDUKUiwt1GtVoln32xQDSJZJsBl0l4OJ5nXRorV3sBnmBp7AZhfYTPiRdCalzf7Seslu7zssplur5feSdT0GgRXjxnP3hIWt9YbHti49l2aTl5eyry/l7S+vEvLvsM864bcFPLbJsCsSdo+FXGGvg0ZuLqb/5oc3r+frFoMUsBidZHvsGOdEty8K+Taz+cpCrITDhbZOxGY8dTjcmWDtVaOSPRyBETzv4eD33TVW2cThOuCxXCbCtuoDNBoWsxXCB6JGGyDsAJecmAn+ytnQ778Wf/565iM349EwmjDMwdaJZKoVsQnTxXiqsBwrrKWKlxdyr8xl/7vPnvipD8+0MxbnaiDj9PFo+a9nhcH31o1TibJ0c6l0cNyh9oLdWvPOHCExE5zL5wsgwAWDY0TCAH07Yy1nZUjOinSQZgvCnxLXuvNVrbdDQBEQmkwYAp8CQUVUba3Quq/SEgOcbDwjscO5Vm0wh8SR2eB5ms+xtTX52o0HvHEC2TcYCBGejLVKwomQnJFre78deg2HxkB32iNZBVG4Kel8ORVAdLCZnFfobNAirMVW0GFsULQ3f7EGe+VmifUXPQ8ladppOjzp7ewkwfO4Mp+pEIgF40eD4Wa6yk+VmCOELrCacG4m7DbJKAk5dn6pKCDcaqpJxkNRV9Dfid/tMBykmUlkikuZim4i1wihQ6cGUa116HF0aldHYATPuzq8O9w4UylWKuScuayj3jbk6obZxWIyWxpvI/h2pibgcX36qcML8dLf3sx94duzi2v5s/dOED0/U6jOrmZnl7KLC+nVdClTlhYKdQJps5pGor0X3l37qUcPiAgmbTa49QeORe6JOG8VSA6vruRxmt+YzX/84WCuvIEk6ip36FiBELIFo2JFS4y+2l8OIk8zyXZDFzTASVTcCNDgut8fWl1dJbpXj3QjWQLPtXoNeAbVCFJNjLDmtQJj5W3jL6GbibQlQoaxmeToYQjN4p/RxIIxOEd1m90+NhZlR9gSiMhjIpiY+CVCVotfosl1xFZjJ62GQmO0BkOGFEu/XWVf0Zq8Ae1E7vT6/FzOuKWSia78jXIhi+Ui47XZolxF4PH1FvfoD088W6q/fjmr2z+x6O+ZdocDpGXUPb9eGM+WZ1cL2HMA8DxHsXqDnwILOXKgej6ihVt5wy1lDcIId8fZMZvxxH5/NKBlZdfb7PyH8c/kqzFCkujlnx4P2Mf8A/prde53dHaXRmAEz7s0sLvVLH6W5JmQlkvqSB9yh5dXi8lMic+b+bFfClCynZgJ/9O/c/+Zl+f+07mVf/uDxSNvrmEvVinV1gq12/k6em85ZrBReEkxgZlJDm18+0Yqka1EAp1eJMxQP/lA9N+9uKhFcSa415YaqVxNDr4NyXsM0uVKidDZkxP7FFm23qiRGrmJkbpDykiQBCIWX1VWW1myBW5RjPeOasTSQr+NchvZEQkym81hQc8YW8ArK/EvQVtSNFqAXgHJMjZzWtnWSZIfN4OpPEwQjk4AAEAASURBVHehKg8LeBY6UlmuVn6DzAKvZZBGN8BfRFUlXiaoLeobDD6vTxad8fWt5Qso6pXi7r8ZJQHtwTF6pzY5MZKpRC+Xww9FIhN0qix15+Sl7u797WINRlMiDcateNWgZ5ldrUonDgVRLnX+yirVxumDvlTdSIA84uFDr83GUzQQ0VZs8u/1FliYgIsySj826T55KMSXKNfo+xfRthfW8mXinGsuBfyPTrhI9645MyoY3hHQPsfhpXVEGSOAaQmhPWHJtYo1vsDrK4lUpoh6crDPELfpdxcyF1ZLeE1mao03ExWD4kDJ1G2C8efbFukmBVxtwOiVWGk1kY90S1H3iYcmf+8F4JkWNq7ceJxLpca3383/4ocDJN7YKNuzv2Ae4IqWG+kTLMT2GOCUFbyd5jVgKZ1OkQUScAVQWXlFAhbyUi/ohIzbkGACkCBNVqvH4/N6MyKHhEukq0JQZiyaUlo7PFDGtEki1QRUi1HcMtErzjpIqM3xFepwOQ2U0GMX8kAjt8AiNnVYRK9UKtxaZ+6k2RQ7oWAELT29IzQvLd/m7ruOABXCoSiWcVxeKmQz6dR2jONaidnOvtdhZs0lxyhqXklGjGDYjxwNdo3vQXbIf/S5s/+VJMVShZcuxd6aTdyYTV+P5RZKaD1EnG2R8FE8Xp6A+KJmzIbnHpw8diDEM2k+yt7vgqsw2D4/lzaLT0zdgM1o3D/ubff+9N7LqOadHIERPN/J0d6BvrD/xLQEAVbbFprOZMG4ls7CRDvtW+ZlbWXdkmS68OXvz37jatrhtBhb5uXm8hsxFJisq5U60ZSibuujhzxPngiNh7vr4iYi3rNj9jfTVa7fOmVzI9J/fjv/yQd9lPeOBLr070gh+Z3S6QTSKnIwWu6Jienl5YXOCC0jsQGxW0nK5HC6x8bGV1eWAMetN6smEGCmSNFXs8PsabXaDhw4rK63cQxqop1GE16tkC8QSjHTE8pqRYmNGOqVvcLgMMB7RenNjQi0VoRudAIse4I6G8oVmY0TZ7lTFt3rjUnBCsj4DTzTLW0rPEbXG8Fa2+P1IvBzVSIZa164Qbv+32hk0uPxcA45nqtQJHTuSL+VHS1FFV2qSpeWyikNNtMPYu5HDngOTPi7ZntkkG1WgZP7or6fj/p+7smZQrkez5SSqfx785kXLycuzGVYm24QLtdmfGTG/5s/eeTBU5MIuDrfdm83iNn2ufn8VpZs/Upek8lI9/ijvfUzqnWHRmAEz3dooHeqGyJvE/AvYDVmUIhpGkXkTWWqfKUkh9ac7F7g9ToePBz4zmxWmSL5jRkLszWcPgE+sfwcczQm/M7pfaH7ZwJnT0TDXrToAO6mNKbbBxWCXscTJwIvPb8sByFprSUhlL+3kJtbKR0Yd+Ic2npuT/a5awS4RDIuVqBdbn6jel1cuk1Gig70cFW1gsg4PzV1EITzef0orHFwan+JWDf2gGluDz+gcmtNBXoV9CVdk3BPonV+VyoIptSUddTrV2x4wBnAVyH7GkzUjMfjSrmSApSqHArANpnQliPikzUKmZW7gwyIFxANhDfbMhimpvaFKxFAGuNtsFN+MvpPB+7EYXegM6BBamTSSdQPvYjdaMJZqucVguC1teVcNru31trKgNotpvO3Cu8tV8mJxsisj/LmH+m5+8b8XgfPqMnlbJ7cutd6MZXdDn6sB6Le+49P/NKzBsw451Zz2UI55HUcmvAqKSlbL9naWJejaq1+cS65kK3abLJI3lKdY2O9RiSDlrLR7l0wAiN4vgseUiuJTKAE2jwzvvLCUhFpq/UUk3bZZJyLZdFRBwgm0f8WcNvvO+D32pYKjYbTKBFA1Gs37/caD0/69k/57t3v2zfuY8nNyxpWyzyu0qBqu2ViMpsaHzo96XhxRRY0VWQbnE7buUu5E/ucOW3AUm1zu18isLZawUyMrkBoDL4mxqeWlpdqtU6yHTfJgiuOwoQ3AW5RjGP6vVXsFjeOOOvxeD1uL9CoiLZM9AKP0Uw06oAl0zR6ZnpneRhRmRFjU920ANKtkzB1QF+lmoBbDMjkQ1U1IJ/1dRbLlXdHfjQwCiLRI+5kHq+fhhViuBq45ScQCGODjZI/J+O0wqYoJNERO8jkuIyjM6B3dOQsw7OjpVmhrVkeDkVC4Shk0CCyPrc8DNgMkJVrjQvX8tcz9eZ4KpQrv6ftpv3jHjTbDF1ruXZfeWbqd72lHmG3T+wLNAt6wftmZe0Ogf/emk01SIylgWfCgx/y2cP+7loubbOjkj0cgRE87+HgD9j1gakAkUMEPGs2zIdencv9bK48FRkEn7FJCQccTxx0E+dpImCbHnOPTfiOTflh7ds5azEHwf4XK7Wwz9nBpIVJ/4FDoSf2u15YKIgo21s3XEpeuFH62YqEWStq860n9+wI8y76Nlss2DphmD0elVBfgyV6EtU6kSBiPL6KKKmAOt5Z6KKBQyGYytmahf7X4wOYlQswhpJI/lslKXKNNW4KQSyxLmkyVzDJ2whR0qHH9Y57/qM01cLXSWjGa/VSoSA5HevKT5AScVYI1rAPZgzUzApOY1xdEiCdQXmONM9QgLXcGnHWkNp5xFwVi691HiIohQYWDljdB+HgP7B7x0JeKe/5PnarIprttVT1+mqtqAe/is32eMhNQLHOFORL1XS2BNtF0DECdTWDdPJyt14JJJerDepQqNdh5062nC2VqpdvJkkjvaVUPmCh4VMPTQ2mUdO2Niq5YyMwguc7NtQ71lGQ4CRh55jFGNdbG7sSq2GKMpj3M3MHi8S//vFjIbc1FHB50X22sfUEV3CsSuVKq/H8+StrS7HC3//0vZ0NxBx26yfOjr9w+6Y24xby2s284cV3sz9+v68mNOV7j9BACBiGhVc8thYei4DQ8hLp1OraUmdnIcRT3HbHo1PCvMvtCdQq2WwGjyvEZdkAWyw6MCkD26CyMDsrFRFMQTsK+cc1sAK4aIXD0dW1lTs2FD6/X7g2mYRV1/LKomIUBioD0twI9CuL1uyjS4CZAMKx6wan3S4PWAvzAdAmU3G8wDu/6IAQ2oWm7xb6/0RyWLAZytFsL8Ur82l9r2ug75ETYSKKdIBSPo1YuvjS+fnXr8TJoU6ggvsOBY8dCI4FXQQLI7ENg6wMEW95Ol99+e3bBycD42E3Vp8dGNzOo4p6JZ4pvrdSFKbhWzd6QRH/zAOTW4tHR3fBCIzg+S54SCoS+bynIu4xlzWe1ayGGjG1rrwzt3L6aMTmHUSXhVNWZ7dpgD+RLq7Ec0ux3Juz2W++vXYtWT7qND3z0HRneGZiOn107Jjv9tVio1WA4O7qBinfMLx4Mf/oCddwaDjXhxzpUITxMhkjY+Poq5ERAVEsmLBzFuitt1GOIjiRiAHqwBvrwU6XG2xTbKaYuyvlEhUQqcE22mFipSXBDPDHhFFVAoTmEQPSzmxmq25cr79tl3GPaKf9Pr/iT8X9Vsr45giDbXpHhZDJprgRgBmoBqeF15bV5vfbUNFDPxI2h2AzQAsj0oGfEB2ZzSw2g82MBiOZzaRQNsDQiHsfgg29Rb5Sv75SvlUiQLWaIOg/Nea473AQ/lh9ruU4X6x+59zcv/vW3K0i8VnRKCQtL608tM/z8XuCR6Z9E2OeaNjdVDXdXMn8s8+/c+xQ4NMPRD/24ZnOn15LJ9rdxuJaboUeNR7P3MeJoHVmalOLrr14VDKcIzCC5+F8Ll2omhxz+ywi9bN2ErEYredvlj5drPqx2+rSjPq0qN9mRQ21Hjmhl+O5K7OJS3Op9+azF+MVpgMosNpNqwbz+ctrD52aEA20aQGzJFa/SMtz6UJSCcLQ7F7MzpJ0LV65vlg6fchTkiXo5tk93JFhQ8pmRdBpBaHdHh/KXuTjdgjNJE5l1LyYdJE8DBxaB+Y66utiLp8FlTG8RnFNNdpvBSYO8qBhNgOoowvnt2yTteu6BBgC0FfGkjKuTc01V4U84BOcRpHAjdisNvTzsi0bNmUWeAjl6SBtQ3YHtbbAZnmJWmQckeN9ZtIJsLmpwFfa2dvfxHm5dKvwo+uVfEMHnnFbeHLGi/lFU/zVpfbmQvJ7b68uVhvKS+4kUUpdOr9S4GfGsXQs6jw57Tk2Ezq53z8R9ly8ulZy2F+ezzvrC888tF+3wa6FvB9MBW/fTFUUPzzNBQ8f8hNbV1M8Khj2ERg9s2F/Qrr08WH7CIqg5+DI3IH3M6E3o2iotc7Rus3pFSLcKECLM+XVhfTtxdSN+dS15cKP5nKLxZocbNhkkFfgEP9K9cYrV5M/sZbfH2275g25ZNx68oHJL11Msya3BZdkoErUDBfnS/cfxnF2KDyslFFRiFFssInILRZinW6gGjEXKKVO643gvoJNNPEpATBso5UWlJEEm0mYgdCsXNJ6lVKt+RvsVyKX0YivFEhnks1TO74DatptDiCTVWYke4R+1Owq2pqHoC8/cAxAOBIwqaUUerhBbpaFduRoVqaBcxakFTZlo4KEhI1OmzRWgDSFYLMcuZOa/fKQOz4Gmw0WSvUbS2Xh7q+hCgiM2kxHp7wdDKwYB8KPXJ5NnlssCtdHmVETL7owthC3OVuRbswVvjGbm3gr/sQ+94lpz8uXEzWTwV43nDoSoWVaoFo7BneTUM0eWvTvXkzIVNPRFn4Oxvr4PhK4q5XemjZGBUM3AiN4HrpH0gtB4FzU7zAvVbQuTfgrz2XMq4nCiRk95+heWpfrYLGSzhcv3oidvxK7MJuaz0v4aObk/ghMKBygUclKRCmRYN2rDWl+tXB5LoHTSIceyNJz/EDgqf3u7xPOUGPCQiAPEgQ9ulKaGXcUMDYdmk3BJ2Ro1oajUeJb2YT+GaspYaqdUXCI38yqGH4RdpuVY5gkplrADKwS4bjJwm13IKE2Tabb3Rx9sbKLJTOWU7g/oU5H2gbUmxjZ7kLKLcaGovyAh7DxjIxCqMIzrhUpVZdzDz5/AIYD4okKgnAP2Rt9ASsCXGgHR2kROUPGGAybKULLrTSFWptOEYhZmxcRPT3+eGIVXoSzSjtYvwHeMDRC8WAStmAwAXiWY680VNhsMxsT6frlZaL6aI0XDY2adGzCcWifH89G1Ri2HsaS+VevJZOVOt8Ibkz3hGx4Os2VGvCxwpKewTTz3ZjXSvW/uJLx3cjyzpNmXZmF07lyg3xW9k7tt/a1uU9w74UUUbtleV394RTK0rEDgVYlzeaFo73hHoERPA/382lDHTj36L3R71zPrvJxqzeJufy9WyuPnJ7Gc0N9sv1xk3NPZMsXZ+PnLy5fW0hfiVUuZrDtxWlHhNggqKeybizr/ozlaq1YqhFP+5cen37y1NhUFKfbThtzRCToxm30xVs5JnVVVfJLvhZvPHQtPxne4gSsqnaHD8E23Mg8dhNBmG/cjl1Zxq/Uicmyw2p2mq1+Ow7mFXyLawYrAiXyriIdIonmcxkSQkAtDsEogSmPRMbB9VpumdQFlAPayo6yz+9muaGaqlZFpmSAE4agnF7gFAS0S7tJeiXimQOccyvZ1VQxmytn4zmPy+y0maIhO9lBCyL6xZZXhfsCcKEHF21QE04CC2qwU8ZU8cvvELe8mqxki3XiU2JVD4UBu+ngVCA6PskKNC8Mhtyx+Arxr7h3TMa4R/gW8neRqCoWWwGYaQfMBpvpiNeH9nG7gvmAawm5ZbaFRuWNGwSe9spunxsGlTEKO7cIsqrfTAaOL+nDR/wnDobbrf5wE8RFxSgMDRPjCTb/7587fs+hMHLtjYXUH51bfv5KkrsjNRyuc7zqsKdyVmcx1KzJY8OxuJz98D1jH3/8SMjbaW17fbxa/jCwL15YKVbqXs3CM5Q7bcQL6/JhtjQ22h2iEehj+h4iqj/wpPBJP3Tf1Pi3yFWhY2IKnHz3cuYXP1rDFrTHoWKqJaTRciz7+nsrXzu/emkxj6AM9BPaW8Ao2uZ1aZkDzI4RyOpHXOYn7wk9cnb6sZNRN/micbTtQYHG9HRsv/9UwPZ2RsdDqVBrvH278vCJajRo26uZunXEhNRrNccy1W+9niU19Xy8VKotS411izzMmqMe6/Fx87NnfGfuO+DzrScaQv2LvTe5p5h6E+nqX78Rt9vEQgMtk71oNZasFKtG65ZPT6rWKGn+pqbNmSRzlEJMMpW02ixPH7MT8quVPPZBAmTcxXj51cu5V27XYukryYLQn1cNVpvJ4LAYD/jNHzrhfeyoMxqwVUXQ7fUGoA2IHQtHFLU2gUQQnZUGkd9SuepfvJF97UYZg4BSTVK0NEqD+8Lpj9yTf+ZD0yhjM8llbMd4G8lUHQig7hZKclKDoMcmtwfR1nCnJqgLHQEh2ISj0FYW8tF+/9nruUKhKtI5QW1NCtqkM4fdQa+lSeE6oXfkDw86kal+9e3SalnEyVH1aWpID4ZtZ46N4fGvOtV6SGAQtFZzqQrM2U+e8J89MY6NCBWI0/nUgwdmF1PfO7/02sWVV1ZreFzxveA6rfhewPLOFeu3buYCbstHPlQx9AnPmXz5tXdXnQ4dprZWa/zGIxPkiW+lc7R/t4zAljnibiF6RCcjgIn1iXHHe1nyVOlsrywWbs4nx/xOpm+d01uLYunct15f/NH55eevp9dEVANZm8mkK/6tq0bZRb6oVERvH5nxfO6pgw8dj+Ar0s4femsPm0fUnxr3P3w89ObLS4rtzOY52ACz8WKsghBDBug9z2GFSFoo1752Lvnn53OzJQmeBFBBQWkwbsyDVeP1WPmlmOFP3i18bCb+X3zyNDMy4cYIgMVNgX+4cSN6/vB87HtLK8TWVO4ULYQQKtWbdpmCkRfCN1utJj077fzwIRZ3lYL13zwpQtB85830n7yZu12S1esmFNHwZDII86tqvLlW/95K4sA502fOuH/msRDPVsE/ZGfEevTtQgguYpCWFnp4swls/tLzsa+8nb9ZlLAwkGVm+T2gT6wMytLsQvH787f+z+/c/swp588+FhrzWVmJAJAQo4Fe2kQhDxjT8oEDh4TeW34DYVkYlvx6Mmwjff3H764t12AvxFCgn3koZD006Qj5yK+4wUFsudfdPSAO7rWl0jeuZ53ChEpNAE/9aNR5fKZLsmRG7/B04GceGv+zH95iuZfsNYwDdMOY4VJ1+mj0nsNj+eJJbMe++vLCVy/EYuUtD12sRIiUJereu945WXDeXMjLahv1tRDw8Ycmt2GC0rXzUYVdHIERPO/i4O5q08x6Z46Evnw1J9aAVT2hLquZv/fO2v3Hx7sG345lir/+v73ww+WS32llPdVm3vKFyxpQo63RmPGYj4XtDx4PP3AqeupAiDALijJc1XMvh/sj7ifvHfvOe/FZ/EA0FyyUpR9eLOyPkvzOKjMDW+jRVN+tAmBsNVX5y3PJP3y3IGAZWUczzMzjiqMqJH51tv6l3339f/6p8WdPAevGJgRCXx1B1qIjk20lvRMXRWhtD0HGNgBeuRAKY+kqFH7xAt5NxhaZr3XExCoECLlYM/7rlzOza6Xf/Ilxp9OKvTRCLZbhNFWulDFzQ7SVle2N3/t2jAZNFqPLqs0HAYciOAsiSROx5QvvFq6vlP7hR6Ok62Y9mhOskRP9NFyOoOtmNZof2heKGTkIGnK2stiMTH99qYKBIb5aChainDHat2DV1sHZ3SOeF2/aGzcKMgvVOnqiX1AzajXef8xHYNrOdKAgOTkT+p2Dob/70aPURFGkqs83i0KLiJ5njkVnvn7x//r+PAjtNxvdRmmpItUMEuqNalWX31a1tOXw0hx5T80O1hJkXqf1HEwPmu1eePTWq0b7QzIC6hdoSMgakdF1BJgNie6ZLVzzujeEuc1rjMzlb19ZTueOEVek88eJE+fDpyKvxBaMVhMTpIL1oDKyss9qmjRJ4yE7efEef3Dfyf1Bj5MpaB1IFMlgs8+e97jw6P7gR4/7/uDNhHZCoeTrN4r37bc9floIYT23upMVma9Rdf7nFxN/cqkEysgW8p3aZ0JFQvI5zf/qb1fWYt5ffWaMSX1nlbQ2h9UV2F8vrQhTLHTaImRKHWz+fy8UcCjvRNz6OSy0zX9xvWL45so//tSkCKgZDHMGVCYrMybo3DINfvH78a9cBuxFg11RgjfhXFxyP5/6tWeC+yJ2mZci3hmevoRYWQc5qEVijsfXQG4Fm6GcjE9ffyNtd6IKUGNhDzeyK1Vur1W+eb2sO5JmSToz7nz4vgNdFUWC10RbYDQcnvR3oBJ+ZWEtd+V2OoWHXbXxDz5x6NR+/3ffWLw8l2RZCoTucK3qFE1R/RuvLMC56XxKBsNDM57OtmyqBkeHQzUCI3geqsfRHzGEGiBNBTayGhkUWc10frWyuJYdD7k6Nwp4o/76wstL6wIfwgK57TzWh6edM+Pu44fCR/YFDk366YK5YKfwkmXLkweDk5fS86WGiuPnsFA3XLhdOXO4HvKZ9sQFulCsff+dzJ9eBpvFfbcOoKyBbKCgprBFYJWrkKHZav7Lt/NHxqxPngkQMBsFNydAvtYWBt4nYYndN4XJFVCHWcCL72VRqstL2psUKuSJbmXfNcGatXSuIPTMy8n/8hdOQoZsDpYg6ggUsr1yOffqXLkqy8dNIpUGOZR18op6v3lSQMJ3F8vBV1OfezyEXtpsFT5awmlblptx/s7gg5VO0JEQrllQNyOnSn/xo/jXr5JVsYWyzSb3YI/H/cUXsxhuNVnPViICRsMzZ6IgLqO8IxSj2H/nWuyF6wQVMk57rJ997CAheB+/b/LqrcRaokAE0NbeO+/zPd5aTb95i1QiOhVZijq2z0/EUJ1zo6K7YQRGT+5ueEptaAz5HH/n0enfO7esx/VLWaP5rRtLD56c7Dqt3HM48uwx/99ezRzyWI6O2Y9NuE8eCd9/OMzSsstuZRZVpv+dwmZag6O/53D4wYmVpZso59WTHrD3o/nyk6tlZnym9aYo1mYYdr746kLpD17LgT2yLkG5ewHTDmPjdMge8Qj5Jlkwz6Ur6CRVUkvaYPzR1cqjpy0up6NaEf5FUgPLKlzQ1LfJKWEuLG8sbPNXJACmEPlLu1WF0MyyLrZXLOJemk38+5eyMpRukAfc1hv3Buynx+0Rv6NYKaSyjYvx+iURrGJz/cNmNf3uC6nHHlh+9L7JtAioGWN4QfGLc/lvXijeFB6/m71z6rDD/MA+72TAjt0TZskXVio3i0RU2axDZKwfzZYfPFx6ejJMFhDst3lPWIomOBoOVLl8hrtRGBT4v1yhBlfxpVdxKJLvcKOZVh5Ce+u7WgLH8O5C6ds3sk6XFaI2KFrvU4yA3/T4/dMcq04NTBXZKolST6aZdMnwseM+4hPQFE4WLE4zbn01C8d87uLKSgFLQw2oSwafxXT0QECxSeyr2VHlIRmBETwPyYMYhAxEo888tv/3zxGZWWdDUfaV19c+92y1GY5fp5JchHHyZx+ZPBF13nsoMB31TUa9aLxpvDlb7dTEpBBAa/hpHZoOfOT+8QvLxZtldYxPqq2UG197M4eHVcivVd23u48dKAdLsBj/zoV0XlKsotbBDxiNWAy/9ViARXG8leipWGmsJirfv1j8/rKi1l3vnZt5a638ytXapx6fIHinN7kQ8piPlpAndUYR72QGukl3GVfgau1yTrgSt9Q2YmI0M2ayG7EYdzqcLgKAvPS3t2MVCd6peS3Y/GTU8XefPcjyp8dtJyN3rli5dDOB5vNrc4Um5MPuYF/wjZdvn5i2I9eiG2VlGvHxndnia/EKqulWbcHZgO2Xn5k8eTAKO1UrLCXS9ifjla+8mv7/2XsP+Diu8150Znuv6L0TAHsRq0SJqlS1utwl+cndSZzE72cnN8XJe06uE9/EcWzHLbFs2ZJsyZaoSlVKFEWxd6L3jgW2990p9392gcXuYhYESJDYBWcFEbMzZ8585zuD8z9f/2ACgt8U2UBWuAu0DHFb1yHumTiaQWEORzOIzfHo5wjD+0IcXOTsXgb23X29YZIrPvVB07uUxGiu0AH2DfBKw5sW07SD51PTnXh8KMzdvK4ECbETZy79AH9uW1aWl+YZB0a9CKROnmn80S2of2RB6elzRGdjM9kU8rfU6JC/CHuvBfUpNs4eDojwnD1zcTGU1JSZry1UfmTHwp2+sqA7+G+f6pzYsbpkjq4JBtPU1tWl61YUIdsJ/IMSUvLM2j/H/Rd1CT1DXFi3In/V6fHBfjifpz8KcPLmUHhbf+DaNXEBGo8RGOBFPXyumzD4gfHQB0NsLAwq0ZKWM8yXd5pv3mCGzhgLOi6gZU2xyqSXRQ663p9gk+W/4QB7stN+7YbyUqulXq75jCo/4BlHBZFEd4kD2LXlmnwtuB67H6DX2jX+t68MUgncJSI7+/jWgju3VUMwjd/oDNLvdYSSsRlCXqNO9vit1deuLweUxmcQSFmcp1fI6X5X93k3m0BoEnfX4b6x37u60oKCHDBfOtxu1GgiGaKTmFwiox7aXnL9hgo+Qupkgv/5JnmJVYkOu1+zA5ITHULx/WaHZ+eIp8Cqo9gQ4qf9Aa9SSh9qR6KTqD/M2TzcoCPc5+ftUAFMTbUANxJsuWIHYNWrR5zQz8dsALNJotflq+7ZWbu4+mGo0MuwCc7TrW24oH3/ApxAFpTOMVLobPZHRVO3bCxGXer0P63ZTcUz2coBEZ6zdWbmRxdyDO1oNH+wfzwVTmI3Qy0M/+2Tvdc0FSaDblrH+OuFzGS6qPoZaV0t6CvWQkjqG+vMH/b5HDPK15k+sPq/0xLavEKn08hS5NOZJot/BJzbf947GWZhpk30Dr3uvfVauKpBsJ6JxoZOGN55FZrrndF2l3csOqPkhqZ62BmxuQLIoZZn1JmbVaGQEVHFPo8T/ceRON45NMm0jNFoVIgYRjIyZOJ+99AALPwzz6a4L24t+tjOmvIiJA8hN2G+3js10uWLJoelIW3I9c1GONxxTCgQi4QnvuZIhy6lVtUV3LLKff5DxHpNL9Q0BZ38oXbPNrj8GbDZ4Lon+FanLXmHAce2+kLV2ob8oNceDvnjmbGxwUD56ZVV2lubgj8/6YP/dnwUGMRwiD16frzaEkbFJAjNOKOSS15rCR4aQRA2FLZELCf9T5MQv3FJ/8X7xSOi/WcferDdEqQrGop+/p7qi6vNesGhQVBGVMXsHcEFb0xuABt2n4cRBPkms6KyWC/6hSWzK+eORb1Hzk1ZCsEQeDY2FUTDU4kyUq5RPEJo9rVMOr2hhCoytcHUN8G1SbDl4p5Emedd11SsKRLe4GM1PzQRfuWIKy6tLu6jM/UG7+UD/VFpqvU3Tym9f5sRpQZnsDl2P+AKkmhDmXp1Xkq6EGCRO8yM2hyxghYIJpYhZ5bFnJdfUKrWGJD5KxTlkOELTlIo/oFqE6ioODY+jLTez7/d/utjEwk1OHKlPlhvuG1rZQVc86B1R03ocBApt545OJRssAe6gMJ1pXL4daMWZPwHAU6jI0P44SP22hLi65esQMZxa/cEKo+hSlUoKukeCoyEYqie4AvH15UpDfREIOCFQRRwiyvYW0AiV6j0j95SWqlKWTpw/VSfZ3TCB30+GsfbR9gI7iLB09IYNic6z4oDXq+S7j3msmE+Uqc7Rh0NY8HaPMW2NXNpni59HGDrxf31YSJc3uCJTvtQMHXiYjRhnlaVaqwmzUK15Zc+IrGHReSAKD0vIjOXpqvackuBVg4RIL4mJhOBZafdKenos19Cobrk/hbzmKxKtKSsUH//9VXHftdGUk/N+kDd+uvj7o31WqiRhXTDs264tBNgIKykY34mZoKd6gtItipficAhwV0CwmDyjLIik0Q6lhKJFIhSPrcbabPi5ZAhGcOlC45dwGmUeUambpRGZqFOJuIz8X1T8KFDp7oQ1+SfXq6hQ2+0KG/dWlFVpEEBiUAgAGwGTTZ74OxoQJoUUwuL6SqLsjRPSfPokkBoMhskvDRPI60zSnvhED/9gaQ/4WYGxtz5JuW4K3iq3w0385k8ZjxnUEg2VykTiE7Cd2gaWbVNRuL8FWHp5sKhoaFgQuCGwrbHE4U9Hq8cZipOg0IKv4FQPD379JOz5DeJ6j7S43/utH+2WyXYh3cxGmafuLUB3pFZQnEaGdiXdw46O0ag2IAvYdpFKsJQDeXG+ScNTL9f/J4dHEjZAmcHSSIVC+MA/gj/4sYyuAIJ3oZ1/N3jvQv1CBXs6nKcxPq+pblwtQXIEl8VUx6CqwGZ/MXDPuRnFpBwUtouwhdgJQDGF0kxJKNyQ30+XJFRS0hgAzH3U5kIUlJPDA31O52TkH2xpCK1E/ynLNaCiooaJAZBZSogGYY24ojsOeLoCs48JF8je2STbm05BTl43DaKFKEIT5LwDFKqoV52sn81y9E1+RIkLYmDIgH8pA82ECqFpDxfhvjdBLVgrIenu7oHbCNdw/3d50YC8VCxeAM4mZdrJdgS4V5CnlRmNlsryqtKisuB0NhqQGW6ZYXVHyDCceLjjnBw/sI04uHxk5Ce0UGIpcJRPvETZTgIpom7luIA5PGeAPP0vgm70JziMob94GrLro0VsAotBYUXfmYownQOuPp9zGzRH9NcrZPWlBrg03DhjsQWWcwBUXrO4smZH2lYl6/bUGp9b9hNpKOZJRhfcAIL8f4uFzbajcjmn30fIBayk37ilhV7f3HGZBDIEA4c+mOHp+Rt+ed3WZyBeMGGyzUMiKF+BsmbaLKqTTMSCTXNKqLWTqBO8uOhufVGeH8oRXRGA+Rmhm8UPrC5RqLhsbERudyWl1dkiqXRhspRqlSrlGqzJQ8JNf1exwsH+9/si7JoHYMDbFaa9HRjqRLFn5MBD9ywuaMxTfo0fSQciyuzyDP5/OJ2lYLGEGDohJEjQTxc0x0+sm1zeRlbiEtb5StNxEE9wsnzLXk6nR7qBAwlcS/HMkoShZTyCVGSCSdqhZDdBiQ6cMysVFVbBMwuiMdNy2eZ0tFl/gK1cIFejtjrVg92OemjiD2clgbCD+4oRxKe5FFfZroW0D2GEAhFh2z+0VjB9fQ7Wf7OZnNlMal0kn5J/J5THBDhOaemS4hYrCAmneqOOv0z7aSkwezPpFdy9Pxwfbk5C/9csdCA4Ht21Dxxeuy5FieqYc6mH0Ev398/edsqrdmguKxqAECLkqY2W2QUigpNf6IhHpFRsWVaYCkHavWOhs7YiVUaO6H4J5ZwjUPBqOk+SFpNeFeNjg7ZHRNAaBS2kstJ6Bp+UMyqa9jfPhKFSj2BnnkKenuDpsiiINUbp4VR9IZHeJHIJZVLCDRGQS0IrUQBIfRBe7hby1EyMqkBYrHDJMMzhSLHKNcNpErcitiw8lJjUVlDMipjpqAAQHVL1J/Gv1pJEDbbxC2xA24Q8DzFCN4T5P7+gbzUBuQbdpPn+wN/90fbuFAg+Oz2i34GPgTnBwII8nal8jbxIFS1fuya/JW1UDgIvI2JZkt70No7icrrgjTg5VlVbc4zZalaXpBm8aQgB0R4FmRLjp1UqeTr6ixPnnUm+xsnxoCwyDPdk7d7A1ajbmYNTlxe0oOEdPLY7voPOo6OA6zTSSQe0ShU8PT7zm89WAQvt0wgdOnjQM8Vhcp//vSMNxDSGKNbpGIGOCXDZPxZiJpFXu6POv2dzmjCnwuXIImWWZEbBGnJZ/CQiNKoIBmN2GxjkEX1eiMSbKEINEJXPzo79t5YGPhKuuUpVGrcVaffvbUIUIcUmfFnoSt8gOA2DxOT+WbYhOggjQobiHhDgX8hzkJJi2htjpnZQyCfCkpZQIsbZkiqZ1lS3inop40aBjptjBr7IfzDxHJzoj4mEnaCeAw8efMRfyRyqkwEpYm8GmiWVsIy3gwbmjBPYQzpCgcBwhf/FCYB25E3TrqPOwQKpuF5YPJKi+qxOxvzjBfIsL34xM27R7wznf2uUxNBTGfatOOFW5WnLCvUwe9y3v2JDbOUAyI8Z+nELIgs2AKbaqzV+oHZOTLRT5jje22R3mEPgnwW1O2VbFxbZn5iV/k/vNGfHC+UIAByDBJxrznuvmG1HjmrZlTPiRaLdIDtgmqWih1L9uw9ASAKqHamx49EmGma4SqlZEONJlbKKd3ISkA6tqC63S44iEG/fXog/Iej41EkaokvtDRlklB3bq+orCiHE1k4HIZuPAp1MGzgPKuWhFFEKy3RRCxLCnCFsCVpP0A4En9WPKw8BuAz2wVcRU4UpcYg0UCKdiYvBCjvqJ8u5wzHcjhjo6YFLN+4BaBL+iVVhMnqj+6S4cEZDpENDQmfTh947KYl/gesB2adGwyeHIplBU+HNkIeHNw/vrnQalrMPCSLO2zsmeDTd7zLCTt/vBxncv/EVaJIg2wkiY1v8lXxOLc4kPxXmVuUi9TOcAA60pI83f1rrf9x0EbNyk4FXWWHlz/aMbyqNl+tzFJvEWQpuX9X3ZEe1xu9vmkImBkgjsI0/cJhV12RIlF9IeXyon1BZHO8r2TcAc5NOV7Fr0EeRaYtJKn+2UeIeJ4RSXEV7s7rihWrKtSCsmOCTOAcQMzu9B4+6+j0sTF9dQxgWb4iT9FUk4flVaFQ4ge3YEXGv8jVHGWiCuno7HIV0F2rlOnSXhzw8RzIwTojr5b7qZRqSFjcpXK1VUZ5UM84QRg5iD0OsrLdMYmdAQYPaqe2FSnt0r/4wrEc6VmJzaAVDB+aiCBHWHKSluQxYBe2u0a/ZXUx6jpnLbyFo9zgmBvp9hBinkx8/LhCI0M2e4RUzb4knsk5DojwnHNTJkww8jhubi5YcdbeFcRSm7raUpSH4c53OftG3I3VeSmwI9zZ0pzVqhUf31F+rLfFnhAlkwmhqR4/9+4574PbZCqlNC0EObnhIh2n8DAhlgKY4Q42NBE+1O577XwQyUdJiaKZD12kpG7fqI+lUknpYaZJ0tHwZPhwP/Jc49RUY/g6377ZoqCC8AmTKxCWrEwYgCE0I0ZXplRyXChJFU3BXq41WYuKiqcF8JkHAJsJrtK0ZZAhdS6h3U6iNubvJiTm0hKnwx3xIVUak2bnnuk6145gAoBa+8B574GRdG1HfCjYojSZFPdsL6sqyV6nKrwlLm+ord/dj2Kss7axeEs3FKlX1+chb2iuzY9IrwAHRHgWYEounkK1u7IC/bpSTUengPQJ8afFxrf0jSMJaNb+6cJpaHVDwWe32X9wEG5DyZg3NSGoo/Baa7BQL9213gTISUDmFZsvIJzHH+23hV8/6XqpJyKBzj0J7SB7lSqpJ641rigj+uK5qQL93gBzqMPf5mOSXZDWW+Tb65T2yTFKIlPIFUqVCrFYMhTihqwEMRg+azHlflrnpOoEcDvDohz3p4MBOfUuOgpPL6+diXjTq4ZNtwOR04e5/RsDgW2gfTD4bmcoU6ksFDW/scG4uh4JxrNUw4Q5gO56cNzzRjtyrAp8CuWSNdVGJOMTuCaeykEOiPCcg5MmRDIWUrNRs6bW8tsWt4CDGE0Nhtn2fv+ONUHYpYQ6WPpzUCeiBtdtWyu7R/17un3JzlZx4kgyjQj3fqsXIbkrKzW+ME5fAAUXa1TYCpg1so7hIMT3A10hqKOl6SGxEGb4v7zFsrJGG0WBqjQj8Cw60ACi876uUHKOTwQH39CgNqklriDLw4GYiQZDAVguoJ8mcrCERgExFDuaHS8DXysmEuC59D9nuH5xcOxiGIfXHwBVqZ5EKDbs87rD4fS0U3jYBbcXswZETqDCh5DCVbDtlTxJ7AgDtvBzhxwdgRRLxDQRCLvndpSod20qhcNzNu9JPP7wqfaJc7agkIsGXaKV1VeYkOh3elzi79zmQPrfc26P5uqmHgazxipUyBg97EClwXRewKX28KDzugEHKkBnrV0NUIQElkjl/2Ffp4MXCDUGwBx18mWnPXq1tMCsmLYTpw92cb9DLxrl6A/Pe1Csaf94lEbOzyShGc9Cqo0bi+QPb7cgHzXx4Eq4L2egA3dDsdw6FEouLAHlKsyKG+u0Xng2E6+uqSkkvcHhKob3coo4cuNEsnIbzZ0TkzaLkJqaZNgg9/rcSM0svJUh24ykmGb0D/iHU3f69iN1LNFYb8lvGTKN6xREE5/acOm/YccQCLLvnvF8NMknaztmKOP5ep303m2lcM5I1mTMNMiOI7wJNmfgw1a78BaD46rM0sYqa9b+dWcHF3OJCgHnglwiX6Q1iQPANvg/37g6jxaCBwDbmQnmcOuQzRWMuxol3ZpFhxAQt6wpeWxnKamkIPSBH/LrnaGj7b5IlIU5VajJop0DsCGkGFWKf/227edv2/dPIEkT/mRmcA4K42iIeWyV5q8eLEJ5DILNMxczkgHoDYa49zqCmJREI3h+1ZjlpSR7qMDIcQs+aGzWyvGUxF04CHDEqhoKh+DjHY6E0n6IxzVMztCLku3OzH1yipPLJfGSCanehDTyi0Gwnmk66whUx8E+hQ6KKlAIJCGZdfcVPkGMIMjc/lJ7KG1TlaCDZXlYhTatLM5ax0mQir9ZvPB9w85jYyHBPUSxWnrtmpL8bM1CmuC2eDB/DojwPH9e5UBLJPhsKDetMQnXSEbs7plu38Coe4mTKs7JSEAI8ojdtKHk7hpdJqxDOoY/nvKd6glg5Y2D1pxdXuRF9IyKF8ih8ZM3xl9sDbZEpgAS3QGWYsIuv8VM/+C+gsduzlfIpQDm+WAzuZ3nT/UGz7pmsofiDEDirgYVSTCS8UP2XQV6GcmAnfRB4Bxil3GC0DfrE28IYRd5SJLQGSUrJXBPxv5GKaORrTsZ8eHqH+8w6SHph75YBu/kDtECW4fZivf0O6/gd3BVp8Q77//tab87hWczREARjJKsn719BSo8zpzNyiO3L/zsgWFPmgvBNKlNZhkKeGCPPn1C/J3zHBDnMuenMHkA2FaXFelXFKoE0xojb/VH49GBcWc4JcAmuYPsOKaJGuDa1WYdMmmkCWgxAoFB3SHu+2+Mw6CIJfhyEA2Nr1ZBt/b7//kV+0t9LCp2JAm6BOcgYj5Sr/7mfUUbG/TQVC/Ikxx1sfad9cAWnKAc3WsUkhtX6dP9txItyAF5ilYlIZLtzK0UhGmHn+VYHhbWlObTX6B7j0R55CCZPkF+I25Zr4IumkJKE3WKxZh0Mu5igOjgc/ItycdOX7rFGkpxbB3AptRtQPJNV/KYiMqooz1ij/zFS5PYzyVPXzIdBp5/YEcZym4SXmTxB4aPj86NvtLhmu2TAarVNL2+1py1BTyymK9ZTVpWv5FZzblsJa6iyLiy0mROWXCnaMW2O0rRe49ODNs8lwfUFocpwASlQnbbtoavXV9iTlW8Jh6AjcgIp3h6vysSZmEbTpxflAOIIADCfSdd/99rjq4Ak8ZLKcWv1sv+8SbTV+/KzzPKURRyDhgTpAd1sc5NMGlxq816eVWhCr2lpvpI76DQLEd2zZggPDNqpBJDu2Qvs8Rt4E0owtu8TBhC8fQHCIxwrAKjHOI48n/l62RIRDp9kaTmGPBTqIUc4+vMXYkGkLl7JyJJRbPIFS3NlyGf5FJ41CcISzogdbWRXetvfz9Opkd4n0FjD7KjSnfL1ioyyNTtS1JXS3+IufEGIvtPj8P0I0iNPBq9dl0JwjcEr4onc5QDIjzn6MRlJBv5PZBX4foKraBYCZnilV7n2e4xXzCl3FDG7pboApZLk055y5aKXeUZa9ZjLXptIPhfe52wvGZYfy+Wep7rGgp+f797LMrLEMs0jVBYJY1S+rZy2ddvt9yy0Yze5849Ivh4YF6fLTwZT+U13SLKsGtKE36aM0g5fX3qNwTlQrPCqI4Xb55qBgP2OTsfCKcIx4kboZ/3BdmBySh4lDiJzZmB5k3Qk/MUnOyqtSmJSTiJBFU1z/QFYvseAWIgZ7aNhLGFmumQoqwKkulzkSci8YAFHoDJiNP795cmzvs4QXET/clYdlOe6m8e36jXkNwvWetRRTxFeJKK5PVOj+BY8Je+o0rfWJ2/QCaJzbOdAyI8Z/sMXQR9yKuA8EcEQQreK5co3zk2YYuXKxJskR0nAQvlRcb7b6hdY4LEMAMtSdTRQIjX+gPvnHRjrJlEvaT28zpEP20Dgf94yzkZiccDJ/CJVnH8IyvVT9xSWFusRuzTPC3NqU+lkQ7zRE8gTdcajPDV+YrAnA5Z6AdPLDIr1hbLSEGo6X4Bu+32cPtAYPZeAWAJv+0he6TVm2iO28hZk44262TIS2rSSdeUKwBm0/1REDdRPANExjqcOR9vgODvntFQm5uTJGlgEI9ba5IC6TMp2BOdX4EDCPdg1K/fnnhtMJxJngT7NDz3jYeaUQqdFAvN7g/UAP/zZncowwtnoagv39ecKeo9u0cmUjcXB4RX8LnuEK9lPQfgjru6zloZk41mE4sN+L4hf+eAA46gs69mzxnAApR1162v+PT15fpU36VpIgE5kG6p//2h+92TJFGDoHZ3uvG8fkOtHY5w75xBthDUWExRFRql1Fe26B/aaS0wyWM1JODEjXhkEqoTPwAqJH7i52c/UkrzvjB3ajia4rPNU/CjhtZaUOGR1gkk13uadDClJmATBxGO/6jLBz0/CEhuD9om3VEA7ViAFKGIf1CAEseNZRqTToYFX6OU1RQrq9XJwIriG3T7SMTmjKiSYBu3o0Pg/UtHXS5Uu5rukHTL8U0lShSWjj9iCf8FhWDj0RbPc6f9SnkyiclE0WVy6k/vrN2+qghnMVnJ17LtGDuJI23jz56x82lWlhihuLq70Yh0Q9lGtkjPpXMgq9/LSx/e1dkD1HTNNfnNZTptYklOZYSfoV85Nub0hLI5wipOMijcdU3Fx9dZIS+mDmLqG5TEkBt+tN996LwH+RiwOmcQtQXvnnWS5z4459nTE4QbXbL/FVztbqlW3LTeCKnV5WMA4aEwi4Qe5CfCxQ9wJvGDM3DImtU7KkdJ+seQ1WQGLONtzBqpUSubj2Y4GOG2r9QjTjd5mHKZ5IMhFjnAgUxAaNCOrki4dqxox/6+CFKOJYiBt3uxgoYbWgziiXhtNcgb8uhkbQBenIEw9d4ZDypwoJ8YYWTzAfoPtXnf6QzhIKlDvkInX1Gq0muI+/oSfmKzT+FN+NUhr3NmA5NOUTQUfWhTwQM7a9MvZOX3QIh55UC/CoUwhTYb+Lu4fVt5Jpt0Vg5IJGq+HJixHs33DrFdLnAAEVa7t5Qd7XW3kJqw6Usm8mr8sdV1W/vQbeYGJILMvI5lxVDNeuWn72jyBaJPnXMKJUsiOOWkaJiK4YS8vl4Hd6cktevChuANsE8d90cBcrOYxjA0tOjzT6fVVKYikdCpvMcK2zoGdODVSZI5Ip4rTUpd8qnMVKNDaEdurFedPw7pEBg59QAvR6E+B6KkSvKV8XJSAHLUov7jSR8s6MkrOyKsdtWp4IYWJOFYfISlDBrpiiL1u4Me5GtPbBHcLP9KSwDFNJEpJd4hYp0nXNE/HHKB28nWBrxBu6oV1cUoPE1E18y0X94rwGYwp3Mw8Oopd7c/qf526mORNebLW/I/trPGqM3euhdxkuO751PtY7A6I7NrYq4TA8Le6sEmw+r6wiz/E04QLB4siAMiPC+IXbnUeGVtwTXVQy1nnQJEQx8rle49NLh5ZQWCjEktn2z9xB12yvO1j93VeGLk5HkXrInC1Dqi/JPvk8FuadL7I0TDudAxQUw8Pxrqd0fkqvS/Czz0xb4Q1yvcZZygZGHZKKGekNKA57QboIrsG2OTRFlyHZRWWKEZJkLqfMiGhfralfo3WgOgaCbVBk2NRznsUZrNUquO+PfafdF2F5eGzSAANZlvXGOAGiDxLJQYWVWt2TEYQdnpZIPHCEP97rT/7EAo3qE3xLU6mRHYpZPEOHRYpZKsrFBDdE4yiKeN+7J/jSsMOgf8vz/oOupE+tKZjUvys6EFubdGf+8NtXBryFpfsGSC7d7wM2/3ICGrVCLwPlvk9L07q5AuMPkW8XjZcEB4pVs2w7uaB6JRyW7aWIKcVoJMgPL23cHogVN9glez8GRNqfnbjzRusigFQ7pBMCTEswH++SO+k12+DF5xFxgWIo9P9AZoObA5CX+SboIMKvhDmqdeSrop5RAANubwQnuRcpaiSvWofLWAP8Ziq+KLu8yIY0pes4HudpbaNx59rivwh64gDsaZFLmZKMQZ7m9vNFUXqZL9yEBVZaHqpjXaOkjwpMcZ8mIdss93B9DnG8PIQpoS1QyA11P8rStUKKCZciFteJf5K5HaKap7JPjiEe/ByXjNkGTGTD0ecvN6k+K+aytqSk0LYfZlpj5z99j6HD03+mGfV5LqARC/A1d3VevqKixZbjvPPD7xygU4sIAV4QI9iZezjAP4o93UXHxzpVYw9xb0ZihJ95M3hkYnoQeEAJcs+2XZSAAXNKkOtbah8Ilbq3RImsVPq3TTKaWP2MOQnzqHgxoC0TMwk95w1vf4En92MpJmdZ7V8OJPAMxgjx51cSRYK+kDcEEZLhCQ7J2VdD39MC71rqnSPLJWS3yvU5EIjIIpGg6AOEgeP1ohk/bjG3Q3rDPN9hAHQm+o111fr9IS1qb0CK1qvM+0DkEW1Nq316tuXm/UqGUJWTyd3Mv/HVM9ao88fcDz3hhU9Zk+dJVO/pU7qresKYV1ICdEZ68//O7xYX/sjZw9KpTYun1LuUmXXud7dkvxTI5yQITnHJ24eZGNHMJ//mCziizSyQs1uRdgAM/js/bwqwd6EBWTzfrtxFCROPO69eXffaQJEhuMn0J4wMNT7OAk85v3HZ0jQXgd45O4fe4DQGMgwo14iWdyKjzNfd/M1XRYm7kydQRIiISZSQ6Up2+GlHD8IXkx5kstjKxKheSOTaZvXG8CN0iusSlIRQ/JnUx9RQMA+be26x++1gK+CbEONSlp+KX/+U6jNMrG/Nri96Z0SMYYsxrgAM3ur1d+cqfVYpBflFo70f8sTi3kBMhG+e2fvzX5QapmPrkP2GiREPWx7cVb15QDm5MvZedx/F1658jAwUFkTwWj0j/QBHxqnbW5Nk9MRZLOmmX0Pd3GtoyGJg6FcGBFVd79Tcan29xCQMXrNPL/2jd8987arK0ymTyL0AfA5e3a9WVfm/R/e++AWhNPLT6FS4mWWM72jzOht5x/spuuKEAervQGiZbJBxA1kd5kLBCTzZMvXNSxYE0/ElUV4lxhlpPiaTMIjV1Evp5slAVRM9Pz4wh94wazUSeDu9YxJ1HqwtkJZtckeRoFJSHjIje45IGteVsb9ZC1caPgBxCLz+5rzIiHfvpD52E7ExO/yTYu3h7dIpUp0ptEImy1RvrINca7tyHm9mJys3AMyRMeF++xWWEYeKjBbJGBMkFyYychBsOR/l9fsZ90RSHcZ2hIw8/9i9sL79nVkP3uYFND4LmOYc/rR4aGA/EqLOkjK1RKYboyG5DNM/2S+H3ZcEBQBFk2oxMHQjhwom30we8d4bXCdTKQ1/DRrUX/8OkNuWLBwmo+7gg8+2b7Tw+NIUepoGyBUcNEvcUs/bM7C8rylTGN5wWWfmxf4EF9ssu/WC9NoYmUn0ruDRZneIaf6PRBU598HserKlRmPYlCXugHfQLkQhG2eyR0qMMP5bzHO9UH5HGNltpQrNpYra4tUUFqnAObk58rk8l5Nop85h+0+s4PRZ0hNhEjZtBTDSb5tnrtinK1QSODI1lMt74AuuNMaBsKJj8Rx0opDd9vrWYBSnIkSBmwhf51j+2MN8lFLrVfbDhUPIUd6hfvW1VRpMfFnFBrIyv+nn0d//H2wIhQMjiIzp9ZbX7inpXI4CvCc+qEL6tvIjwvq+kUHEwowvyf3xz75WlHJiQr4CP/8fmNW1aV4PacWLyA0H0j7l+93v78GQcCx4QUA4QTQOhGneyv7s6rKFBCbzwf2TRmsRbk4oKyX2VEAABAAElEQVRPQtaMJdBOuRF7ILWQmy1CrS5KPzzVOTAP2nF4K/vCfCDIxMVQmCzhTY2YKAjQiKGa1kmn0CP4BU3xGkAHjFRiIAwd4l+0RIcqpcSghus3SlqhBgcEtwUA8/Sz4GzOE13+rE+MyHl1iBmHLQBRXn/9nK3TzwgGHcW7V3I8sPnRe1auKDPNemA2nsC7jTenc9D50z+eQfx9imvfNL1VSsnfPrhix/pyMVPYNEuW52/pt7/97eU5MnFU0xzA/rrArD593mZDxKvQh5PItHRwbW2BWiksYQvdtKTnaFqvVRZb1YzX32cPR4SMc6APeGULs519oZo8GXJh4kxKSJDQCKIcv1g/gnAL5IPL9OyfJHW0EFkXOgdMA9lQEmCugcdqpTT2Q9Juhhly6UIdpFyPb3cgyoNOIDBM/vEOFQrich7r8GJgOfGMOLWz+ZxoMPcBaIC9+XSX/+9esA2F8fKmeMAl3UvLWA6ukf/PPU2NFeaMm7ikG7LikKZd3hA8Qn5z0hlNyg2XoA3q7E9tykeuHtEpLMGT5XogsIddrkO9ascFia20QH/H+nzosQWZgGQUH7X7TnaMROYsZyh475KcBGbA0NhYZXn4prrbYE+c5Wk1TRVSfkpaA9xfv2w/2emDu1MueAVN034xv4H+RAqP/wCtL1bAnXk2QDrR4bRuHPC6MLyf6e6Sj2BsxjxiNn/wtmMUycFnx6hNPwJp23bX6D9//8rmaiuE7Vwx0cLC0jfiOtTuSA0vnxoV5neFQbauIc9iRLoC8bPMOSBKz8t8guPDQ+1C5C4YGXD0+ZjZqmD8zdvDvDzgb6ywmPS542xC01ajutSqCji8rZNhIjkKfTBeUuChN2iVUyUWBfJCx0BLqKl4Lrs5ADk5GGb3n/X89wH3QJinM+QewSAgN99Va/jSvU2ra6z4Ovudz86BQrM94Q7CYfsPLY705DUxinUUdf/6vBs2lhvFeKrsnMJFpUqE50VlZ7Z2BiUZcvbKePZ0j9s/S8ONxQvSUDDAV1nk1aWmzB6w2TU8oLFEQhC62KLyOv3nxpEoW1gbBOCGhuBQT1DLcXkGGTyTBTXP2TU8kZokDkChLZfSdk/0rVPuF076+lENNbM8jFQ8D622fO6OhpU1eURuzrBvS+o+Ww6R4fzQ2ZEfvjPggrF/Ftn4I91epHrghuq6crOQ2jtbRiHSsVgcEOF5sTiZ7f3Ar0cul4yPeSBozlb1YQnzIt4nGK0sUBdaNDm0omFrkWfW1pXoQnbf6cwIjelBHE+HLRr0MPlGaZ6BOGgtmYo221+W7KIP2IwXcngy/Oox156W4DD89YUVJYRs+II9sMry2O76xqo8IHiuvMmQm/E+IkfQ797rPTgcnMnVmjQVhTL63o0F122oEAtgJHFlOR+K8LycZzd5bNhua1RyGc2e63S4YYOetcBhuz7gDhcpqOoyk1Yl5F6c3F3WHGP9hQxtNqgayvTyQPDIkF9J0hPPGl6MYDiRDTqjTgejV1B5ZgWUpbCn5soKnjUsv6KEAJsROXaqy/fyMeeenghCqDKJzcTuHmY/tdby2d0N9eVGOap5zAHjV3QQ83kY7QtG3z7S/8zR8ZAQ2XDv21ao+PjN9WUFupwa13zGLrYR5oAIz8J8WZZnEX8ChI4EgmdGfIwQgDGUJOAJ1xepi/N1uRIGHZ8pbD6MOmVtiUEVCBwc9MNhSBif4eFM0wM+ZngkrJHyRWY5QlMW6Ne8LF+NLB0UHMEQcv3+afdTBz1H7ci7khmYeAp22cc35X3itoa6cguwOUuHlIGsKMue75747gudIyhzIrQBKVVJPnVt2fZ1ZWkZYTP0J55eDhwQ4Xk5zOL8x6AGPIejnX3usTDcXgXuGw+ySG3VVGU26WPJQAWaZOkpILROo2ioMBVJ2ffaXVKS+kNohESnTY9H+I7BsNMdaS5T6dWy+SUWy9KBL1OyaMSgO7zMf79p33PWNxihhN/X6cEj9fgXNhd88rbG8iKDLEOS6um22fWbxKPTFOql/s/rHe8N+AWrX8Bdc0ep5jO3N4oeYdk1eZeZGhGeLzODs6x7ogc2qgMe34l+H7IzClFHnxr3NBoklUUGpVIu2ELorqw4h9HpNMqqEkORjD3S4yHZs4XHSKQwP0Wfn2COdIdW5MuKzQqS0TIrBnG1E4F5gNFBq5T0joX+/nnb++PRIPwLMswjmAXlh4Xi/3Rn8afvaC7O00K4zK2XFiOAheXt44P/8uaABNXXhT4ahvmTu+rWiHWdhZizjM+J8LyMJ1d4aCqFDEFWjjF3uysioCtEzgep3O72ba1DbKUq5xxEsYxDgd9QaanS0e29Ll8MooUZAaFFQjvC7L4WP8vw66s0AAYiyRAkyLUVPtMIc+w8YTsSiqnkkqffm/zzlyddLC/JbKdAY6BZoYT/4o3ln7lzpV6DitlzqL+zlBd4Q9sGXY/+4CiPwltC9KOex8fX5T1658p4ivIsHYZI1mXggAjPl4GpWd+lXqsIBn1dfV73rCCrOO1DHlYSDK+qMmvVueVfQ8jHGg+Lclmhvswk89n9Q36orjPCLcA4SksOdvvGx5mVZQqNEhI41kNRkF6ClxhiL6yuI5OR77888XSLX6OUorxHxpmDkYLl15oVX9tddd+ueuQ1Q5I4ge3mEoxjYY8MhplfvHju6ERYCqXBLCUBdANrdJJvfWqt1ahZWL9i69zngAjPuT+HCx8B4oPzTNqREVe3I8II3Y6l7kifZ0W+sh4QlyGYWOi+LDqnkEsqio2FRjnn8g67mUyJP2MUI+RM2u2KvHPaW6CiaopVSNANqBAh+opNJ2AJDA9HuA/PeX7yruuYI4pUnXPzH+bY64sVX/3Yihs2VSpJbe/ck5uxCUSevufe7/7XtwflwgntaIOE+tqtVdvWluacHuuKvTzL+EEiPC/jyZ1raPCi0qokbd0O+IgJtkOFBfeYa2WlIbfCoBNjISu+hCorNKBOkToaOTvsJxVBMstiUHSHIEb3Bp0TEZR31KklWPQvooRUggDxYJ4ciOfp7B8nYc1PH/cNhlG3EvOUaapoCM06mvrUeutjdzauW1EYkzkF5M55Pn1Jm3Hw1v6r37SEIfcLqQlQCfTTay2fur0ZhduXlE7x4UvDARGel4bv2fBUq0kd9AU+6nZzQksD1otBH+sY82xuyteisjIPz9lMK2Y2jEaABhAMGTjfrIGzWL6MtTlC40FmTnUpBVa0OZm2vhCyQloNMqUCpk9RjBbg7aKcArJCeev0MsfafU8ecL81EAnD0iz0NiYeB2xeb1F8ZlvRw7c21paaYpOTe4JlXDFgcwWe2ttx1CZclgqcWWdSfOmexvJCfc796SXmSzy4FA6I8Hwp3MvtexEGDU/XsUFHhwt5mATGAmNeqz1cImM3NBYQNyqBJtl+iiA0TRu0ytpyc12+MujwdzjCEqKuzzwampqM8i2jEb+L4RnWqJMZNWLk1eJPtEktnfRET3X63jzl++8z/rEwf0Gfa9R0ua1S+9jNVTdtqco3qeKTm2ubxilOev3h1w50PvPRuFfoVSTbFpb/1p3Vm1aWKOQ5FsO9+O/K1dqjCM9X68zHxq3TKvON8g9Pj3uF8ohh3UCYSsugt7lQhZpXc8udWc5H+KtD0V1dqLZSbKctiErMc+w3sOIjqXOrPdo+HA76o7BsosgxPJXETN2XPsvQRsA3O4RCnyOhvSfcvznpP4Hd0IWU0xCa8+T0Z9ZZP3Fz7camYoQeQMq+dGKWpIdYRWf+RNvYk2/2dARQ2ENgpwgf7ic2WO65vs6cQyVqloSby/qhIjwv6+m90OCwMKCkhJKJvNnuzOQCFmL5sSH32lpTrvuOYnuRZ9LUlhlrjLLzvS5nmI2J0Rl5hHUT2U/PTUZGx9lxRwi+O7VFKojdyIARwwaBVTVjX+KFGAeQaQQK7TO9PgDzy6cCbw+H/NgmCeHTNMNoeIhFOW6FTvant1R+7Pq6qlITdlqQm6cb5NjvmFqbb+2zP7uv99BwEBWdZw8Ae5HVOsnn7mzIofo0s0chnrl0DojwfOk8zO0egMplxYbguOusLQRxWWDho2l7iNOwvsbKPBXceHJ2ZcQ8AQl0GjnE6A2VOiRH65oMsYJDnp5SMlaaRp7FlkmmbyRsd4SNWqlJBzdbJJuc27N4ugvxN2EhrYInNs8PTYT3nnC9cNz/wVB4JBq7IABPySyjpRx3V43+K3fVb19bmmdS53pKSwwXJuc973f//pTdl+FvqVRBf+32ms2rSsXSF8mvwlV4LMLzVTjp6UNGlHCBSXno9JibE1wsaYZne8Yics63srpQQZJl5vAHSyJirgqtuvUN+YVyDp5xcM+GoAywFRw8hgqQ5mnKFuZaJ9izbd6BiXCRSVaVr2RYyDk5zIrLTzrhKLYyeqUETHvugOOFI579g5HBMCdQdVyIGtof+cym/K8/vKah0oqKqJiIDIgmdHP2nUMkFcdzx1vHfvLu4ASDd0row3OPXlOwe1s1lFW5vBMWGpp4boEcEOF5gQxbjs1h+EM9iUKtZM/pCWEVN00HOD7sCFUXaiqKjLnOAyzxCOxGkqkVVZbN5RrnuKfPFRUs4ZcyUppGjPgkR5+zs0fa/HZXxKqTonQ0cjmJIJ3CqOkvkJiBzSP2yAsHHT99z7l/OGJj6VgA+gVxhw5H2DqN7HuPr3l09wqDTo0wP2KevuB904/Ozt+Icj5yfuS7z7d2ehlBkzM0MjcUqR7aVV1fYZlT55+d4xOpWmQOiPC8yAzN0e7gxZ1v0egioWNDPp4ScLrByjga4jwTvvIibZFZjZRNub5WYqbkUil2G9euKYw6vQPjwShNISGJsEyTJFujBWpjHx+JvnjaOzIarc6XFZrkSJsMIVyMwgJXOY4kzc7TyfrGQ//6qvO770wcH2f8uADGCZlaE38ycU0E3JQNgdDD1xT9zzeuQwkygskZ5yRxa7YfxMo502N23+/e7nqtL4iiHUkv1Azx1SrJl3ZX71xfjt3IzFnx6GrlgAjPV+vMzxo3EBoOseMD9h638NYeyyuikvJ4pq7cpFPDdTYTkM3qOltPYAT4QY7uHWuKN1RoeX/Y5gr754DoxEBiRaaRPaPNEX2rxWsbjaiklE4lgW0+7oN8Feq8sTWRE88E2h9ke0dDP3tr/Hvvu9ucUQVJt0mDqZl3PtNsZXkLTd2/0vRn9zc9clM9AopId7n/msWGx0+6g3ve6/rxYVsMmwVeED1NPbwh7/YdNVq1Ypoj4u+rmgN0rArAVc0CcfAJDkD5dvjs8Hd+19oeFE4lhi2/UUp9++7qm7ZUQ+OYu8EtiSHjIBboAq8xCcdxT+9tff/0WKuTGQ6g+PV8sQE6SV+QrTHLH1mnv221Vq2SRhlOLpsSgJa36jsOnyzLAYMDQXZ/e+CFE96z9ohOLYUcPF0FUgCNkqcADCxTSZrMsm1riz+2oyLPqMMNmA4I27n+jpGR81wgzL71Uc9f/LaN1yhgc569sUWO0ttqdJ+7o2F1XUEyZ8Tjq5kDovR8Nc9++tiJRVarkLPR1kEvhEjBT4jhO0d95XpJSYEh193E4gMEwMRFXvzbWGVtrjKV66WsL9znIdla5iO9QcBDBlBvmDs8GDrUHnQ4QhxHLASIAML5eKGhCwCUIK+z+yTsynIpiWCedEU7hkPvn/c+9aHrpY6APcKiQAX4lsH3KWVURDzgqB35yk9sL3lwV+11a0uMWphOCIDFdkezgSzl9hz4gsAwljt2fuRHr/aMEcWMsDagSS97YnftpuaiDNdzYKAiiYvOAVF6XnSW5naHWC07B+1Pv9n5YouL+DQLfGiW4e6q0nzxY41NNfnLA6EToyQ2QhqQEz3XPXHk3NjRLteh0RDqDc9pM03cPXWA8pQMxzVZlTdXKzbWa+E+JpPSapUE6TjQIiLM1fROsvA7kAMabLAizHDBEAfHdaePOd0b2NsZbnUgTAp7lAWgKSRmKU9KTl3fZN66qnB1fSGsDOhkAV1kIY9mkYQ/obbeyT/96fF2LyuVCQ/OKqW+dkPZQ7c2amMcmNWHeOIq5YAIz1fpxM8xbJbjznXZfrqn7c2hIJKJCX54lntoheHzH2uuLTND5hZsk9MnGZZz+QIDo959x4dfPjnRHcDaCnEOIxXcsqSPFY1YFtWI+VKNFDrb2gJZgVFWkK8sM8nzDHIwLBQFhM+rq/Sul+A7jX2FSk5DJYA0nEOuqG0ibHMz3TYmZgWAVxxxilvQDgbpObVSyZe2F+5YW4zCYnlG9fJ7i+Kz2zvq/s/nzj7f5pLJhSMSEZz3J9sKHr97pcVA1AbiR+RAggMiPCdYIR7McCAYjr5/vP/Hr/We9TCZxBk+yn3tWvMnb1tbbIHhbLkhdHxthflz3O7vGHCc77a/eGKi1RmRxdS2M5yaxxGQnmV5OI3VmuTbSmWNxUqTXqZRkaAsjVqK6CP0AajOHrSGlIydCFKZxgVlb4CFZd3tZ1xepm00fGyYbXNFIiwnlUpjMfCQCOe7zwAUYfNXoZM/tD5vTa11ZX1+oVkbv1lYrpwHe7O2CcY1avf/6IVzvzw+oRSuF4mS1dzNpar/9dkN1aXmrB2ISNhScUCE56XifLY/1+MPv/JB94/eHRwJQ+E924xIllMzz318U/6XHliDmhPZPp6Loi8WD0OFo5w/EBlz+H/1ds8bp20THCzK0ky7lkzPISImsUjTJpmkVE1bVbRVJy8wSIqsysp8ebFVYdHKCEizxFQJDfu0z2YCtuYLgZkImHU+GVanLJ7Ye0BKRktXkB2eCPdPRMfsYUeAdfr4UR8zHOTdDFhCCj4myJrVrcAJJOaEJwPDsPkyyX2bCu/ZWgrHBcSdwzC//DZ28fFjtsIR5mcvnf/FgRE3mXYBtkC50qyRfO/L1yxXFZTAmMVTC+FAYhVYyE1i26uDAxOuwL8/ffLZVjcqFgiNGMm0eCXP/8M95Q/fvBINlutSGx87QNPhCQ2Ouc/3TPz2oO3UREghk2SyJgqxa+YcoJdohOE7JpEUqSRQgJcapYBqs05aYJRDttaTChwSSNhwLovfRmAbEMdzl2i5JpIxxcNbLdFzhOFDEcjHnDfIQj6GORmKa5uHG3azwwEWCU1hR4eXlwQbkoWB8tR4MVSY29db5HdvKNy8srCiWG/Wa5afKntmdmNH3kDk5f1dP3qrfzTCC/75YPqZEPPLx1feuLlq2XMjjTni13lyQITneTLqamwGQcnpDT/2z++3BPgMRmi8P1whFf3a7upP7l5FQHxhJsjc4yo01VGGtbuDbxwbenb/IFF3QwSUQj5cqDhNxk4gmodmgqQVhYVAI+F1EkpN8XK5BJHlEK8L86QWg6LcTBfpZQYow+USrZIow6MxlIa0DUEbH2A9SYuS+iGSKTy5JBSM5riCoGT8G4xywQimlRnzMpOIH/OwYy7e4Qr7gtEoLlG0j6MCHA1MgZwMsoDIUxuE1M7n8Y28G/AirNVIH7yu/I7N5YVmDYLNYrHRy80UkswNTANsIq9+0P3j13syByhS0ij7T/fW3rmzTnQHS+aeeJzMARGek7khHgtw4GyX7f7vH0VYq3BCboIvfKmc/s4nm6/fUI77l7cMHWcQlmCA9KQzcLpz4tVjI3vbXAGeymRfFODpnKfAT+AimmCVh8iqoknaarWUNshpnUKql3M6lcKiIxCOsooKtVzJs0qlQEngcJiJRPkwyweiPIzHgTDjDVLeqMQXYT1RPsjyQYaDRI7QZGSAi7v3CWtJ5qRW8CJSckLo3l1v/NTO8qaavAKLFgnaLkr2Fuw+q0+Go+z+4/0/fbXjmJPLlCkWnnFf31H02J3NVpMmqwcjErekHBDheUnZnyMP//D04F/+8uw4WciFNXXEiqaX/91n16yvy8cSf5UgNFTNkHoBoie7Jl7Y33eizT7KSdxQQ9Pw0YW9/qIEasFXAvZeIgmjuiIfT/SBoCY0hIacgzSfIUIdDYh7l4SCDxeOiQtaTBDGl7guhIbEvUiATKjBIyjewFOFCmpVjemBXTVbm4pwklwiVC9niZkMnuxTMRvUmc7xH/yx9Z2RYIzhsTchfnnqXxouCNcWyP7+8U01pZarZMuSwgDxy7w5IMLzvFl1FTeERnfPe53f2dPtzLycYK2/s1r3pXubGivNF2mSzVkOY12GtnnMEejqs79zZrxlwNvving5HtV8L85ee/k5AaCOQ+pFP2q6B+IoRpmkVLlOvrZCt2NVAapLFefrIC5jNxDbD1z0I3LsRiTda+2Z+MUrHXu6fZmcErCRvbVM89UHViIBjmhyzrEJvuLkivB8xVmemw90eYNPvtLy4ml7f8ZYaCIWfGqV6XN3NVUU6RF0k5sDvRiqAc+QbOMyIjzIWgdcJ1tGu0e8w45Qjyfa72XCsRjoTKrOi3nkkt4Tq6PJo1ZXpV5WY5AXGRUN5cYNjQV15Rb4tMfFZULgcndESEwChgxjR9+I67m3O39+zA53BEFfDYjSm60KZAfbvq5MpbiK/kASjBIPFsQBEZ4XxK6rtzHMoZPuwG9fb/3FR+P+DDI0HJT0FP+JdZZbt1bUl5tRpPJqUGkKvhPQN3gC0Umnr3vI3TPkahvydToiI76oj4WeN3ZHtorVgsPBSWIQx4ejDDK6UCWptypXVhqqSgw1paZ8q9agUSyz/HGZ+CB4Hvbmjn7779/peuq0kwSMC33AwM0WxedurbpuQ6XoDibEIfFcOgdEeE7niPg9EwcAOf2jrmff7HjpvMvGZFKN0gzLNuiYL9xUc9vWuqsWoePciQOxPxQdHPeMjHuHJz12d7R/InjGFux1RxHfDFZLSMHoTCxf4vNAFBi5sUYAeqsMsjUF6jKrqsCsKMo3Fufra4v1aiVJwxkH7gx7tiUewuV+PCYa8c1wn/z13q4XuzwyOWRioT8NnqrTSB6/ofy2rVWiO9jlnpRl078Iz8tmKq/EQIDQnQOOp15v/327Gx5QGR/Jc6u10s/fWXn9+hoUqbx6lJwZGUJyfDKBMBeKMAjKsrsCE45A62igd9w3PBkYD3LuCBeikASUhq8WcC4zZ+d4wsVdwqOm4ATKDxLixcFxjAclFglVrJeWGJUwVTSX6gos6nyL1mpUQyurUWFPISwjXhwRuXsXbBmnO8Z//ELLm0PhTPZmMLVETj12bcm9u+rzTJorOLm5y1eRcsIBEZ7F92BhHADAtPRMPPNW1wtdPkEDW7w7pPxcaZZ96faKm6+pUy2oVMLCyMmZ1jGf6ylIAx5GoqzdE/L4Qi5P0OUNoe7TgD3UMeJttQVhqw4gMCnmj41yV0hMstCM1hdkCgFkkhqFjvt+I4RLIpOYlLJinbSpQF2Xry4v0GnUcrNeYTKoobg26lUaks10mv5F9cQmlnt8cs1QDR7C3gxsnpabiXu80IfW0/wXtxfet6u+JF8v1EA8J3JAmAMiPAvzRTw7BwdgaTvZNvqTlzv2jYUh7CXEr7Rb4Mu9Sid59NbyO7Y3AKFxdRnIDXEvsMUaCHqDyzeKJUNyDYSigSAWfNYXiPRPBAYmA2PukMsVQs4Qd5ix+1kkDAlzfAjRUEn+4IhZxn9xzsePY/+CwKlwq0QDEkzN8yoJrZTQSH5iUkktGhkynxjzNEVGVUWepsyq1pFEm8gELoeIjCpbUulUFhE8YLGGHCc1AckoDtY/5gmHozlX/QyapFPdEz98/vx7I0HkpUl7+RNf4Ub3hU15n7u7udCiSexvElfFA5EDc3BAhOc5mCNeysgB1Mw4fG7khy+2HvdMYYNgUwhotTrm0zvLP3HzGmUijaRg0xw5CVyxuYKDEz6fN8TSEq1aXmBSl1i1i5g+Go9Als0og1yYHPJXBENRfI1EmQiD0hrkktMXcfij/kDUH+GA5e4omYJIKOqbThyjk/CKWGlCk1ampGijRqbVyJEaxIgcJkqpAjFPAGnoqJUytUqOSkoyiQT0x85nhJnFnR9sSGBxP945cfL82MkuZ0OZ/hO7G1EeY3Gfcvl6AzYfPjf85Bvd7wwG5ogdR2nRR1aa/uzBVaX5hqvTNn/5puBq6Fl07r8aZnnxxwifoK2rS+Hd9J3n2/tJqV8IVwI4DamiL6D4yd7BYIR9dPc6TVyGXlxBbPEHl94jEfVoSTxN2PPv95zosI87QsGYc5xaRut1iqoS/W2bStbW5VlREzCmqr0UOQn3qpX4iTE01htk67j7FSiD8AxZGx+cJF/jv4iuOoX/CcdwSczxDP/gDI5j2o6pAQIwyMWl0Co7feF/+82Jc4NeFFxxRHkPw+8c9+QKPCO++WDL2JOvdh4YD4OlTCbVAs89UKf5xifWYgMnYvPUOyf+WggHRHheCLfEtkkcgP5z58ZKuAh99ckzIbki6UrKISQ6OyX/6Vtj0cixR+/YYMzN2lZIHv30a61PvjswxtIhQFoMFGGKpcMUH4kes9vfPmdfU6S6f0f5rduqIYmmsOBiv5BtTMzcG8uWfbG9ZOV9OpW80xU55mJIJlQJfWgsdL7HUV9hRRmrrKR3hihg84en+/7r5d7jjmhcWyG424Te6JYK7dc/vr7ApBWxeYZ94tFCOCD99re/vZD2YluRAzMcgP8uIl/LtPTBdmcks3USsicrkZzs8VJB94qqPDVSSOfIikXkZoqHNvuvfnHsBx+MhuSyKLH7xlyryRBiFSfwjaeCNN/v5586MORz+tfXWVUYI6pw5sgwZ2b0Sh1hV1dTpNlzeAQSPUqCIDEpbO2rKwzFVhhos5RreBlIPu1Tw997peeUI5r5fYcHPoUMet/61Do4vWfraK7UTIvPuQQOiPB8CcwTbwVA0XRNubnaIGnpdroyFDsEjkHxykhlXUNBScRdBoFCTSr95gL/eLsn8NSrbS+dd6IKIzzV46utjKYtMrpARhdLeS1cqCR0iFyjDBpZ21hgvN/WUGGCt3OOjHFJ5oGDwX5owH5uMgRm8lLa5omssSpqSo3Z6ecP0wFqihw6PfyDlzrP2iMo8JGJa3qaurlS+5X7mqtKTGL4WSYuiefnwwERnufDJbHNXBzAGlRZbMxXU2Mj3lH4S2XCXZ6ChH2+1ydlfKVWvVajyPLFC9KS2xd+Zm/7Dz8cA+XTmkzaTPE3VunuWl/4sWsrbt9WvmWFtdYo07HsqDsaRoUMmm91RBmHr6HcpNcqwI2MC/lcTF3217BhQ3FM6veHRmlSO4JCSU6zjFpba0EoV7ZxjLwJ/sgHJwb+9wud7V4GQWiZpgfYfFeD4Ym7mxoqLdAtZWomnhc5MB8OiPA8Hy6JbS7AAaxEZUUGZNoeH/YMBzMgNNH2UlFacgYtPM4Sq96oR4xP9kqYyOp1+OzIsweGRxHMFHOwAhfyZPT9ayyP3tm4c31ZfamxJE9fXaRfWZvfUG5wjTta7RHigEVRNmc4T0nVlJlhoc82sLnAXF6Ry2TXQlOog9nTa+9xRoj/moQacUU2VujKCvRZAmzYQWDugM2wbrx/ouffX+7tDfNxVztBJkGbsrve8MjNtQ1VVlIRRPyIHLg0DojwfGn8E++e5gDyPqKsb6FeGpz09riZTO7AsMcylOTscEgWchs0SosRCajIGphtQiYW5f5R94v7e9/o91ExMQjiHcJpvrSt6JFbVtSVmRGcBE13bPS8XCZFNqgCs+oPh0bi6zfKVWkYBpgNnojwPP2OpP9GKJdBJXnv7AQ2beBlIMr63aGNtWaDVo6vS/9KEF94rnfMu/dAz9+8OuBBnrzpXVr6SCjKKKXvbjZ9/Jb6pup8vA+zG4hnRA4slAMiPC+UY2L7jBzAags0QqYL94S3z8fMsbxCwjwxGnaOuCx62orE3Ap5tmGYLxjdf3wQ7mDwDYsvygzD3Vau/soDq8sL9XHoAM3kJwbS+Ae5lN8/NTrijZLKVDw1EWTXl2jqys1zyFsZWbncL8DHCj+ICjNo5JOjzrM2kt8GfB4YC2yrM5YXGbFpm+P9uQLsATSDvs5B52/3tv/ysC0KnUhsogUfDWx+aJXpoRvrUEwzS0R/QTrFk7nFATGwKrfmK6upBVYhMOaaVSVyuUTzds+bQxlrT8KOi5RUbwyHPC/3PuAI3LOzEa7OGBtW6GwYIURnhzt4qssR5ulEIuUKnfxPHlhZmq8jdApRCf2BRiPneT9Jni2hHGF0EgqGmewPFhIazeKfI7IoRSGPSueAfWjc5/YHkbEUuUINRg3DezH9wOOoQnrg9Oi21SUwCiw+BfPuES8AsrkdPjv8xw8GftfqQpXMTLeifrOClnxynfWBG2tFX7BMXBLPXxwHlvJv4OIoFu/Kcg4AjTY1F8tlEulbPe8MBIKp6TKSiCcFg4/ZI8N7h+z+0APXNyN7Q9zal9RmaQ5RSsrm9B8c8COfFhTvWJtDIebzN1WtqiuYQ78ZjUYkkSiSOPISYqqeSqq5NCO4+KfGpmumfDWAKsLA9EBBYSu4KZnnkzCzSDPeNeg4eHrkw1Z7vyvqJs7ulFWDyuDSWKQ4ybUChr963rW7x751ZRF4uFTbNW8gCmz+5Zu9hybCSK8WizxIHyhGJOH4MMt9eUfBI7c0FOfpstzVMX0A4ves54AIz1k/RTlIIHKKrVtRpNcqZXvOvdEfDhK5ifw/+wMcG4lS/7nPNjEZePDG5uaafMBDZiXi7A4uyxmUaj7c6ejzROO1exEvZlJKr9tQiodlgigMD5L2P3xm7cEzo//0Rp8zwFq0CljW1coc+xMD8zEFKJI4YvcPTPhGJ/0+d3BjU8HahsJLgh+eO99te+rN7g/6vJMRDpsXdzBablRORPihSb8ODnQk1I5wdyLKPrOvZ2W11agledqv/Gfc6X/9g549x8ZPOyMxl0DhV1dG8QGG++7dFbu31+UZVUu1k7jy/BGfeMU4kGNrxxXji/igS+QAlJMrKq1ffmCN+pW2Z9pc0GWTVV8A3EhSjxAleea0v3v05BfvabpmZQm8XpcWob2+0PvnJ1BXMf7nEQ0z9+4oRrkhyHNYqgUGETsJ+RLqzaI8/fY1xW8dHjg37CtYOifkuBCcwIz412TRH2JxfIoDYdbpCXr9EYcv4vGGkMD7jq1Vv327451joxMBBpnF0SzfpGqqzkOq0Yt7K2DEbemZ/OVrnXt7vJwEMid9W5Xm4V3Va+rykJv0ZLvt5Q8HXusPEJs9RaEWx2tn7I8O2Dc1lZBXRpDdF0fHnHdhZpHSfHDMvWd/z3PHbGNRKuGuL3AfT2kk9N/cXvmx6xv0GuUVI1KAEvHU8uWACM/Ld26XemTQXdeXm//8k+u9/3MsVqkeCE1iq1LX2ynRBK5BR2zM6DMtn93pvPeGxiW01wJLPP5w72RIIpPGE1ljII9sr4DjWwLtBFmLcUG+1KokNaWmR+/SQwBVKUhYztx3CXa1GCc5JFTpG/czLB+Ksr4QU1WgrysxzNh0YebnueEJ3y9eajnc5vDwNMvyjITmGP6GdaVWtfTd4aAKEi2SrkRZlzcSjnJIA35xn0CIOds1+XaXi5FJGY7Syfi/f2wDvAjjHs43bVZXlxqVe1p/1+ZB6VG8I4xKtufYyDXNgGfsIS5yT7BgUnmuvd/+oz+c3zfkx34x7TVN6Q0h2hT/vU82b1tbCkVRyiXxi8iBxeOACM+Lx0uxp1kcADLlmzTf+eKWqhfP/uroRAACSibxk6KA0N1+9t/3DgEL7t3RWGjVSkgI8Vzr5KwHLsIJSGz+YMSF/CrT2SdqLYqShVgWMWoAc9zZDQQB72HL9AQiyMMsV8iMWgUukQidOcJ0Lnkc8Gxq7XE89ONTDOo6szyKl/z7A3UV+XDBm/qTh6TYOeD4xi+On56MKBRSHmlXUJmSo4JBpmXAqTdqfP6wyqCCdIvKWX4gPEPE6NmfuBQeL9qBUh1ogLHFR4djjBIN3L5Qx5AnKCGPZln2G3fUAJtjLCANoCypLjHdvbXs5EgHHP6BjLj07KGxz93irik2zn7i4p6Jbw/hsLb/xMA/vtCFGPeYw0HGh2DHtj1P+cTu2u3ryhLMzNhavCBy4BI4IMLzJTBPvHV+HDBolV95cG2BuePX+4d6gyxL5KEpoTmtA6gTnTz1z2+Od/b6Pnf3SoSpkKweV9adGxgTo3CGtHIDnHOBIwv4AKEBS8DIMUfgrWODUBSPoMgVx6glsrJCzeZ6y+7NZeWFhsWq4YgdAKRkoFoiqgeGXHjn6eQSJrbJ8AVIWbHkD+KaXjvYd9bFylUyDBmZNcskfJ5eosjTTnrDpVbNdUXqsgINskY3VplXVxp1s2qZYAqB8ehnbNL7YcvEuT6Xyx/BI8qtmtu3ljVVWLALiZuroTk/bwuChZCFocCuLTOC1IQlG5phuEZvWVP6BUfg/987EODg18/7oty/PXf2+1/dnhhRMvGLdYwhoNjJpCf8m9daf31w1AMvtTmzyCCA6poi9RfuaoAlHo76i0WG2I/IAUEOiPAsyBbx5CJzADrAh25eUZqnfea9vrcG/HOUr4exEYv1H7qCPc+c/PJNtZtXlZr1RKl6xVTEQA61nFbJJL6YYhXWT0WsAhWW8vlDNLDZF2ROtY/9fl/fC+1u6MklUppj5TzDtfX53+7x/u7I2EPr827ZUgFNOGDs4kaHp0Dn7PaHbXDjGvM0Vllmx/YAtuOKWna69GR8aqF7f/msAwp7YoLmqPUl6idurGqqyTNoiHCPxt//+vayPK02Vjc67W0gqBZTCcDb6/2To388Yx/yxuAf6g4JxTHO/z409pm1ZuToaKyyElTmeV+EoG7843QGYmJ2Sq94UH2FaZ1l9KANqblopVp+4OxE15BzRYX54piT0rvQlzj32vsmn9/X8/Njk+qpYlkYnMAHzCtTSe5sNt93fU19hZiwU4BF4qlF54AIz4vOUrFDYQ5AE7hjfTmqI+veaD84FLbF6iULNYXwSkFoPjXB/c3znV91eW5cX1ucD99eobaX4RzgxKxX1eWrj4/6ER0G2W7QHUFQ0DS4zOuRQE1g83/8seWIg4N4Co1oqUranAfTKoWKhK1OZjjAfv+DMUicT9y1AqJY3OsqDuqIYIJR9oJSIyTmSXfw2PnR10+MHevxuCPMr7+2qbJ4hjx4zj++KQ9dxes3wL5LMp3FPkBHSLSJuHRgz30bChFtrNcgXddUmxVlpunGRA0AcTxBErAZj37lo/4fvNrt4GnIkbVmZamGSJMdHsYThe8X/aszrn7byb/+7EZkWMO9SgjLPEXkYpZ/p8V+65aqRG/xp+DfArO2Kk/1wRjioTEJvEuuOHBqBLdfDjEV3HN5Qifaxv722bahKB/DZkFgxrSTyLpmveSOtfl3XVcbK0I1xaIE5eKByIHLwYErteZdDtrFPnONAxCLAUXIElZ3qP/FExMdAQ7LsOAHCI013c7w/+vlkc/1u2/eXLOhsQhKcsHGi3sS+GQ0aHY3m0+NBogWnuO7JkOnOyeQtjOWx/PCSzOW/oEx90sH+o/ZWSm8qzi+Uiv7wg1lq+vyIJmGAqH2Puf/7B9uc4XfHg6p3+pB8FVTTT5ALhwJv36gT6WUmQ1Id6q2GtWFVl0GDpEw4sMt41/4VYsMOm25xAKPZ7BsujWQuLbM/OWH1kM+BtiBzzgTd8WKs4uBYhpSbewGKOKRHiQB3vEGCON2+KIufxQE212hyhJDZbEpjql49DN727733giM1nqp5M4Gw3Ur860mFTrsHnT/9uBIV5DDcz8aj/50T+vXH1oNcbzaKD81HgQdIHXv2ck/tXngNpjYCsSfqNUqtKoZjTG2Rm+eHN+1sbS2zLK4U4zkrK29k/tPDP3ww1E/Q6wAmawt5DxPrTbJH7+pcsuakkKzdnEpEXsTOTAHB0R4noM54qXF5wBAqL7cqlMrzAbVi4dGTjijwh5H5MkkEEupkP7qrP+t1lN/cXfN1lUVEKPjGDMNQ4tPIXpEpsltq4s2n508MhmBoZxjqZ+81l1ZbFhRYU1+HuTgSWcA4AcoTVgiIQH7g9GDp0aeOeeSKYmzer5CAmyG4AXZNHa7oa7CCgz+xz1ddpaC6ruxbKS0yGg1qEcckb9/sTNKSUwqKappfG5n2R3X1voCYbs7CN8l4C/E+uJ8PepoAW4jLAfsRId4CgRT2MeT0Rf8gboizXcJ4iF+cAmgbNCpDHKJk0EOFQi1NLYgTZN+rUKCbKbos7HS6g5EfvdO97lBz4A9POoMfvPu2nyzFjskDPDwuZEffjCqUslQkOvOWu1nb61rrrZArw0pfHV9IfzI/vODMZDISuhTQ/5jLWPb1pTUFWmoNjcsz9gs+MLR/SdHAM9xYhIsxS5ianJjmwY4+bc4IghRKy1IcjhPtL6oAxA/6Q619U4+g6x2vT4WbmlzLoEA8gcbjHBbE520L4rf4k2XxAEx5/YlsU+8+SI4gLVXp5GXFeor8lTeSV+/N6OaO965RCrxUtJjPd6Qyyeho8V5BiInXsSD530LEBdOW+FAaF+Hi+hZpfSYjwk7PAq1rMisiUuQoQhzvnvixfd7TndOBsPRArMmZqKGsE3ZHIGfvdY5jIhhGvZmakep+uM31ZLaGOgr9oFkCZzrHXJ2OMLQYss5ftsKq0mvPNPr+OPBEVYpCzAUgrq21xmxO3lpf89bJ0bfOWM72mILMeyqastTr55v6bG39zuPdzs6nWFCIc1rJfTKCgMc40EYpFtkQ0G2L6QWsXtCNncIHmo4r1HK4I/dNertGXW3Dzj3tdrDRA9Nwy8sHIxOjrtPtE+8f2oMkHzj+hJ4k/31My0nx4PITupn+FKram2NVadRQK39nd+c6fchtRoxxz5yXfnWNaUxyZ0MDzm2ivJ1h0+PjgdRFkXiZfkiBdVcbQ5H2KPdziDuIQnIaJc92FRlLLakCKMIv/7w7CiEbMx4fK7ATUU0uqLCCL33vGcvY0N4sbX22l870PPLff0HxyP8tGd+phuCIfYvry361G312HOkbXQy3SKeFzmwiByYc+u4iM8RuxI5kMQByFAWg3rr6lKDVlF1sP+pkw4IWzDQzihnkxrjEOu+m6WePGVvGfIB/DY3l5UWGi5r9hJo4G+8pnzCHX7+xKQLUp6Ufq7Vc3a89cFrHKX5WplcOmH3HzhrgwTGUHR9i+PeASdSa9VVWk1a5ZDNc2ICAyJeVxjWiDv88ge9NSUGWH+hr84DkAOS5dI8Dfnrk6I+9DgycxMPrYExXwR5qMldZPynup34efa0IwQNq4Qg6NoVeaEw83/2DUc5Cv5qPKzUUgnuhJ7BydJPvd9fqBvRqOSFWuljdzYjevuZtzqdAQbFPMJh5trVBXfvrEMWsJ++0DLoZyF5+9gphmPDBFCEMh9iNPZKJSo/IpWhkW4qVE8M+onZmaOHxvzBYJiitP02b8ugh0IQNMfna6QlxYa4yAtdgtMbcnpC/aMepB2Pf7BdONHn3THqxdi3lWlf7vIibAnbFkz4f73U9s2HpPCMi6u4scVp67W3jwaQ2xy7ATeCsLHJkErMRjWTIaZr+iEX/g09vsMTOtU29tLBobd6fUE8cs4UpdhjrdJLPn5bxS1bKgstupgwf+GniC1EDiwuB0R4Xlx+ir0tgAOQSNbUFwJoC8xdf/Vqn0krx8Id07/O7gQIicxjkiMOkqN787nJj+2s2bKq5PIlhYCqFnWTPnFLPZAz5tYLAyXd5or8277hYp1UIZNMBhh7kEXecKzdnT4GVsyVZ23f+sz6VVXWjzocfpaEz2K3Abfp8262/ZCtTG2vM0r1KkllkWHdyqJKqwa1rTAojqM88K4GIMCvaswbHzlgE52/0uJEPxHwhPhe87SMXV9lRIKRUVcIYU5QHcug/53On4HMqUdHghQVQFTYej396Tv4UIT9sNN53s2AcwD1hjI9Yo5h/T3S5xxhULSDxHWTrFw0DfsCziNjGFKLQ2XtiFCBcFSjlDcUqN/u98F6Ds/zYUcISnU4hTndIX7KT29KhYHzp3omz3RMDo56XEF20MOMeGEUoIGvcF/vZKKI1NrSXHTT+sITY8GREMnTIpPT7/b5tM+d3rW5clNjoc8fgjngzVO2E7bQN28pB8k/fqOvoUjz7QdWwE0aWyUopeMoHufP/P8FW0Fz95Dz6Tc7T3S7WgIcUq9kcB+YevdYhi9X0X/9cPPqugIxI9j8WS22XHQOiPC86CwVO1wAB6AUhbvNJ29vri01fv+lzpOuSFx1nKkLYMlwlN/TE+y2d9w/7Ll+YxlANO7TNIUVme5c4Hn0BhV0RbHxaw+vXVc39PN9g+cmgnKlBBU+erwAvNhnRsVOKxj24etqgM3QASBfN7AEpKLRuny1SSnpnAx1OcMdbhrGWnl3oPb0ZJlRdgxljoHf0EzH8AJINj7mQ5YucpLncQ0RRnlSemOJOl8rd4bYzkkpvL0UCtnPPt2ETJwoh/Vuh7vNEyEP4iGFc9g0RHiOjbIKWWxrABW9VMpLYv53sQQvoEcpkyD2ukgnK9UrJrwRgCVOwpsa24zv3l/fWG7CJol4BuiJn1d5gTYYsSF5GvYA9gDr8UNCxgPILfiA1B5P9Mm9nbCot474+/xsiOUjAFKG06hk1xSrb6gzNlRbKwt1xXl6nIEO/I5e55Mn7AyBRwlc4TGPJ4fbqyx90MN3uCKTIU5NcavrrCWFxi115pW1+dClE9F8Ov9o7LHz+odsdmKIPukKfHhy8MWPhj8cCUbJnMwhCYPrxBL/xY2Wh26uhx/cHIWq5kWE2EjkwKVxQITnS+OfePdicAAxr9dvqljdUPAvT5/67TnU75sLarHAQrg862X73h169uDIn9/bcMPGisuxkgI1oQGF1fNjN9Rfv6n0X353/sf7hyBc6mNKaYw7LnrCQgkB7QePrbr1mgoUHgyE+ZEAJFsABHTC/Ge2l9y0pSoUjr55fPhX+wcO93mg1o5SdHsgBnIELPgClQSxT05fGMph+H+hZ4wRqb5q9LJv3lN3w8ZyEk1MUcFQBI7NkDwfvqURPtfwSgtEzp87aYcpN8zwjzQa/t9PrIX5d9IbcXtDOrUcplwowAl0QzaWwNMbgEuVFWif/dvrLXp5IEK9vL/rm6/0kzya0JxH2cZS/cYVBbHiUcAxYsO2GJQcg72IAsp1W5iFyxsk0bhhOA5zLpba2+2BUQJRzcEQA+G7qUT3yDVF920rhz8XiIk7CcAWDlEeibsfvLVx2H7q1cEgnkk8DiR0f4TqH4fOHDU4Kfhh/dMnm1bWFgDLESKfyFtyEXlpyAtES8793/auNDau6zrPm33fOZzhTpGiJJKiKNmyFFm2JW+NE0dxnCZN0iQFWqPogqI/gqBB/xVo2r8BgqRIkaDN0iJIgqZx6sRWrNiRJVuWbK3URorUcBkOZ9/XN0u/+x45Gu6LZ0RSOgOJ8/jmvbt8T5rvnnPP+Y47/I/fOz8e5+NyOZMiw8mlX+wpYDioFfpPL3U9d7ijOsFs6TvoLCFQfwSInuuPMfWwBgTwXWw3ab/xpcFHL4x+/9T0CjlXQmOMchJl7lay8MqPrr8yNHHieO9AJ1PAwGtjXtDlxogmYZ3bTfp/feXgX3xi1+3RwJnb4ZGpRCQP9zUHQbFn+i1H97XCiIfdD9ORaXzgb5nJhhlknFolwyauWa/66vO7vvB0992ZxIQ3dvaK9+yd2N04D17CxPc61CqFPJ3Jp8TQKZbLU+4zyb726Z6nH+sQ2mSTUilYwU3xxcEnLpHE0jBEhTmXSyg1jWhw7Og7hehy7LaCj2BEYzjMJAT5QZ4TYd4KpdOmxK/Q2GbsyxdwChSeyRfTKCRVhR7I1WFFMBlbGYCMYSsHwhm+UDLoVVwed7FkbvA92mo2yZ/oMBzcbe9qtUAKDYst9JdI5YY90SlP9M1rAa5Q+ssTu/u77D0t5q99ccD86s1fDoXSZcyIxYDxhbKyXOq1ql55ufvYo22wmIUpodt1v0SscNvETOLnZ9zfenNCIkc0+OrfclgcPN+i+erHu1FpjaLA1o073VAfBFb/h1uffqlVQmAhArDYbGbtS8d6Wxzm771683a0JEiX4Lu6wkrVt7CTsM6UUskPLqW+dfbsNz/d/OXnBkBRCrlIWdUXf6RjkS3Ao1DqwJ8TT7HWwH/gPrAmzK6KwxS/wkvcZ1NNhLOwDWGuwgjGS+weEWFiC88+2gpX9h+GvKcvz4xNRgY6TQadEhWmUTFCAk0PXF8o99iVPR0s37d6tVHNW2BK7ENLhTxh+JPBatVWJhsby3RGHBZUNVjMeJ7xM1zpsy+MGc5wLSM0NjyME7lb1cpi8O3Dc9BqUc2kMS4gLb0xk/4kX+xw6M0mdYRtiWMVInmhx/jXL+3pEVLO0NjsaMulH7058o2f34YRL1fKTnRAPh0Dwl/Jjhbrv/zN40fOj79xZtwXz0NT02LQHO53vHCovcmmYy3MjXC975gG/O5IDDv1vvvbv74znOdghc/tQyzXGCqplTo10mM9qGKCf3jG5a6j84TA/UeA6Pn+Y049roQALKojA83tLtOb58Z/c9F3MZIX4sWWvQWEgNRVZCX98xu+88PnvnC0ef8eF3KI1yghsmy7y3wADhD5A3Q1e8l8PgEn/tGA4/cjMVyXLErGpuOInKqEsIF5+WLRPR01GdTP7Gt6drDZF0rBsw1y9QZSosMbzcKr7rLpIYSyzCjYaeiKpFC3Y24pgpTlBYlCsOY1iAsXXPBY4sCjjrsq4+fKRSxlpEoZM5mZh4DLMN81o+rZFwp7qOU7G3Uzo1HmepZKhn1plNZw2XXPDDj+/ZwXq42SVHJpOn3rbrjNaYJXvLKSQDOJFA9u1mgVCBDDfjbM8NlmsR7gpC8+1v78gRY480GoqBFSkQ6ttDA3iNXf2YiFDfFoKnf7bvD1c5O/uhmLlaRqGZOfm/9w5rWGZZCcKz/fov3ME22HWBLB/RC9mTcC+oUQWBGBuf8zK15EHxIC9xMBfEfDjvniC70dzcaT70/9wZ1EDrG42bnUMARGEQRM3p5InfnJrT85EPr8k+3wNuMLd+VAs6VaW+Xc4q/7BWdgdB7Y7TjiGj/t5eFc/s8LgV3tloP9MoMGQV0ctmDd07GvfPtCv1P76UNNu9ssSJg2G9Ug++lgCglFYvdmTuJ0rqLFAUs3jECsuRKdulnNk8r4payYCEaDSwQTPJ9H4LbIxewa2PmgZx1XjiNpGpWtOQ4XVG5mB2VUqpAfbje8A3pmDoLSWCibzKDohQ4VL1676AugMU7ijvOvn/e4GnSIc1bDlSFhqqUeX/zScAjto5FmpXRPhwF+ERbhxSLmZpc1YPeaiHBhOxwLII8/cerC5HfOzuTKWK7BVp8VRJs3o6pfEA13xKEa7DC+dGyHaPpXfUiHhMCWQIDoeUs8BhrEYgSYGb2vhaUhXZ/57km3J1sqzKlVLL5YPAMPLKJz/+tyCHvDT++1IxEZ0lSQnkZo1QISXa6FGpznpE67/ivPdUf/b/RqlI/my//2m9GxqeieDqvZqJryJX/6hwlftuhzJ952Dw9YlV//7C6YbnDqhhN5SH2wXGmOc2ilbU4EKq30gjs6kZ9btUilUAETI9jn7ilh0qi1gTA64QxivO5xM87gNCK09Wp5LFeGZQzTm1WNRDmxuRcugNroQKdZIfPA0ERDwVzx7nQcIc0IUD8xaP/uez4mJy6Xnp5Mm9++i8AxV6MJ3vxpX+L01RkIruFx6Mqlj/dbsTdfc9tUWHWUEMGOmhYf3vS/dS34rh9lmlnku+AjmJvGondY9pBweanX+MLHWvd2N5gNmkWX0AlCYEsgQPS8JR4DDWJJBGBgdTZbHMzNq/ngVuCnHwTCjFdWoFrEIMNRy70f5s+8OXXoSvDlw66Bbhtc5Sa9ZqX7lux+QyfRP1zZhwdawIa/OTf1ljt5wTnkJwAAE6ZJREFUNZw//7sptcILqc6ZRB7BYvADw06GWNiBDkOLwwAT1x/NeMPISxJtvrLTqNjhXGUfFHvUopgJhglHO0Q9F8Qmw1IVRURxAbafQc/Mdw1bWsAPQEHAxGhQTuSy+BQGZyAO+3rWfBenDnO/waKFKKmPR6AZSlGVrk3Gjw6W4Iv+7LM9kUQOUi2M1yXcj4ciJ+/Ee5oNfI6/5s2wtG+p1CGXnOizvni0A/lpG8Jy4U0CJbOFBQ4Q6O7xxYbHI99/Z+qSN6OCgslqqzfMHbvvx5vUx/objgw2IUvt3g7Fwq7od0Jg8xEget78Z0AjWBkBkMHxg227O237e2w/Oz1xapJV0liBotEauAfG96VwfvTkxKGhwCNdZljS/V0NCKKuOFdX7vQjfgrD9MkDrR0u4+BNP4o9X/elQ4WSP1OGgxsto54VXL4vP+qAZxWqLBjSZCCJOCkWWi1lVIocJKd1pY1nNAItrSQPOmeh4kiOMukUC3wEAAn5z6BkvHB9FvQs8tvc3KAYimKd5UCWxWXLJJBJKcy/ABdCjaXdIA+EEKvNLGy3N8HjKiiWNBv//MU9auXwL64EU6yWFYes5ZmxGJzKoHgTV9prV3/xePvBPY1QM60dCzIHQCZXvDIWunxj5upY9K2pVKYo0VQV0pib3MJ3rEwgQfryPhtqbECqDFIn9+dfwsJx0O+EwJoRIHpeM1R04eYhgG/Spga2fwm/8eM3fL/6wAfqhR9zpRGx0GWWfPW7ifRvx1PHhiPP9oUGeuz4aoY/k/EVI0OYYnMRXiu1te7PsHzAqqKn3dpoNxzZ4/AGksFoZjqUDqQglilvNStRlxCB2S67XqSu6UDKn0QtDNzHqaSc0wQeF2Kyl+kZNAo5syze2EIF4p5SOKIXWM9sdpVGpMhfKs0zjpHVLZNatXIhHAzdlv3JgiheVukT4MDC7nZo3gvmYF4jfMwTxPYzL3IbZvfKib7DfYHrY5GrniT0u2HBtpgUg+2mlgYNfOAtjUbDbBHlSpMbORBnCf9/JMm7PeHrY+E3rvjPTaYKWI9gzivhBDub6b5Adey5Tv0nDzdBpQ7LhZpHJGxkVnQPIbAaAkTPqyFEn28ZBGAQ9+6wtzYa+rptr77jFgJ0maG84guRQpyszJ3xZIYCnt7L/r4W3bFHmpHeihKKdeLmynhAvVaDyqJXdDabwY48K+LIFgaYCEpuVEKdIcfhD6aCeUYkoFvEV7lsq5jOsIMRZQYPOf4DI2sKLUDSC43f8+8Kyw7IklReUOaqHLODMkuMbjapUGcKulzYc4aImEDV865CiQuHRc3zkBWTgNW88TzisNiqAoVCpNggN0BC/HB/E1RNRNMc18BFgTxuhJWt4uKY18/Kv5QSaRQg8f/+w+mhicRojIeznUW9rXzT3KcdaulnHnN+6mNtWNvdN/fJXOf0TghsHAGi541jR3fefwRACbB99+9SQf7iyRH/L9+ZeGMys2qqrLghjSoLZ4P586HcB+7kwR3ew72OwT0ueHfZLCoJu3WYEhYBCGlWK2e3fUGSC3gF3IacY/SM1Ca4lx1aSVPDmgo0CVHZjNPx+hl2uTOFBrsOupt7O22weitTge9a9G8LZwQHuuA2gF5ms12LnQK4o3FFJF/OgcOr0rhxPa4x66BYWsxkWSoXuoLeSFXLUq2K+QkqZ3BwL/u5+uw6j+fcG9JYKnfh5syF674LY/FrMUSFM6fIivEH93qCoNtfHbSfONre3WolIbB7uNDRNkGA6HmbPCgaZhUCMNFQR8h+UAtZ5q6Tt399KQBtyIWkV3V95RA8ja/3yzH+9uXwq5eDe5vcf/pM52CPgxVdWFMDlZY2ciCy8gJuRkOw4//2j/d+/tmeYW986G5kfCLSOL/S4uLOYPgiaAsb2DPMQw+7ljs1kT7rvqWQ8LlM6dVvPsvMRCkHRzriuSTCjnsStrGgNVZpDRa8y4J4b4yoVJZKoUqCROQ2WNVVDn/sPTdYNcdcqh2tlrZGXX+nBT5tUWRUbGexB2LxmUqPaz+AnwFe9NNXPP/xxth4NJ+VMrVztqhY0ZUtto+1CHTS+k2Kv/ty7xP7mjEFcQdh7b3TlYTAVkCA6HkrPAUaw7oRgOMUJI0N6b//woGXnor++PXhn1wMFvFNjNCkWXtypTbxXZ+RcJ6J1Gs/uH7UMfKpxxxI/kGAsVDNSEjPXenuGn8GPlMolE0N+GM4NsCSrFbtAASJPdTPHXR85y2PRKMoSqWo3Iw6ieWiQquTwt7FQmTWsY1LBVNUkPma1zACsx0mlapURiUqbbkAlh71Z/q6qjzkwtLh2KPtT+xv1WmgwFnlK5/XUg1+qcyaL5avj4ffv+z58bveu+ki2/NmpbXYHNbygs55k0b29Rc6MGaWbE0vQmDbIlDt9dq2k6CBP/QIQGLz3PWZ/3179JovdwfpwGsxpSuglSXxTFEjLX/pEcdXnu50OQyQEBFlLCuXbLUDRmacNBTPnHz37oWbvlCSFxWzMU61VvXDf3gKpIzEp//+/cjbH0xpBbUQ7Lt+/Uv7OppM1dbtdCDx2wuTEL90mDVWk7rTod+UkGY8PuzNp9L5senoz89M/uL8TFomW0s8duW5YE+/QS7pMSsf3235zPGdkDarnmblMjogBLYRAkTP2+hh0VBXQSCeyt0YC7z27sTFicTdVFlwh65yS+VjfL9DsdKukj3Vpjsy6NzfZWtCJJEQDg2qW+yRrty4uQcICoMTOI0MaEFRBLHZ8CDACseo8BF0LvO5AkuLFupjQhsEUWmbO+Dq3sHK2ClHJS5PIHnxlve962FE8IWRYy3a6WsG3SHnukyK43vtRwebEYVHNS2qQabj7YsA0fP2fXY08iUQgBM0ksicH/JcvRP5YCw2FC2khdzgJS5d+hT8w6VsrtBlUX1uv/1gr8Np05mMGqN2NtNJ9LGumTiW7qOuZ2sSmVXXEaJxVKtMpPMoeQnJ8dc/9P7PNZTHZBrgqyTLLRwWp+Ekx5rVAzvMj/U19u5AXjvt1i3EiH7fvggQPW/fZ0cjXxYBGI5w/A67Q+9d84kknSnB4b3GrVOmSoUMYNR6alRK9zs1e3dYoG0JxcoWO0uZZY7vrczPy6KyyR9UPNiBWMbtiVwcDt/wpt73oEA2q1a5LgcFnk+jQjrQqH58t+2R3kaowlFg9iY/Xeq+DggQPdcBVGpyayAAPoBxNjoVueWOQJP5HX+e1XRaJ7MiuRhyWzoZd7zL+IlBB/zDrga91ayxGGCqMUexuA28zla3BkB1HkXFjoetHI5lApGUP5we9cRP3Y586M2kswW1BrnR60MOmmRGOfdij3Gw29rdZt7VYV+Q1lXnOVHzhMD9Q4Do+f5hTT1tCgKCZEcONRyvDgdPXvbfQJmKAqpQro8VsDONkGCMf6dettuh6WjU7mwxtbaYm6xa6Hcii6muUc2bgttH7BSwQ9cMSdJ3ZxIeb2xkKjYykx6J8t4Mk2aBNvq6zGUMBtopnRrZwTb94wONvZ02KLFroWW6vsf4EedEtxMC9xUBouf7Cjd1tlkIwJJjZQcDSdRzfPuq/7XheAq5vhv6coc9jdZsavmgU9Pr1DrM6maX0W7VdjmNYl2mSg7QhprfLIQ23m+1/4B5LCKZCX/C70/4wmlPKHPZmxkO5eJ8kVnKa1X6mh0MlkR4SAjq7reoPjVgHdhpRwURQfyLiHnjz4vu3C4IED1vlydF46wBAiCPPF+MxLPDE+GzV7zvjCVHwBtryJNe3DcoGidRvsIilzRqpA06RYdD29pk7HHpUQpJq1FCBBu6Hw88Q4ObIS8KQxlxXnemYren4pPeuCeSD6QLvmwpLrgc4HrYwEoICKvLkgMNqif7bB/b60QBb51QM5syphb/a6QzDyQCRM8P5GOlSa2EAIgV4pDJVG4mnLowNPPT876roSzEpefuqVi/cydWe6+4vrEt2qGXoyyEWaeAxlaT09jqNHQ2GlFOqkIqYuvbi7aZfSzU66gggVl4Q6m707GJQHLaG58JZwIJ3hPnPdlyWiwsLYXE18ZmyUE9FBliT7fp/ux4e0+7zWJUQ6MUQXmV3umAEHgYECB6fhieMs1xaQRgTCPvFmbfe0Pe0xen3hjPpfF7LdKcUVwapRyVEolRWnaYVR1Nhv4O874OE3Ss1GqFTiVfXJsBhFfNZgt+XXoC9+usuJGczvHZbOGON46aUUOTcU8wHUoV8yVJhivzEm59UjBLjRyrHMiO7jcrD+0wPH+4bW+3A5QMUq6sbJa6ic4RAg8sAkTPD+yjpYmtC4FMjkdc8e/OT3zr1GSyIutZTZjrau7exfgvVmLlnMA9Zc4kKew0Kdtc+g6XwWFStzn1PS4jOLtSPlI0OHELuEpwCDOTcYNW6L0xLHskmMX3PgURCj57nGEu64lAamQ65gumJqfjbn/aHc5NpYtplMliQqHlMt5qgA/rHRHwqAvy8Q79559sG9jVaDNqyFa+91To6GFFgOj5YX3yNO+lEAA5oUTSxRveSyPBmxOxO7GiP1tCEBkIskZMJORUFyX5fAFKXyhHodMqW4yKdot6T4Omu8XQZtMgvkyBcpNyCHHL4HKHzhfiwsVaznAXi1TNCkPP0fYKHCns/M7qVbMVguBYF9+wYsjxkNIs4GcGtSj5AhYooUR+fDo+7EvjjzuS82cKmWwBg8QmOn7WkDLZdoCkbJSyvYAuh6av3XSor7G71aJRzSt+tdQjonOEwMOCANHzw/KkaZ5rRwA0hs1pOL1vuUPvXvMNTycDKd7PS4I5qJVsMN57Ue9M/IRxFH4KLIqKyyJ9qstlHVe2aORGtdyqlen1Suy8WvRKhUJq0Smgjw3fOApUqEHeKsbcmmWs2HyJ44vFXL6YRcHKLIgWRSH5eIZPpEDKpXgyF8sVo7FcPFtM8KVwhs9IZCibIZOWORSeZlvNYvoTjgVWXzSBDZxAQ1qOc6ilFqXUZZBD7evxfU0o4I0cqRpy/wYGRrcQAlsQAaLnLfhQaEhbCAHYlJO++Ph0zO1NTPhTo77Mu8EcTE/wYq3s6SVnCyZj9F0qw7LFBawUJHbKBQJHhhLOSJmLmRnTbIN2KQblyxzKMuLKQkHg1+rbcasUUtzsdsxj1iRfchy1OMls5VK5WSvrc2m7beoWh67dZehus9pNGsoXrwXA1MaDiQDR84P5XGlWtUUAQWTIvo0mstAgGxmPeoIpdzDri/PuZAG5Q2Cf+nL1vckItqxozQokzTpnMWXiqXvXYUjC53NnIDw++zsHURDhlrmP6vCODoRxSZwKrt0gb7aqW2zqribDznary64X8qNIGLUOuFOTDxYCRM8P1vOk2dQfAQQxhaJpSFSGotlgNHNnOnFhLH45itMSJh5WV5u6/rP7KD3AUQ+/AnzjeoX0aLtuX7MOjmubWW01ahptOuypkwf7o8BL9z5sCBA9P2xPnOZbGwSEeGwWb4wtan845Q2mpgMpeL9nYvmRcN6dLojdzNmstel0q7XCzPAiqx1ikUsR5NVuVbXaNfBdO61aKJPbLVqDVokCl+TB3moPjsazLRAget4Wj4kGuaURgCM3xxfSWURd5fEzmcl7kZI0FTs3nrjky6bzRdjUgmE9Gw62pSezyuCYc0CUDYFHH0FeRzv0g+2mHS6D2ajSa5VQIMdPUhFZBUX6mBBYAwJEz2sAiS4hBNaMQMWqzjKe5kOxNGzrqUDGH8kgVWkmlL2R4HNFZnZCEHQDlSHWPJCNX8gGJ2ikwFnNgrpYWBrGyrnU0i6TotmucZqUrQ06h03baNWZ9CoEk6uRCyYEkJOEiAAe/SAEaoAA0XMNQKQmCIElEQC5CcJkLKyMLxQh9w35LSh+T/mTo4H0ldvBM55UsihlceBMs4SDcKWQxSTEfy3ZYn1PzlrGWDdkcwUEdiO6e5dBcbDbvLdFv6PZ2GBh5bmQjY1xqhTsYyUrc0Fam/V9KtT6Q4sA0fND++hp4puAAAi7xHKnQdtlUDU84fFkFqW0QtFMJJ4LRDOxdCEQzyPN2hfLQ786USginApX4hY5C3ZGKjOqYTLLWyKIWouWLj6tkCQzdYWXGKktUr2YYYXLwKyiaxoyI/C347xNKevUy+16eYNeYdYrLQal1ah22rVmgxqWsR4J1oyKEZqOlGi0i/fZ9umNECAE6ooA0XNd4aXGCYG1IgCiFd3IjIvL2N8tie5xbzABfU1vLBcIZ8LRTJCXTAUznkQ+ksPl5XQesuGsViPSoNET/NAIxIKIKE6WOZlOyQxcJce59LJGi6bFoDAruUaHvsGkNhpUFrWswaJTq+QorgVTWEiAZmokZBCv9ZnRdYRAPREgeq4nutQ2IVBrBLC3nS8wyxuGL15QBoUqJzrBGV7Y0sYx6ljC5sYftYL9hAMaG8M4YGlfZPvW+olQe4RAnRAgeq4TsNQsIUAIEAKEACGwcQQqO1Ybb4LuJAQIAUKAECAECIHaIkD0XFs8qTVCgBAgBAgBQqAGCBA91wBEaoIQIAQIAUKAEKgtAkTPtcWTWiMECAFCgBAgBGqAANFzDUCkJggBQoAQIAQIgdoiQPRcWzypNUKAECAECAFCoAYIED3XAERqghAgBAgBQoAQqC0CRM+1xZNaIwQIAUKAECAEaoAA0XMNQKQmCAFCgBAgBAiB2iJA9FxbPKk1QoAQIAQIAUKgBggQPdcARGqCECAECAFCgBCoLQL/D8GplVHwMegcAAAAAElFTkSuQmCC"/>
 </defs>

From f4afdf0541eb348d8812e84134bf1af136e44510 Mon Sep 17 00:00:00 2001
From: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
Date: Mon, 4 May 2026 14:59:27 +0100
Subject: [PATCH 13/29] chore(ui): decrement changelog entry version to 1.25.2
 (#10974)


From 269e51259dc1dadf9e975859fbd7d03b020d44b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= <ruben@prowler.com>
Date: Mon, 4 May 2026 17:24:09 +0200
Subject: [PATCH 14/29] docs: add troubleshooting guide for stuck scans after
 worker crash (#10938)

---
 docs/troubleshooting.mdx | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/docs/troubleshooting.mdx b/docs/troubleshooting.mdx
index a6a28c0ad6..9d60c57321 100644
--- a/docs/troubleshooting.mdx
+++ b/docs/troubleshooting.mdx
@@ -159,6 +159,40 @@ When these environment variables are set, the API will use them directly instead
 A fix addressing this permission issue is being evaluated in [PR #9953](https://github.com/prowler-cloud/prowler/pull/9953).
 </Note>
 
+### Scan Stuck in Executing State After Worker Crash
+
+When running Prowler App via Docker Compose, a scan may remain indefinitely in the `executing` state if the worker process crashes (for example, due to an Out of Memory condition) before it can update the scan status. Since it is not currently possible to cancel a scan in `executing` state through the UI, the workaround is to manually update the scan record in the database.
+
+**Root Cause:**
+
+The Celery worker process terminates unexpectedly (OOM, node failure, etc.) before transitioning the scan state to `completed` or `failed`. The scan record remains in `executing` with no active process to advance it.
+
+**Solution:**
+
+Connect to the database using the `prowler_admin` user. Due to Row-Level Security (RLS), the default database user cannot see scan records — you must use `prowler_admin`:
+
+```bash
+psql -U prowler_admin -d prowler_db
+```
+
+Identify the stuck scan by filtering for scans in `executing` state:
+
+```sql
+SELECT id, name, state, started_at FROM scans WHERE state = 'executing';
+```
+
+Update the scan state to `failed` using the scan ID:
+
+```sql
+UPDATE scans SET state = 'failed' WHERE id = '<scan-id>';
+```
+
+After this change, the scan will appear as failed in the UI and you can launch a new scan.
+
+<Note>
+A feature to cancel executing scans directly from the UI is being tracked in [GitHub Issue #6893](https://github.com/prowler-cloud/prowler/issues/6893).
+</Note>
+
 ### SAML/OAuth ACS URL Incorrect When Running Behind a Proxy or Load Balancer
 
 See [GitHub Issue #9724](https://github.com/prowler-cloud/prowler/issues/9724) for more details.

From 0dd8981ee450fcfee3a33313faec33e69d6e4b57 Mon Sep 17 00:00:00 2001
From: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Date: Mon, 4 May 2026 17:47:39 +0200
Subject: [PATCH 15/29] feat: add issue template for creating new checks
 (#10976)

---
 .github/ISSUE_TEMPLATE/new-check-request.yml | 143 +++++++++++++++++++
 docs/developer-guide/checks.mdx              |  24 +++-
 2 files changed, 162 insertions(+), 5 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/new-check-request.yml

diff --git a/.github/ISSUE_TEMPLATE/new-check-request.yml b/.github/ISSUE_TEMPLATE/new-check-request.yml
new file mode 100644
index 0000000000..6c6687e14f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/new-check-request.yml
@@ -0,0 +1,143 @@
+name: "🔎 New Check Request"
+description: Request a new Prowler security check
+title: "[New Check]: "
+labels: ["feature-request", "status/needs-triage"]
+
+body:
+  - type: checkboxes
+    id: search
+    attributes:
+      label: Existing check search
+      description: Confirm this check does not already exist before opening a new request.
+      options:
+        - label: I have searched existing issues, Prowler Hub, and the public roadmap, and this check does not already exist.
+          required: true
+
+  - type: markdown
+    attributes:
+      value: |
+        Use this form to describe the security condition that Prowler should evaluate.
+
+        The most useful inputs for [Prowler Studio](https://github.com/prowler-cloud/prowler-studio) are:
+        - What should be detected
+        - What PASS and FAIL mean
+        - Vendor docs, API references, SDK methods, CLI commands, or reference code
+
+  - type: dropdown
+    id: provider
+    attributes:
+      label: Provider
+      description: Cloud or platform this check targets.
+      options:
+        - AWS
+        - Azure
+        - GCP
+        - Kubernetes
+        - GitHub
+        - Microsoft 365
+        - OCI
+        - Alibaba Cloud
+        - Cloudflare
+        - MongoDB Atlas
+        - Google Workspace
+        - OpenStack
+        - Vercel
+        - NHN
+        - Other / New provider
+    validations:
+      required: true
+
+  - type: input
+    id: other_provider_name
+    attributes:
+      label: New provider name
+      description: Only fill this if you selected "Other / New provider" above.
+      placeholder: "NewProviderName"
+    validations:
+      required: false
+
+  - type: input
+    id: service_name
+    attributes:
+      label: Service or product area
+      description: Optional. Main service, product, or feature to audit.
+      placeholder: "s3, bedrock, entra, repository, apiserver"
+    validations:
+      required: false
+
+  - type: input
+    id: suggested_check_name
+    attributes:
+      label: Suggested check name
+      description: Optional. Use `snake_case` following `<service>_<resource>_<best_practice>`, with lowercase letters and underscores only.
+      placeholder: "bedrock_guardrail_sensitive_information_filter_enabled"
+    validations:
+      required: false
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Context and goal
+      description: Describe the security problem, why it matters, and what this new check should help detect.
+      placeholder: |-
+        - Security condition to validate:
+        - Why it matters:
+        - Resource, feature, or configuration involved:
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected_behavior
+    attributes:
+      label: Expected behavior
+      description: Explain what the check should evaluate and what PASS, FAIL, or MANUAL should mean.
+      placeholder: |-
+        - Resource or scope to evaluate:
+        - PASS when:
+        - FAIL when:
+        - MANUAL when (if applicable):
+        - Exclusions, thresholds, or edge cases:
+    validations:
+      required: true
+
+  - type: textarea
+    id: references
+    attributes:
+      label: References
+      description: Add vendor docs, API references, SDK methods, CLI commands, endpoint docs, sample payloads, or similar reference material.
+      placeholder: |-
+        - Product or service documentation:
+        - API or SDK reference:
+        - CLI command or endpoint documentation:
+        - Sample payload or response:
+        - Security advisory or benchmark:
+    validations:
+      required: true
+
+  - type: dropdown
+    id: severity
+    attributes:
+      label: Suggested severity
+      description: Your best estimate. Reviewers will confirm during triage.
+      options:
+        - Critical
+        - High
+        - Medium
+        - Low
+        - Informational
+        - Not sure
+    validations:
+      required: true
+
+  - type: textarea
+    id: implementation_notes
+    attributes:
+      label: Additional implementation notes
+      description: Optional. Add permissions, unsupported regions, config knobs, product limitations, or anything else that may affect implementation.
+      placeholder: |-
+        - Required permissions or scopes:
+        - Region, tenant, or subscription limitations:
+        - Configurable behavior or thresholds:
+        - Other constraints:
+    validations:
+      required: false
diff --git a/docs/developer-guide/checks.mdx b/docs/developer-guide/checks.mdx
index 956dc293d1..c5dacc72d9 100644
--- a/docs/developer-guide/checks.mdx
+++ b/docs/developer-guide/checks.mdx
@@ -27,14 +27,28 @@ The most common high level steps to create a new check are:
 
 ### Naming Format for Checks
 
-Checks must be named following the format: `service_subservice_resource_action`.
+If you already know the check name when creating a request or implementing a check, use a descriptive identifier with lowercase letters and underscores only.
+
+Recommended patterns:
+
+- `<service>_<resource>_<best_practice>`
 
 The name components are:
 
-- `service` – The main service being audited (e.g., ec2, entra, iam, etc.)
-- `subservice` – An individual component or subset of functionality within the service that is being audited. This may correspond to a shortened version of the class attribute accessed within the check. If there is no subservice, just omit.
-- `resource` – The specific resource type being evaluated (e.g., instance, policy, role, etc.)
-- `action` – The security aspect or configuration being checked (e.g., public, encrypted, enabled, etc.)
+- `service` – The main service or product area being audited (e.g., ec2, entra, iam, bedrock).
+- `resource` – The resource, feature, or configuration being evaluated. It can be a single word or a compound phrase joined with underscores (e.g., instance, policy, guardrail, sensitive_information_filter).
+- `best_practice` – The expected secure state or best practice being checked (e.g., enabled, encrypted, restricted, configured, not_publicly_accessible).
+
+Additional guidance:
+
+- Use underscores only. Do not use hyphens.
+- Keep the name specific enough to describe the behavior of the check.
+- The first segment should match the service or product area whenever possible.
+
+Examples:
+
+- `s3_bucket_versioning_enabled`
+- `bedrock_guardrail_sensitive_information_filter_enabled`
 
 ### File Creation
 

From 02f43a7ad62a2482fe069506cfd90863430bc5e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= <ruben@prowler.com>
Date: Mon, 4 May 2026 17:51:02 +0200
Subject: [PATCH 16/29] docs: add Prowler Studio page and remove check-kreator
 pages (#10981)

---
 docs/developer-guide/prowler-studio.mdx       | 131 ++++++++++++++++++
 docs/docs.json                                |   3 +-
 .../cli/tutorials/prowler-check-kreator.mdx   |  47 -------
 .../tutorials/prowler-check-kreator.mdx       |  51 -------
 4 files changed, 133 insertions(+), 99 deletions(-)
 create mode 100644 docs/developer-guide/prowler-studio.mdx
 delete mode 100644 docs/user-guide/cli/tutorials/prowler-check-kreator.mdx
 delete mode 100644 docs/user-guide/tutorials/prowler-check-kreator.mdx

diff --git a/docs/developer-guide/prowler-studio.mdx b/docs/developer-guide/prowler-studio.mdx
new file mode 100644
index 0000000000..a4a2a609b5
--- /dev/null
+++ b/docs/developer-guide/prowler-studio.mdx
@@ -0,0 +1,131 @@
+---
+title: 'Prowler Studio'
+---
+
+**Prowler Studio is an AI workflow that ensures Claude Code follows Prowler's skills, guardrails, and best practices when creating new security checks.** What lands in the resulting pull request is consistent, tested, and ready for human review — not half-correct boilerplate that needs to be rewritten.
+
+<Info>
+**Contributor Tool**: Prowler Studio is a workflow for advanced contributors adding new Prowler security checks. It is not part of Prowler Cloud, Prowler App, or Prowler CLI.
+</Info>
+
+<Warning>
+**Preview Feature**: Prowler Studio is under active development and breaking changes are expected. Please report issues or share feedback on [GitHub](https://github.com/prowler-cloud/prowler-studio/issues) or in the [Slack community](https://goto.prowler.com/slack).
+</Warning>
+
+<Card title="Prowler Studio Repository" icon="github" href="https://github.com/prowler-cloud/prowler-studio" horizontal>
+  Clone the source code, install Prowler Studio, and explore the agent workflow in detail.
+</Card>
+
+## The Problem
+
+Adding a new check to [Prowler](https://github.com/prowler-cloud/prowler) is more than writing detection logic. A correct check has to:
+
+- Match Prowler's exact service and check folder structure and naming conventions
+- Wire up metadata, severity, remediation, tests, and compliance mappings
+- Mirror the patterns used by the hundreds of existing checks in the same provider
+- Actually load when Prowler scans for available checks — silent structural mistakes are easy to make
+
+Asking a general-purpose AI assistant to do this usually means guessing. It misses conventions, skips tests, or invents structure that looks right but does not load. The result is a half-correct PR that needs to be reviewed line by line or rewritten.
+
+## The Solution
+
+Prowler Studio enforces the workflow end-to-end. Describe the check once — a markdown ticket, a Jira issue, or a GitHub issue — and the workflow:
+
+1. **Loads Prowler-specific skills into every agent.** Every step starts with the same context an experienced Prowler engineer would have in mind. See [AI Skills System](/developer-guide/ai-skills) for how skills are structured.
+2. **Runs specialized agents in sequence.** Implementation → testing → compliance mapping → review → PR creation. Each agent has one job and a tight scope.
+3. **Verifies as it goes.** The check must load in Prowler. Tests must pass. If something fails, the agent fixes it and re-runs (up to a bounded number of attempts) before moving on.
+4. **Produces a complete pull request.** Branch, passing check, tests, compliance mappings, and a pull request waiting for human review.
+
+The result is a consistent starting point, every time, on every supported provider.
+
+## Quick Start
+
+### Install
+
+Prowler Studio requires [`uv`](https://docs.astral.sh/uv/getting-started/installation/) — see the official [installation guide](https://docs.astral.sh/uv/getting-started/installation/).
+
+```bash
+git clone https://github.com/prowler-cloud/prowler-studio
+cd prowler-studio
+uv sync
+source .venv/bin/activate
+```
+
+### Describe the Check
+
+A ticket is a structured markdown description of the check to create. It is the only input the workflow needs; every agent (implementation, testing, compliance mapping, review, PR creation) uses it as the source of truth, so the more concrete it is, the closer the first PR will land to the desired outcome.
+
+The ticket can be supplied in three ways:
+
+- **Local markdown file** → `--ticket path/to/ticket.md`
+- **Jira issue** → `--jira-url https://...` (uses the issue body)
+- **GitHub issue** → `--github-url https://...` (uses the issue body)
+
+The content should follow the **New Check Request** template:
+
+- The local copy at [`check_ticket_template.md`](https://github.com/prowler-cloud/prowler-studio/blob/main/check_ticket_template.md) covers `--ticket` and Jira tickets.
+- A prefilled GitHub form is also available: [Create a New Check Request issue](https://github.com/prowler-cloud/prowler/issues/new?template=new-check-request.yml).
+
+Sections marked *Optional* can be skipped; everything else helps the agents make the right decisions.
+
+### Run the Workflow
+
+From a local markdown ticket:
+
+```bash
+prowler-studio --ticket check_ticket.md
+```
+
+From a Jira ticket:
+
+```bash
+prowler-studio --jira-url https://mycompany.atlassian.net/browse/PROJ-123
+```
+
+From a GitHub issue:
+
+```bash
+prowler-studio --github-url https://github.com/owner/repo/issues/123
+```
+
+<Note>
+Provide exactly one of `--ticket`, `--jira-url`, or `--github-url`.
+</Note>
+
+Keep changes local (no push, no pull request):
+
+```bash
+prowler-studio -b feat/my-check --ticket check_ticket.md --local
+```
+
+### What You Get
+
+After a successful run the working environment contains:
+
+- A new branch on a clean Prowler worktree containing the check, metadata, tests, and compliance mappings
+- A pull request opened against Prowler (skipped with `--local`)
+- A timestamped log file under `logs/` capturing every step the agents took
+
+## CLI Options
+
+| Option | Short | Description |
+|--------|-------|-------------|
+| `--branch` | `-b` | Branch name (default: `feat/<ticket>-<check_name>` or `feat/<check_name>`) |
+| `--ticket` | `-t` | Path to a markdown check ticket file |
+| `--jira-url` | `-j` | Jira ticket URL (e.g., `https://mycompany.atlassian.net/browse/PROJ-123`) |
+| `--github-url` | `-g` | GitHub issue URL (e.g., `https://github.com/owner/repo/issues/123`) |
+| `--working-dir` | `-w` | Working directory for the Prowler clone (default: `./working`) |
+| `--no-worktree` |  | Legacy mode — work directly on the main clone instead of using worktrees |
+| `--cleanup-worktree` |  | Remove the worktree after a successful pull request is created |
+| `--local` |  | Keep changes local — skip push and pull request creation |
+
+## Configuration
+
+Set these environment variables depending on the input source:
+
+| Variable | When Needed | Purpose |
+|----------|-------------|---------|
+| `GITHUB_TOKEN` | `--github-url` (recommended) | Higher GitHub API rate limits and access to private issues |
+| `JIRA_SITE_URL` | `--jira-url` | Jira site, e.g. `https://mycompany.atlassian.net` |
+| `JIRA_EMAIL` | `--jira-url` | Email of the Jira account used to fetch the ticket |
+| `JIRA_API_TOKEN` | `--jira-url` | API token for the Jira account |
diff --git a/docs/docs.json b/docs/docs.json
index aee4e3259a..e9c8cc9347 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -365,7 +365,8 @@
               "developer-guide/security-compliance-framework",
               "developer-guide/lighthouse-architecture",
               "developer-guide/mcp-server",
-              "developer-guide/ai-skills"
+              "developer-guide/ai-skills",
+              "developer-guide/prowler-studio"
             ]
           },
           {
diff --git a/docs/user-guide/cli/tutorials/prowler-check-kreator.mdx b/docs/user-guide/cli/tutorials/prowler-check-kreator.mdx
deleted file mode 100644
index e6c708a212..0000000000
--- a/docs/user-guide/cli/tutorials/prowler-check-kreator.mdx
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: 'Prowler Check Kreator'
----
-
-<Note>
-Currently, this tool is only available for creating checks for the AWS provider.
-
-</Note>
-<Note>
-If you are looking for a way to create new checks for all the supported providers, you can use [Prowler Studio](https://github.com/prowler-cloud/prowler-studio), it is an AI-powered toolkit for generating and managing security checks for Prowler (better version of the Check Kreator).
-
-</Note>
-## Introduction
-
-**Prowler Check Kreator** is a utility designed to streamline the creation of new checks for Prowler. This tool generates all necessary files required to add a new check to the Prowler repository. Specifically, it creates:
-
-- A dedicated folder for the check.
-- The main check script.
-- A metadata file with essential details.
-- A folder and file structure for testing the check.
-
-## Usage
-
-To use the tool, execute the main script with the following command:
-
-```bash
-python util/prowler_check_kreator/prowler_check_kreator.py <prowler_provider> <check_name>
-```
-
-Parameters:
-
-- `<prowler_provider>`: Currently only AWS is supported.
-- `<check_name>`: The name you wish to assign to the new check.
-
-## AI integration
-
-This tool optionally integrates AI to assist in generating the check code and metadata file content. When AI assistance is chosen, the tool uses [Gemini](https://gemini.google.com/) to produce preliminary code and metadata.
-
-<Note>
-For this feature to work, you must have the library `google-generativeai` installed in your Python environment.
-
-</Note>
-<Warning>
-AI-generated code and metadata might contain errors or require adjustments to align with specific Prowler requirements. Carefully review all AI-generated content before committing.
-
-</Warning>
-To enable AI assistance, simply confirm when prompted by the tool. Additionally, ensure that the `GEMINI_API_KEY` environment variable is set with a valid Gemini API key. For instructions on obtaining your API key, refer to the [Gemini documentation](https://ai.google.dev/gemini-api/docs/api-key).
diff --git a/docs/user-guide/tutorials/prowler-check-kreator.mdx b/docs/user-guide/tutorials/prowler-check-kreator.mdx
deleted file mode 100644
index 253f659814..0000000000
--- a/docs/user-guide/tutorials/prowler-check-kreator.mdx
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: 'Prowler Check Kreator'
----
-
-<Note>
-Currently, this tool is only available for creating checks for the AWS provider.
-
-</Note>
-
-<Note>
-If you are looking for a way to create new checks for all the supported providers, you can use [Prowler Studio](https://github.com/prowler-cloud/prowler-studio), it is an AI-powered toolkit for generating and managing security checks for Prowler (better version of the Check Kreator).
-
-</Note>
-
-## Introduction
-
-**Prowler Check Kreator** is a utility designed to streamline the creation of new checks for Prowler. This tool generates all necessary files required to add a new check to the Prowler repository. Specifically, it creates:
-
-- A dedicated folder for the check.
-- The main check script.
-- A metadata file with essential details.
-- A folder and file structure for testing the check.
-
-## Usage
-
-To use the tool, execute the main script with the following command:
-
-```bash
-python util/prowler_check_kreator/prowler_check_kreator.py <prowler_provider> <check_name>
-```
-
-Parameters:
-
-- `<prowler_provider>`: Currently only AWS is supported.
-- `<check_name>`: The name you wish to assign to the new check.
-
-## AI integration
-
-This tool optionally integrates AI to assist in generating the check code and metadata file content. When AI assistance is chosen, the tool uses [Gemini](https://gemini.google.com/) to produce preliminary code and metadata.
-
-<Note>
-For this feature to work, you must have the library `google-generativeai` installed in your Python environment.
-
-</Note>
-
-<Warning>
-AI-generated code and metadata might contain errors or require adjustments to align with specific Prowler requirements. Carefully review all AI-generated content before committing.
-
-</Warning>
-
-To enable AI assistance, simply confirm when prompted by the tool. Additionally, ensure that the `GEMINI_API_KEY` environment variable is set with a valid Gemini API key. For instructions on obtaining your API key, refer to the [Gemini documentation](https://ai.google.dev/gemini-api/docs/api-key).

From f314725f4d83d5e9c5c3cf63609698465f833df9 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga <pepe@prowler.com>
Date: Mon, 4 May 2026 18:11:38 +0200
Subject: [PATCH 17/29] fix(k8s): deduplicate RBAC findings by unique subject
 (#10242)

Co-authored-by: Andoni A. <14891798+andoniaf@users.noreply.github.com>
---
 prowler/CHANGELOG.md                          |  8 ++++
 .../rbac_minimize_csr_approval_access.py      | 40 +++++++++++--------
 ..._minimize_node_proxy_subresource_access.py | 36 +++++++++++------
 .../rbac_minimize_pv_creation_access.py       | 37 +++++++++++------
 ...minimize_service_account_token_creation.py | 36 +++++++++++------
 .../rbac_minimize_webhook_config_access.py    | 40 +++++++++++--------
 6 files changed, 128 insertions(+), 69 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 589f76323c..5bb7da487f 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -32,6 +32,14 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ---
 
+## [5.25.2] (Prowler v5.25.2)
+
+### 🐞 Fixed
+
+- Duplicate Kubernetes RBAC findings when the same User or Group subject appeared in multiple ClusterRoleBindings [(#10242)](https://github.com/prowler-cloud/prowler/pull/10242)
+
+---
+
 ## [5.25.1] (Prowler v5.25.1)
 
 ### 🐞 Fixed
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
index f2527b4606..17e56add55 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
@@ -11,24 +11,32 @@ resources = ["certificatesigningrequests/approval"]
 class rbac_minimize_csr_approval_access(Check):
     def execute(self) -> Check_Report_Kubernetes:
         findings = []
+        # Collect unique subjects and the ClusterRole names bound to them
+        subjects_bound_roles = {}
         for crb in rbac_client.cluster_role_bindings.values():
             for subject in crb.subjects:
+                # CIS benchmarks scope these checks to human identities only
                 if subject.kind in ["User", "Group"]:
-                    report = Check_Report_Kubernetes(
-                        metadata=self.metadata(), resource=subject
-                    )
-                    report.status = "PASS"
-                    report.status_extended = f"User or group '{subject.name}' does not have access to update the CSR approval sub-resource."
-                    for cr in rbac_client.cluster_roles.values():
-                        if cr.metadata.name == crb.roleRef.name:
-                            if is_rule_allowing_permissions(
-                                cr.rules,
-                                resources,
-                                verbs,
-                            ):
-                                report.status = "FAIL"
-                                report.status_extended = f"User or group '{subject.name}' has access to update the CSR approval sub-resource."
-                                break
-                    findings.append(report)
+                    key = (subject.kind, subject.name, subject.namespace)
+                    if key not in subjects_bound_roles:
+                        subjects_bound_roles[key] = (subject, set())
+                    subjects_bound_roles[key][1].add(crb.roleRef.name)
+
+        cluster_roles_by_name = {
+            cr.metadata.name: cr for cr in rbac_client.cluster_roles.values()
+        }
+        for _, (subject, role_names) in subjects_bound_roles.items():
+            report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject)
+            report.resource_name = f"{subject.kind}:{subject.name}"
+            report.resource_id = f"{subject.kind}/{subject.name}"
+            report.status = "PASS"
+            report.status_extended = f"User or group '{subject.name}' does not have access to update the CSR approval sub-resource."
+            for role_name in role_names:
+                cr = cluster_roles_by_name.get(role_name)
+                if cr and is_rule_allowing_permissions(cr.rules, resources, verbs):
+                    report.status = "FAIL"
+                    report.status_extended = f"User or group '{subject.name}' has access to update the CSR approval sub-resource."
+                    break
+            findings.append(report)
 
         return findings
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py
index 913d968f31..377e5345da 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py
@@ -11,20 +11,32 @@ resources = ["nodes/proxy"]
 class rbac_minimize_node_proxy_subresource_access(Check):
     def execute(self) -> Check_Report_Kubernetes:
         findings = []
+        # Collect unique subjects and the ClusterRole names bound to them
+        subjects_bound_roles = {}
         for crb in rbac_client.cluster_role_bindings.values():
             for subject in crb.subjects:
+                # CIS benchmarks scope these checks to human identities only
                 if subject.kind in ["User", "Group"]:
-                    report = Check_Report_Kubernetes(
-                        metadata=self.metadata(), resource=subject
-                    )
-                    report.status = "PASS"
-                    report.status_extended = f"User or group '{subject.name}' does not have access to the node proxy sub-resource."
-                    for cr in rbac_client.cluster_roles.values():
-                        if cr.metadata.name == crb.roleRef.name:
-                            if is_rule_allowing_permissions(cr.rules, resources, verbs):
-                                report.status = "FAIL"
-                                report.status_extended = f"User or group '{subject.name}' has access to the node proxy sub-resource."
-                                break
-                    findings.append(report)
+                    key = (subject.kind, subject.name, subject.namespace)
+                    if key not in subjects_bound_roles:
+                        subjects_bound_roles[key] = (subject, set())
+                    subjects_bound_roles[key][1].add(crb.roleRef.name)
+
+        cluster_roles_by_name = {
+            cr.metadata.name: cr for cr in rbac_client.cluster_roles.values()
+        }
+        for _, (subject, role_names) in subjects_bound_roles.items():
+            report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject)
+            report.resource_name = f"{subject.kind}:{subject.name}"
+            report.resource_id = f"{subject.kind}/{subject.name}"
+            report.status = "PASS"
+            report.status_extended = f"User or group '{subject.name}' does not have access to the node proxy sub-resource."
+            for role_name in role_names:
+                cr = cluster_roles_by_name.get(role_name)
+                if cr and is_rule_allowing_permissions(cr.rules, resources, verbs):
+                    report.status = "FAIL"
+                    report.status_extended = f"User or group '{subject.name}' has access to the node proxy sub-resource."
+                    break
+            findings.append(report)
 
         return findings
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py
index 204942c57e..2fb76bbed7 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py
@@ -11,21 +11,32 @@ resources = ["persistentvolumes"]
 class rbac_minimize_pv_creation_access(Check):
     def execute(self) -> Check_Report_Kubernetes:
         findings = []
-        # Check each ClusterRoleBinding for access to create PersistentVolumes
+        # Collect unique subjects and the ClusterRole names bound to them
+        subjects_bound_roles = {}
         for crb in rbac_client.cluster_role_bindings.values():
             for subject in crb.subjects:
+                # CIS benchmarks scope these checks to human identities only
                 if subject.kind in ["User", "Group"]:
-                    report = Check_Report_Kubernetes(
-                        metadata=self.metadata(), resource=subject
-                    )
-                    report.status = "PASS"
-                    report.status_extended = f"User or group '{subject.name}' does not have access to create PersistentVolumes."
-                    for cr in rbac_client.cluster_roles.values():
-                        if cr.metadata.name == crb.roleRef.name:
-                            if is_rule_allowing_permissions(cr.rules, resources, verbs):
-                                report.status = "FAIL"
-                                report.status_extended = f"User or group '{subject.name}' has access to create PersistentVolumes."
-                                break
-                    findings.append(report)
+                    key = (subject.kind, subject.name, subject.namespace)
+                    if key not in subjects_bound_roles:
+                        subjects_bound_roles[key] = (subject, set())
+                    subjects_bound_roles[key][1].add(crb.roleRef.name)
+
+        cluster_roles_by_name = {
+            cr.metadata.name: cr for cr in rbac_client.cluster_roles.values()
+        }
+        for _, (subject, role_names) in subjects_bound_roles.items():
+            report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject)
+            report.resource_name = f"{subject.kind}:{subject.name}"
+            report.resource_id = f"{subject.kind}/{subject.name}"
+            report.status = "PASS"
+            report.status_extended = f"User or group '{subject.name}' does not have access to create PersistentVolumes."
+            for role_name in role_names:
+                cr = cluster_roles_by_name.get(role_name)
+                if cr and is_rule_allowing_permissions(cr.rules, resources, verbs):
+                    report.status = "FAIL"
+                    report.status_extended = f"User or group '{subject.name}' has access to create PersistentVolumes."
+                    break
+            findings.append(report)
 
         return findings
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py
index 9b1318c92f..8e492309db 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py
@@ -11,20 +11,32 @@ resources = ["serviceaccounts/token"]
 class rbac_minimize_service_account_token_creation(Check):
     def execute(self) -> Check_Report_Kubernetes:
         findings = []
+        # Collect unique subjects and the ClusterRole names bound to them
+        subjects_bound_roles = {}
         for crb in rbac_client.cluster_role_bindings.values():
             for subject in crb.subjects:
+                # CIS benchmarks scope these checks to human identities only
                 if subject.kind in ["User", "Group"]:
-                    report = Check_Report_Kubernetes(
-                        metadata=self.metadata(), resource=subject
-                    )
-                    report.status = "PASS"
-                    report.status_extended = f"User or group '{subject.name}' does not have access to create service account tokens."
-                    for cr in rbac_client.cluster_roles.values():
-                        if cr.metadata.name == crb.roleRef.name:
-                            if is_rule_allowing_permissions(cr.rules, resources, verbs):
-                                report.status = "FAIL"
-                                report.status_extended = f"User or group '{subject.name}' has access to create service account tokens."
-                                break
-                    findings.append(report)
+                    key = (subject.kind, subject.name, subject.namespace)
+                    if key not in subjects_bound_roles:
+                        subjects_bound_roles[key] = (subject, set())
+                    subjects_bound_roles[key][1].add(crb.roleRef.name)
+
+        cluster_roles_by_name = {
+            cr.metadata.name: cr for cr in rbac_client.cluster_roles.values()
+        }
+        for _, (subject, role_names) in subjects_bound_roles.items():
+            report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject)
+            report.resource_name = f"{subject.kind}:{subject.name}"
+            report.resource_id = f"{subject.kind}/{subject.name}"
+            report.status = "PASS"
+            report.status_extended = f"User or group '{subject.name}' does not have access to create service account tokens."
+            for role_name in role_names:
+                cr = cluster_roles_by_name.get(role_name)
+                if cr and is_rule_allowing_permissions(cr.rules, resources, verbs):
+                    report.status = "FAIL"
+                    report.status_extended = f"User or group '{subject.name}' has access to create service account tokens."
+                    break
+            findings.append(report)
 
         return findings
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
index 2da9893dab..ffdad52a19 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
@@ -14,24 +14,32 @@ verbs = ["create", "update", "delete"]
 class rbac_minimize_webhook_config_access(Check):
     def execute(self) -> Check_Report_Kubernetes:
         findings = []
+        # Collect unique subjects and the ClusterRole names bound to them
+        subjects_bound_roles = {}
         for crb in rbac_client.cluster_role_bindings.values():
             for subject in crb.subjects:
+                # CIS benchmarks scope these checks to human identities only
                 if subject.kind in ["User", "Group"]:
-                    report = Check_Report_Kubernetes(
-                        metadata=self.metadata(), resource=subject
-                    )
-                    report.status = "PASS"
-                    report.status_extended = f"User or group '{subject.name}' does not have access to create, update, or delete webhook configurations."
-                    for cr in rbac_client.cluster_roles.values():
-                        if cr.metadata.name == crb.roleRef.name:
-                            if is_rule_allowing_permissions(
-                                cr.rules,
-                                resources,
-                                verbs,
-                            ):
-                                report.status = "FAIL"
-                                report.status_extended = f"User or group '{subject.name}' has access to create, update, or delete webhook configurations."
-                                break
-                    findings.append(report)
+                    key = (subject.kind, subject.name, subject.namespace)
+                    if key not in subjects_bound_roles:
+                        subjects_bound_roles[key] = (subject, set())
+                    subjects_bound_roles[key][1].add(crb.roleRef.name)
+
+        cluster_roles_by_name = {
+            cr.metadata.name: cr for cr in rbac_client.cluster_roles.values()
+        }
+        for _, (subject, role_names) in subjects_bound_roles.items():
+            report = Check_Report_Kubernetes(metadata=self.metadata(), resource=subject)
+            report.resource_name = f"{subject.kind}:{subject.name}"
+            report.resource_id = f"{subject.kind}/{subject.name}"
+            report.status = "PASS"
+            report.status_extended = f"User or group '{subject.name}' does not have access to create, update, or delete webhook configurations."
+            for role_name in role_names:
+                cr = cluster_roles_by_name.get(role_name)
+                if cr and is_rule_allowing_permissions(cr.rules, resources, verbs):
+                    report.status = "FAIL"
+                    report.status_extended = f"User or group '{subject.name}' has access to create, update, or delete webhook configurations."
+                    break
+            findings.append(report)
 
         return findings

From 21d7d08b4b8b43eeedc5b4a75c4ccee6b0a112f2 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga <pepe@prowler.com>
Date: Mon, 4 May 2026 19:39:17 +0200
Subject: [PATCH 18/29] fix(timeline): Return a compact actor name from
 CloudTrail events (#10986)

---
 prowler/CHANGELOG.md                          |  1 +
 .../cloudtrail_timeline.py                    | 31 +++-------
 .../cloudtrail_timeline_test.py               | 57 ++++++++++++++-----
 3 files changed, 52 insertions(+), 37 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 5bb7da487f..8f2b480a36 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -37,6 +37,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🐞 Fixed
 
 - Duplicate Kubernetes RBAC findings when the same User or Group subject appeared in multiple ClusterRoleBindings [(#10242)](https://github.com/prowler-cloud/prowler/pull/10242)
+- Return a compact actor name from CloudTrail `userIdentity` events [(#10986)](https://github.com/prowler-cloud/prowler/pull/10986)
 
 ---
 
diff --git a/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py b/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py
index b73d070078..2f03dd8c84 100644
--- a/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py
+++ b/prowler/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline.py
@@ -221,27 +221,12 @@ class CloudTrailTimeline(TimelineService):
 
     @staticmethod
     def _extract_actor(user_identity: Dict[str, Any]) -> str:
-        """Extract a human-readable actor name from CloudTrail userIdentity."""
-        # Try ARN first - most reliable
+        """Return a compact actor name from CloudTrail userIdentity.
+
+        For ARNs, returns the resource portion (everything after the last
+        `:`) — e.g. `user/alice`, `assumed-role/MyRole/session-name`,
+        `root`. The full ARN is preserved separately in `actor_uid`.
+        """
         if arn := user_identity.get("arn"):
-            if "/" in arn:
-                parts = arn.split("/")
-                # For assumed-role, return the role name (second-to-last part)
-                if "assumed-role" in arn and len(parts) >= 2:
-                    return parts[-2]
-                return parts[-1]
-            return arn.split(":")[-1]
-
-        # Fall back to userName
-        if username := user_identity.get("userName"):
-            return username
-
-        # Fall back to principalId
-        if principal_id := user_identity.get("principalId"):
-            return principal_id
-
-        # For service-invoked actions
-        if invoking_service := user_identity.get("invokedBy"):
-            return invoking_service
-
-        return "Unknown"
+            return arn.rsplit(":", 1)[-1]
+        return user_identity.get("invokedBy") or "Unknown"
diff --git a/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py b/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py
index aeca0f7c1d..5c2c99cbfc 100644
--- a/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py
+++ b/tests/providers/aws/lib/cloudtrail_timeline/cloudtrail_timeline_test.py
@@ -100,7 +100,7 @@ class TestCloudTrailTimeline:
 
         assert len(result) == 1
         assert result[0]["event_name"] == "RunInstances"
-        assert result[0]["actor"] == "admin"
+        assert result[0]["actor"] == "user/admin"
         assert result[0]["source_ip_address"] == "203.0.113.1"
 
     def test_get_resource_timeline_with_resource_uid(
@@ -304,14 +304,28 @@ class TestExtractActor:
             "arn": "arn:aws:iam::123456789012:user/alice",
             "userName": "alice",
         }
-        assert CloudTrailTimeline._extract_actor(user_identity) == "alice"
+        assert CloudTrailTimeline._extract_actor(user_identity) == "user/alice"
 
     def test_extract_actor_assumed_role(self):
         user_identity = {
             "type": "AssumedRole",
             "arn": "arn:aws:sts::123456789012:assumed-role/MyRole/session-name",
         }
-        assert CloudTrailTimeline._extract_actor(user_identity) == "MyRole"
+        assert (
+            CloudTrailTimeline._extract_actor(user_identity)
+            == "assumed-role/MyRole/session-name"
+        )
+
+    def test_extract_actor_assumed_role_sso(self):
+        """SSO sessions store the user identity in the session name."""
+        user_identity = {
+            "type": "AssumedRole",
+            "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_abcdef1234567890/user@example.com",
+        }
+        assert (
+            CloudTrailTimeline._extract_actor(user_identity)
+            == "assumed-role/AWSReservedSSO_AdministratorAccess_abcdef1234567890/user@example.com"
+        )
 
     def test_extract_actor_root(self):
         user_identity = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
@@ -327,21 +341,33 @@ class TestExtractActor:
             == "elasticloadbalancing.amazonaws.com"
         )
 
-    def test_extract_actor_fallback_to_principal_id(self):
-        user_identity = {"type": "Unknown", "principalId": "AROAEXAMPLEID:session"}
-        assert (
-            CloudTrailTimeline._extract_actor(user_identity) == "AROAEXAMPLEID:session"
-        )
-
     def test_extract_actor_unknown(self):
         assert CloudTrailTimeline._extract_actor({}) == "Unknown"
 
+    def test_extract_actor_username_only_returns_unknown(self):
+        """When userIdentity carries only userName/principalId (no arn or
+        invokedBy), we deliberately return "Unknown" — we rely on the ARN
+        from the upstream service for the actor."""
+        assert (
+            CloudTrailTimeline._extract_actor({"type": "IAMUser", "userName": "alice"})
+            == "Unknown"
+        )
+        assert (
+            CloudTrailTimeline._extract_actor(
+                {"type": "Unknown", "principalId": "AROAEXAMPLEID:session"}
+            )
+            == "Unknown"
+        )
+
     def test_extract_actor_federated_user(self):
         user_identity = {
             "type": "FederatedUser",
             "arn": "arn:aws:sts::123456789012:federated-user/developer",
         }
-        assert CloudTrailTimeline._extract_actor(user_identity) == "developer"
+        assert (
+            CloudTrailTimeline._extract_actor(user_identity)
+            == "federated-user/developer"
+        )
 
 
 class TestParseEvent:
@@ -380,7 +406,7 @@ class TestParseEvent:
         assert result is not None
         assert result["event_name"] == "RunInstances"
         assert result["event_source"] == "ec2.amazonaws.com"
-        assert result["actor"] == "admin"
+        assert result["actor"] == "user/admin"
         assert result["actor_uid"] == "arn:aws:iam::123456789012:user/admin"
         assert result["actor_type"] == "IAMUser"
 
@@ -424,7 +450,10 @@ class TestParseEvent:
             "EventName": "RunInstances",
             "EventSource": "ec2.amazonaws.com",
             "CloudTrailEvent": {
-                "userIdentity": {"type": "IAMUser", "userName": "admin"},
+                "userIdentity": {
+                    "type": "IAMUser",
+                    "arn": "arn:aws:iam::123456789012:user/admin",
+                },
             },
         }
         timeline = CloudTrailTimeline(session=mock_session)
@@ -432,7 +461,7 @@ class TestParseEvent:
 
         assert result is not None
         assert result["event_name"] == "RunInstances"
-        assert result["actor"] == "admin"
+        assert result["actor"] == "user/admin"
 
     def test_parse_event_missing_event_id(self, mock_session):
         """Test parsing event without EventId returns None (event_id is required)."""
@@ -506,7 +535,7 @@ class TestParseEvent:
 
         assert result is not None
         assert result["event_name"] == "RunInstances"
-        assert result["actor"] == "admin"
+        assert result["actor"] == "user/admin"
         # actor_type should be None when not present in userIdentity
         assert result["actor_type"] is None
 

From 7c6d658154982e376e30aec216a8af11b7b36cb2 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga <pepe@prowler.com>
Date: Mon, 4 May 2026 19:54:03 +0200
Subject: [PATCH 19/29] fix(k8s): match RBAC rules by apiGroup, not just core
 (#10969)

Co-authored-by: Andoni A. <14891798+andoniaf@users.noreply.github.com>
---
 prowler/CHANGELOG.md                          |   1 +
 .../services/rbac/lib/role_permissions.py     |  57 ++++----
 .../rbac_minimize_csr_approval_access.py      |   5 +-
 .../rbac_minimize_webhook_config_access.py    |   5 +-
 .../rbac/lib/role_permissions_test.py         | 124 +++++++++---------
 5 files changed, 101 insertions(+), 91 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 8f2b480a36..6e4f231ec2 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -37,6 +37,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🐞 Fixed
 
 - Duplicate Kubernetes RBAC findings when the same User or Group subject appeared in multiple ClusterRoleBindings [(#10242)](https://github.com/prowler-cloud/prowler/pull/10242)
+- Match K8s RBAC rules by `apiGroup` [(#10969)](https://github.com/prowler-cloud/prowler/pull/10969)
 - Return a compact actor name from CloudTrail `userIdentity` events [(#10986)](https://github.com/prowler-cloud/prowler/pull/10986)
 
 ---
diff --git a/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py b/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py
index c3db38b2f7..04bf9b4c9c 100644
--- a/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py
+++ b/prowler/providers/kubernetes/services/rbac/lib/role_permissions.py
@@ -1,36 +1,37 @@
-def is_rule_allowing_permissions(rules, resources, verbs):
+def is_rule_allowing_permissions(rules, resources, verbs, api_groups=("",)):
     """
-    Check Kubernetes role permissions.
+    Check whether any RBAC rule grants the specified verbs on the specified
+    resources within the specified API groups.
 
-    This function takes in Kubernetes role rules, resources, and verbs,
-    and checks if any of the rules grant permissions on the specified
-    resources with the specified verbs.
+    A rule matches when its `apiGroups` includes any of `api_groups` (or "*"),
+    its `resources` includes any of `resources` (or "*"), and its `verbs`
+    includes any of `verbs` (or "*").
 
     Args:
-        rules (List[Rule]): The list of Kubernetes role rules.
-        resources (List[str]): The list of resources to check permissions for.
-        verbs (List[str]): The list of verbs to check permissions for.
+        rules (List[Rule]): RBAC rules from a Role or ClusterRole.
+        resources (List[str]): Resources (or sub-resources) to check.
+        verbs (List[str]): Verbs to check.
+        api_groups (Iterable[str]): API groups the resources live in. Defaults
+            to ("",), the core API group, which matches the most common case.
+            Pass an explicit value for resources outside the core group, e.g.
+            ("admissionregistration.k8s.io",) for webhook configurations.
 
     Returns:
-        bool: True if any of the rules grant permissions, False otherwise.
+        bool: True if any rule grants the permission, False otherwise.
     """
-    if rules:
-        # Iterate through each rule in the list of rules
-        for rule in rules:
-            # Ensure apiGroups are relevant ("" or "v1" for secrets)
-            if rule.apiGroups and all(api not in ["", "v1"] for api in rule.apiGroups):
-                continue  # Skip rules with unrelated apiGroups
-            # Check if the rule has resources, verbs, and matches any of the specified resources and verbs
-            if (
-                rule.resources
-                and (
-                    any(resource in rule.resources for resource in resources)
-                    or "*" in rule.resources
-                )
-                and rule.verbs
-                and (any(verb in rule.verbs for verb in verbs) or "*" in rule.verbs)
-            ):
-                # If the rule matches, return True
-                return True
-    # If no rule matches, return False
+    if not rules:
+        return False
+    for rule in rules:
+        rule_api_groups = rule.apiGroups or [""]
+        if not (
+            any(g in rule_api_groups for g in api_groups) or "*" in rule_api_groups
+        ):
+            continue
+        if (
+            rule.resources
+            and (any(r in rule.resources for r in resources) or "*" in rule.resources)
+            and rule.verbs
+            and (any(v in rule.verbs for v in verbs) or "*" in rule.verbs)
+        ):
+            return True
     return False
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
index 17e56add55..2b86f0cafe 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
@@ -6,6 +6,7 @@ from prowler.providers.kubernetes.services.rbac.rbac_client import rbac_client
 
 verbs = ["update", "patch"]
 resources = ["certificatesigningrequests/approval"]
+api_groups = ["certificates.k8s.io"]
 
 
 class rbac_minimize_csr_approval_access(Check):
@@ -33,7 +34,9 @@ class rbac_minimize_csr_approval_access(Check):
             report.status_extended = f"User or group '{subject.name}' does not have access to update the CSR approval sub-resource."
             for role_name in role_names:
                 cr = cluster_roles_by_name.get(role_name)
-                if cr and is_rule_allowing_permissions(cr.rules, resources, verbs):
+                if cr and is_rule_allowing_permissions(
+                    cr.rules, resources, verbs, api_groups
+                ):
                     report.status = "FAIL"
                     report.status_extended = f"User or group '{subject.name}' has access to update the CSR approval sub-resource."
                     break
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
index ffdad52a19..e646efeeef 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
@@ -9,6 +9,7 @@ resources = [
     "mutatingwebhookconfigurations",
 ]
 verbs = ["create", "update", "delete"]
+api_groups = ["admissionregistration.k8s.io"]
 
 
 class rbac_minimize_webhook_config_access(Check):
@@ -36,7 +37,9 @@ class rbac_minimize_webhook_config_access(Check):
             report.status_extended = f"User or group '{subject.name}' does not have access to create, update, or delete webhook configurations."
             for role_name in role_names:
                 cr = cluster_roles_by_name.get(role_name)
-                if cr and is_rule_allowing_permissions(cr.rules, resources, verbs):
+                if cr and is_rule_allowing_permissions(
+                    cr.rules, resources, verbs, api_groups
+                ):
                     report.status = "FAIL"
                     report.status_extended = f"User or group '{subject.name}' has access to create, update, or delete webhook configurations."
                     break
diff --git a/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py b/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py
index 696550c06c..94028547e9 100644
--- a/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py
+++ b/tests/providers/kubernetes/services/rbac/lib/role_permissions_test.py
@@ -6,90 +6,92 @@ from prowler.providers.kubernetes.services.rbac.rbac_service import Rule
 
 class TestCheckRolePermissions:
     def test_is_rule_allowing_permissions(self):
-        # Define some sample rules, resources, and verbs for testing
         rules = [
-            # Rule 1: Allows 'get' and 'list' on 'pods' and 'services'
             Rule(resources=["pods", "services"], verbs=["get", "list"]),
-            # Rule 2: Allows 'create' and 'delete' on 'deployments'
             Rule(resources=["deployments"], verbs=["create", "delete"]),
         ]
-        resources = ["pods", "deployments"]
-        verbs = ["get", "create"]
-
-        assert is_rule_allowing_permissions(rules, resources, verbs)
+        assert is_rule_allowing_permissions(
+            rules, ["pods", "deployments"], ["get", "create"]
+        )
 
     def test_no_permissions(self):
-        # Test when there are no rules
-        rules = []
-        resources = ["pods", "deployments"]
-        verbs = ["get", "create"]
-
-        assert not is_rule_allowing_permissions(rules, resources, verbs)
+        assert not is_rule_allowing_permissions([], ["pods"], ["get"])
 
     def test_no_matching_rules(self):
-        # Test when there are rules, but none match the specified resources and verbs
         rules = [
             Rule(resources=["services"], verbs=["get", "list"]),
             Rule(resources=["pods"], verbs=["create", "delete"]),
         ]
-        resources = ["deployments", "configmaps"]
-        verbs = ["get", "create"]
-
-        assert not is_rule_allowing_permissions(rules, resources, verbs)
+        assert not is_rule_allowing_permissions(
+            rules, ["deployments", "configmaps"], ["get", "create"]
+        )
 
     def test_empty_rules(self):
-        # Test when the rules list is empty
-        rules = []
-        resources = ["pods", "deployments"]
-        verbs = ["get", "create"]
-
-        assert not is_rule_allowing_permissions(rules, resources, verbs)
+        assert not is_rule_allowing_permissions([], ["pods"], ["get"])
 
     def test_empty_resources_and_verbs(self):
-        # Test when resources and verbs are empty lists
-        rules = [
-            Rule(resources=["pods"], verbs=["get"]),
-            Rule(resources=["services"], verbs=["list"]),
-        ]
-        resources = []
-        verbs = []
-
-        assert not is_rule_allowing_permissions(rules, resources, verbs)
+        rules = [Rule(resources=["pods"], verbs=["get"])]
+        assert not is_rule_allowing_permissions(rules, [], [])
 
     def test_matching_rule_with_empty_resources_or_verbs(self):
-        # Test when a rule matches, but either resources or verbs are empty
+        rules = [Rule(resources=["pods"], verbs=["get"])]
+        assert not is_rule_allowing_permissions(rules, [], ["get"])
+        assert not is_rule_allowing_permissions(rules, ["pods"], [])
+
+    def test_rule_with_non_matching_api_group(self):
+        rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=["apps"])]
+        assert not is_rule_allowing_permissions(rules, ["pods"], ["get"])
+
+    def test_rule_with_matching_api_group(self):
+        rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=[""])]
+        assert is_rule_allowing_permissions(rules, ["pods"], ["get"])
+
+    def test_default_api_group_is_core(self):
+        rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=None)]
+        assert is_rule_allowing_permissions(rules, ["pods"], ["get"])
+
+    def test_rule_with_empty_api_groups_does_not_match_non_core_request(self):
+        rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=None)]
+        assert not is_rule_allowing_permissions(
+            rules, ["pods"], ["get"], ["admissionregistration.k8s.io"]
+        )
+
+    def test_non_core_rule_does_not_match_without_api_groups_argument(self):
         rules = [
-            Rule(resources=["pods"], verbs=["get"]),
-            Rule(resources=["services"], verbs=["list"]),
+            Rule(
+                resources=["validatingwebhookconfigurations"],
+                verbs=["create"],
+                apiGroups=["admissionregistration.k8s.io"],
+            )
         ]
-        resources = []
-        verbs = ["get"]
+        assert not is_rule_allowing_permissions(
+            rules, ["validatingwebhookconfigurations"], ["create"]
+        )
 
-        assert not is_rule_allowing_permissions(rules, resources, verbs)
-
-        resources = ["pods"]
-        verbs = []
-
-        assert not is_rule_allowing_permissions(rules, resources, verbs)
-
-    def test_rule_with_ignored_api_groups(self):
-        # Test when a rule has apiGroups that are not relevant
+    def test_explicit_non_core_api_group(self):
         rules = [
-            Rule(resources=["pods"], verbs=["get"], apiGroups=["test"]),
-            Rule(resources=["services"], verbs=["list"], apiGroups=["test2"]),
+            Rule(
+                resources=["validatingwebhookconfigurations"],
+                verbs=["create"],
+                apiGroups=["admissionregistration.k8s.io"],
+            )
         ]
-        resources = ["pods"]
-        verbs = ["get"]
+        assert is_rule_allowing_permissions(
+            rules,
+            ["validatingwebhookconfigurations"],
+            ["create"],
+            ["admissionregistration.k8s.io"],
+        )
 
-        assert not is_rule_allowing_permissions(rules, resources, verbs)
+    def test_rule_with_wildcard_api_group(self):
+        rules = [Rule(resources=["pods"], verbs=["get"], apiGroups=["*"])]
+        assert is_rule_allowing_permissions(rules, ["pods"], ["get"])
+        assert is_rule_allowing_permissions(rules, ["pods"], ["get"], ["apps"])
 
-    def test_rule_with_relevant_api_groups(self):
-        # Test when a rule has apiGroups that are relevant
-        rules = [
-            Rule(resources=["pods"], verbs=["get"], apiGroups=["", "v1"]),
-            Rule(resources=["services"], verbs=["list"], apiGroups=["test2"]),
-        ]
-        resources = ["pods"]
-        verbs = ["get"]
+    def test_rule_with_wildcard_resources(self):
+        rules = [Rule(resources=["*"], verbs=["get"], apiGroups=[""])]
+        assert is_rule_allowing_permissions(rules, ["pods"], ["get"])
 
-        assert is_rule_allowing_permissions(rules, resources, verbs)
+    def test_rule_with_wildcard_verbs(self):
+        rules = [Rule(resources=["pods"], verbs=["*"], apiGroups=[""])]
+        assert is_rule_allowing_permissions(rules, ["pods"], ["get"])

From 703a33108cc69de6c06ea5277a4a88e6d73b8261 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga <pepe@prowler.com>
Date: Tue, 5 May 2026 08:47:28 +0200
Subject: [PATCH 20/29] chore(changelog): prepare for v5.25.2 (#10991)

---
 api/CHANGELOG.md     | 2 +-
 prowler/CHANGELOG.md | 4 ++--
 ui/CHANGELOG.md      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
index 8c57285025..c03906d7e8 100644
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ### 🚀 Added
 
-- New `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929)
+- `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929)
 
 ---
 
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 6e4f231ec2..3945d1621a 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -14,9 +14,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🔄 Changed
 
-- `route53_dangling_ip_subdomain_takeover` now also flags `CNAME` records pointing to S3 website endpoints whose buckets are missing from the account [(#10920)](https://github.com/prowler-cloud/prowler/pull/10920)
 - Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for `network_flow_log_captured_sent` and align metadata with VNet-compatible flow log guidance [(#10645)](https://github.com/prowler-cloud/prowler/pull/10645)
-- Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs
+- Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs [(#10937)](https://github.com/prowler-cloud/prowler/pull/10937)
 - AWS CodeBuild service now batches `BatchGetProjects` and `BatchGetBuilds` calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in `codebuild_project_not_publicly_accessible` [(#10639)](https://github.com/prowler-cloud/prowler/pull/10639)
 - `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
 
@@ -36,6 +35,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🐞 Fixed
 
+- `route53_dangling_ip_subdomain_takeover` now also flags `CNAME` records pointing to S3 website endpoints whose buckets are missing from the account [(#10920)](https://github.com/prowler-cloud/prowler/pull/10920)
 - Duplicate Kubernetes RBAC findings when the same User or Group subject appeared in multiple ClusterRoleBindings [(#10242)](https://github.com/prowler-cloud/prowler/pull/10242)
 - Match K8s RBAC rules by `apiGroup` [(#10969)](https://github.com/prowler-cloud/prowler/pull/10969)
 - Return a compact actor name from CloudTrail `userIdentity` events [(#10986)](https://github.com/prowler-cloud/prowler/pull/10986)
diff --git a/ui/CHANGELOG.md b/ui/CHANGELOG.md
index 4b63c9cd84..8b0f8d17e6 100644
--- a/ui/CHANGELOG.md
+++ b/ui/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 All notable changes to the **Prowler UI** are documented in this file.
 
-## [1.25.2] (Prowler UNRELEASED)
+## [1.25.2] (Prowler v5.25.2)
 
 ### 🔄 Changed
 

From 786059bfb24abe690bbcba2cdc9f4ef8431acf5e Mon Sep 17 00:00:00 2001
From: Prowler Bot <bot@prowler.com>
Date: Tue, 5 May 2026 10:45:07 +0200
Subject: [PATCH 21/29] chore(docs): Bump version to v5.25.2 (#10993)

Co-authored-by: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
---
 docs/getting-started/installation/prowler-app.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/getting-started/installation/prowler-app.mdx b/docs/getting-started/installation/prowler-app.mdx
index 0b9d15852b..cf88d1aded 100644
--- a/docs/getting-started/installation/prowler-app.mdx
+++ b/docs/getting-started/installation/prowler-app.mdx
@@ -121,8 +121,8 @@ To update the environment file:
 Edit the `.env` file and change version values:
 
 ```env
-PROWLER_UI_VERSION="5.25.1"
-PROWLER_API_VERSION="5.25.1"
+PROWLER_UI_VERSION="5.25.2"
+PROWLER_API_VERSION="5.25.2"
 ```
 
 <Note>

From d23c2f3b5317ca8aa1bb3031093b7ba85941f172 Mon Sep 17 00:00:00 2001
From: "Pablo Fernandez Guerra (PFE)"
 <148432447+pfe-nazaries@users.noreply.github.com>
Date: Tue, 5 May 2026 14:39:54 +0200
Subject: [PATCH 22/29] refactor(ui): standardize "Providers" wording across UI
 and docs (#10971)

Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/developer-guide/provider.mdx             |  2 +-
 .../basic-usage/prowler-app.mdx               |  6 +--
 .../getting-started-alibabacloud.mdx          |  8 +--
 .../providers/aws/getting-started-aws.mdx     |  8 +--
 .../providers/azure/getting-started-azure.mdx |  8 +--
 .../cloudflare/getting-started-cloudflare.mdx |  8 +--
 .../providers/gcp/getting-started-gcp.mdx     |  8 +--
 .../providers/github/authentication.mdx       |  2 +-
 .../github/getting-started-github.mdx         |  8 +--
 .../getting-started-googleworkspace.mdx       |  8 +--
 .../providers/iac/getting-started-iac.mdx     |  8 +--
 .../providers/image/getting-started-image.mdx |  8 +--
 .../kubernetes/getting-started-k8s.mdx        |  8 +--
 .../microsoft365/getting-started-m365.mdx     |  8 +--
 .../getting-started-mongodbatlas.mdx          |  2 +-
 .../providers/oci/getting-started-oci.mdx     |  4 +-
 .../openstack/getting-started-openstack.mdx   |  2 +-
 .../vercel/getting-started-vercel.mdx         |  8 +--
 .../user-guide/tutorials/prowler-app-rbac.mdx |  4 +-
 .../tutorials/prowler-app-s3-integration.mdx  |  2 +-
 docs/user-guide/tutorials/prowler-app.mdx     |  4 +-
 .../prowler-cloud-aws-organizations.mdx       |  4 +-
 ui/CHANGELOG.md                               |  8 +++
 ui/actions/manage-groups/manage-groups.ts     |  6 +--
 .../_components/accounts-selector.tsx         |  6 +--
 .../_components/provider-type-selector.tsx    |  3 +-
 .../_components/scan-list-table.tsx           |  2 +-
 ui/app/(prowler)/manage-groups/page.tsx       |  4 +-
 ui/app/(prowler)/providers/page.test.ts       |  2 +-
 ui/app/(prowler)/providers/page.tsx           | 22 ++++----
 ...ontent.tsx => provider-groups-content.tsx} | 10 ++--
 .../providers/provider-page-tabs.shared.ts    |  8 +--
 .../providers/provider-page-tabs.test.tsx     | 51 +++++++++----------
 .../providers/provider-page-tabs.tsx          | 24 ++++-----
 .../compliance/compliance-card.test.tsx       |  4 +-
 ui/components/filters/data-filters.ts         |  4 +-
 .../table/column-standalone-findings.tsx      |  2 +-
 .../manage-groups/forms/delete-group-form.tsx |  2 +-
 .../manage-groups/forms/edit-group-form.tsx   |  4 +-
 .../manage-groups/manage-groups-button.tsx    |  2 +-
 .../table/data-table-row-actions.tsx          |  6 +--
 .../table/skeleton-table-new-findings.tsx     |  2 +-
 .../providers/table/column-providers.tsx      |  6 +--
 .../table/skeleton-table-provider.tsx         |  8 +--
 .../wizard/provider-wizard-modal.tsx          |  2 +-
 .../provider-wizard-modal.utils.test.ts       |  2 +-
 .../wizard/provider-wizard-modal.utils.ts     |  4 +-
 .../providers/wizard/wizard-stepper.tsx       |  2 +-
 .../resources/table/column-resources.tsx      |  2 +-
 .../launch-workflow/select-scan-provider.tsx  |  6 +--
 ui/components/scans/no-providers-added.tsx    |  8 +--
 .../scans/no-providers-connected.tsx          | 12 ++---
 .../scans/table/scans/column-get-scans.tsx    |  2 +-
 ui/lib/helper.ts                              |  5 +-
 ui/lib/menu-list.ts                           |  2 +-
 ui/tests/providers/providers-page.ts          | 10 ++--
 ui/tests/scans/scans-page.ts                  |  4 +-
 .../manage-cloud-providers.auth.setup.ts      |  2 +-
 58 files changed, 191 insertions(+), 186 deletions(-)
 rename ui/app/(prowler)/providers/{account-groups-content.tsx => provider-groups-content.tsx} (93%)

diff --git a/docs/developer-guide/provider.mdx b/docs/developer-guide/provider.mdx
index ec3e106150..f7a1057d11 100644
--- a/docs/developer-guide/provider.mdx
+++ b/docs/developer-guide/provider.mdx
@@ -1003,7 +1003,7 @@ class ProwlerArgumentParser:
             formatter_class=RawTextHelpFormatter,
             usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,nhn,dashboard,iac,your_provider} ...",
             epilog="""
-Available Cloud Providers:
+Available Providers:
   {aws,azure,gcp,kubernetes,m365,github,iac,nhn,your_provider}
     aws                 AWS Provider
     azure               Azure Provider
diff --git a/docs/getting-started/basic-usage/prowler-app.mdx b/docs/getting-started/basic-usage/prowler-app.mdx
index 26d7d8ee2e..bc39353dcc 100644
--- a/docs/getting-started/basic-usage/prowler-app.mdx
+++ b/docs/getting-started/basic-usage/prowler-app.mdx
@@ -32,11 +32,11 @@ Access Prowler App by logging in with **email and password**.
 
 <img src="/images/log-in.png" alt="Log In" width="285" />
 
-## Add Cloud Provider
+## Add Provider
 
-Configure a cloud provider for scanning:
+Configure a provider for scanning:
 
-1. Navigate to `Settings > Cloud Providers` and click `Add Account`.
+1. Navigate to `Settings > Providers` and click `Add Provider`.
 2. Select the cloud provider.
 3. Enter the provider's identifier (Optional: Add an alias):
     - **AWS**: Account ID
diff --git a/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx b/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx
index a3de5fc8fa..36520a8f8c 100644
--- a/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx
+++ b/docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx
@@ -40,13 +40,13 @@ Before you begin, make sure you have:
 ### Step 2: Access Prowler Cloud
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Go to "Configuration" > "Cloud Providers"
+2. Go to "Configuration" > "Providers"
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider"
+3. Click "Add Provider"
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Alibaba Cloud"
 
diff --git a/docs/user-guide/providers/aws/getting-started-aws.mdx b/docs/user-guide/providers/aws/getting-started-aws.mdx
index 8127e873e7..f0c5ab882a 100644
--- a/docs/user-guide/providers/aws/getting-started-aws.mdx
+++ b/docs/user-guide/providers/aws/getting-started-aws.mdx
@@ -19,13 +19,13 @@ title: 'Getting Started With AWS on Prowler'
 ### Step 2: Access Prowler Cloud
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Go to "Configuration" > "Cloud Providers"
+2. Go to "Configuration" > "Providers"
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider"
+3. Click "Add Provider"
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Amazon Web Services"
 
diff --git a/docs/user-guide/providers/azure/getting-started-azure.mdx b/docs/user-guide/providers/azure/getting-started-azure.mdx
index 456c226aab..66b3b14e3a 100644
--- a/docs/user-guide/providers/azure/getting-started-azure.mdx
+++ b/docs/user-guide/providers/azure/getting-started-azure.mdx
@@ -35,13 +35,13 @@ For detailed instructions on how to create the Service Principal and configure p
 ### Step 2: Access Prowler Cloud
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Navigate to `Configuration` > `Cloud Providers`
+2. Navigate to `Configuration` > `Providers`
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click on `Add Cloud Provider`
+3. Click on `Add Provider`
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select `Microsoft Azure`
 
diff --git a/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx b/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx
index 2bc18bcca8..00320bd34f 100644
--- a/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx
+++ b/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx
@@ -42,13 +42,13 @@ The Account ID is a 32-character hexadecimal string (e.g., `372e67954025e0ba6aaa
 ### Step 2: Open Prowler Cloud
 
 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).
-2. Navigate to "Configuration" > "Cloud Providers".
+2. Navigate to "Configuration" > "Providers".
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider".
+3. Click "Add Provider".
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Cloudflare".
 
diff --git a/docs/user-guide/providers/gcp/getting-started-gcp.mdx b/docs/user-guide/providers/gcp/getting-started-gcp.mdx
index c70250c8a9..e16114e19a 100644
--- a/docs/user-guide/providers/gcp/getting-started-gcp.mdx
+++ b/docs/user-guide/providers/gcp/getting-started-gcp.mdx
@@ -14,13 +14,13 @@ title: 'Getting Started With GCP on Prowler'
 ### Step 2: Access Prowler Cloud
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Go to "Configuration" > "Cloud Providers"
+2. Go to "Configuration" > "Providers"
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider"
+3. Click "Add Provider"
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Google Cloud Platform"
 
diff --git a/docs/user-guide/providers/github/authentication.mdx b/docs/user-guide/providers/github/authentication.mdx
index adbfd235a8..0b5ab6b720 100644
--- a/docs/user-guide/providers/github/authentication.mdx
+++ b/docs/user-guide/providers/github/authentication.mdx
@@ -275,7 +275,7 @@ For step-by-step setup instructions for Prowler Cloud, see the [Getting Started
 
 ### Using Personal Access Token
 
-1. In Prowler Cloud, navigate to **Configuration** > **Cloud Providers** > **Add Cloud Provider** > **GitHub**.
+1. In Prowler Cloud, navigate to **Configuration** > **Providers** > **Add Provider** > **GitHub**.
 
 2. Enter your GitHub Account ID (username or organization name).
 
diff --git a/docs/user-guide/providers/github/getting-started-github.mdx b/docs/user-guide/providers/github/getting-started-github.mdx
index 3211d7058d..e946660b51 100644
--- a/docs/user-guide/providers/github/getting-started-github.mdx
+++ b/docs/user-guide/providers/github/getting-started-github.mdx
@@ -49,13 +49,13 @@ Before adding GitHub to Prowler Cloud/App, ensure you have:
 ### Step 1: Access Prowler Cloud/App
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Go to **Configuration** → **Cloud Providers**
+2. Go to **Configuration** → **Providers**
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click **Add Cloud Provider**
+3. Click **Add Provider**
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select **GitHub**
 
diff --git a/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx b/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx
index af09ab75c3..8931c43ebd 100644
--- a/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx
+++ b/docs/user-guide/providers/googleworkspace/getting-started-googleworkspace.mdx
@@ -43,13 +43,13 @@ The Customer ID starts with the letter "C" followed by alphanumeric characters (
 ### Step 2: Open Prowler Cloud
 
 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).
-2. Navigate to "Configuration" > "Cloud Providers".
+2. Navigate to "Configuration" > "Providers".
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider".
+3. Click "Add Provider".
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Google Workspace".
 
diff --git a/docs/user-guide/providers/iac/getting-started-iac.mdx b/docs/user-guide/providers/iac/getting-started-iac.mdx
index 2a1e588018..d1e978dc75 100644
--- a/docs/user-guide/providers/iac/getting-started-iac.mdx
+++ b/docs/user-guide/providers/iac/getting-started-iac.mdx
@@ -42,13 +42,13 @@ Scanner selection is not configurable in Prowler App. Default scanners, misconfi
 ### Step 1: Access Prowler Cloud/App
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Go to "Configuration" > "Cloud Providers"
+2. Go to "Configuration" > "Providers"
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider"
+3. Click "Add Provider"
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Infrastructure as Code"
 
diff --git a/docs/user-guide/providers/image/getting-started-image.mdx b/docs/user-guide/providers/image/getting-started-image.mdx
index 9a3d67258d..b9c305d0ef 100644
--- a/docs/user-guide/providers/image/getting-started-image.mdx
+++ b/docs/user-guide/providers/image/getting-started-image.mdx
@@ -34,13 +34,13 @@ Prowler Cloud does not support scanner selection. The vulnerability, secret, and
 ### Step 1: Access Prowler Cloud
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Navigate to "Configuration" > "Cloud Providers"
+2. Navigate to "Configuration" > "Providers"
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider"
+3. Click "Add Provider"
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Container Registry"
 
diff --git a/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx b/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx
index aff63b81a3..9ca791110f 100644
--- a/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx
+++ b/docs/user-guide/providers/kubernetes/getting-started-k8s.mdx
@@ -7,13 +7,13 @@ title: 'Getting Started with Kubernetes'
 ### Step 1: Access Prowler Cloud/App
 
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
-2. Go to "Configuration" > "Cloud Providers"
+2. Go to "Configuration" > "Providers"
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider"
+3. Click "Add Provider"
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Kubernetes"
 
diff --git a/docs/user-guide/providers/microsoft365/getting-started-m365.mdx b/docs/user-guide/providers/microsoft365/getting-started-m365.mdx
index 1e6830c722..a21b796b5c 100644
--- a/docs/user-guide/providers/microsoft365/getting-started-m365.mdx
+++ b/docs/user-guide/providers/microsoft365/getting-started-m365.mdx
@@ -42,13 +42,13 @@ Set up authentication for Microsoft 365 with the [Microsoft 365 Authentication](
 ### Step 2: Open Prowler Cloud
 
 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).
-2. Navigate to "Configuration" > "Cloud Providers".
+2. Navigate to "Configuration" > "Providers".
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider".
+3. Click "Add Provider".
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Microsoft 365".
 
diff --git a/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx b/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx
index c10c6aac30..c68bfac9c2 100644
--- a/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx
+++ b/docs/user-guide/providers/mongodbatlas/getting-started-mongodbatlas.mdx
@@ -38,7 +38,7 @@ If **Require IP Access List for the Atlas Administration API** is enabled in you
 
 ### Step 1: Add the provider
 
-1. Navigate to **Cloud Providers** and click **Add Cloud Provider**.
+1. Navigate to **Providers** and click **Add Provider**.
    ![Add provider list](./img/add-provider-list.png)
 2. Select **MongoDB Atlas** from the provider list.
 3. Enter your **Organization ID** (24 hex characters). This value is visible in the Atlas UI under **Organization Settings**.
diff --git a/docs/user-guide/providers/oci/getting-started-oci.mdx b/docs/user-guide/providers/oci/getting-started-oci.mdx
index 459d9ad685..d3024bc1c1 100644
--- a/docs/user-guide/providers/oci/getting-started-oci.mdx
+++ b/docs/user-guide/providers/oci/getting-started-oci.mdx
@@ -16,8 +16,8 @@ The following steps apply to Prowler Cloud and the self-hosted Prowler App.
 
 ### Step 2: Access Prowler Cloud
 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).
-2. Go to **Configuration** → **Cloud Providers** and click **Add Cloud Provider**.
-![Add OCI Cloud Provider](./images/oci-add-cloud-provider.png)
+2. Go to **Configuration** → **Providers** and click **Add Provider**.
+![Add OCI Provider](./images/oci-add-cloud-provider.png)
 3. Select **Oracle Cloud** and enter the **Tenancy OCID** and an optional alias, then choose **Next**.
 ![Add OCI Cloud Tenancy](./images/oci-add-tenancy.png)
 
diff --git a/docs/user-guide/providers/openstack/getting-started-openstack.mdx b/docs/user-guide/providers/openstack/getting-started-openstack.mdx
index b80ebe0e9f..1ff80c3e2e 100644
--- a/docs/user-guide/providers/openstack/getting-started-openstack.mdx
+++ b/docs/user-guide/providers/openstack/getting-started-openstack.mdx
@@ -34,7 +34,7 @@ Before running Prowler with the OpenStack provider, ensure you have:
 
 ### Step 1: Add the Provider
 
-1. Navigate to "Cloud Providers" and click "Add Cloud Provider".
+1. Navigate to "Providers" and click "Add Provider".
    ![Providers List](./images/select-provider.png)
 2. Select "OpenStack" from the provider list.
 3. Enter the "Project ID" from the OpenStack provider.
diff --git a/docs/user-guide/providers/vercel/getting-started-vercel.mdx b/docs/user-guide/providers/vercel/getting-started-vercel.mdx
index 8a6fdecc22..c39c5f1e6a 100644
--- a/docs/user-guide/providers/vercel/getting-started-vercel.mdx
+++ b/docs/user-guide/providers/vercel/getting-started-vercel.mdx
@@ -29,13 +29,13 @@ Set up authentication for Vercel with the [Vercel Authentication](/user-guide/pr
 ### Step 1: Add the Provider
 
 1. Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app).
-2. Navigate to "Configuration" > "Cloud Providers".
+2. Navigate to "Configuration" > "Providers".
 
-    ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
+    ![Providers Page](/images/prowler-app/cloud-providers-page.png)
 
-3. Click "Add Cloud Provider".
+3. Click "Add Provider".
 
-    ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
+    ![Add a Provider](/images/prowler-app/add-cloud-provider.png)
 
 4. Select "Vercel".
 
diff --git a/docs/user-guide/tutorials/prowler-app-rbac.mdx b/docs/user-guide/tutorials/prowler-app-rbac.mdx
index 31fd4a730e..cccbbc27cc 100644
--- a/docs/user-guide/tutorials/prowler-app-rbac.mdx
+++ b/docs/user-guide/tutorials/prowler-app-rbac.mdx
@@ -123,7 +123,7 @@ The Roles section in Prowler is designed to facilitate the assignment of custom
 </Note>
 ### Provider Groups
 
-Provider Groups control visibility across specific providers. When creating a new role, you can assign specific groups to define their Cloud Provider visibility. This ensures that users with that role have access only to the Cloud Providers that are required.
+Provider Groups control visibility across specific providers. When creating a new role, you can assign specific groups to define their Provider visibility. This ensures that users with that role have access only to the Providers that are required.
 
 By default, a new user role does not have visibility into any group.
 
@@ -223,7 +223,7 @@ Assign administrative permissions by selecting from the following options:
 | Invite and Manage Users | All | Invite new users and manage existing ones. |
 | Manage Account | All | Adjust account settings, delete users and read/manage users permissions. |
 | Manage Scans | All | Run and review scans. |
-| Manage Cloud Providers | All | Add or modify connected cloud providers. |
+| Manage Providers | All | Add or modify connected providers. |
 | Manage Integrations | All | Add or modify the Prowler Integrations. |
 | Manage Ingestions | Prowler Cloud | Allow or deny the ability to submit findings ingestion batches via the API. |
 | Manage Billing | Prowler Cloud | Access and manage billing settings and subscription information. |
diff --git a/docs/user-guide/tutorials/prowler-app-s3-integration.mdx b/docs/user-guide/tutorials/prowler-app-s3-integration.mdx
index 728e4a4354..284b10eaaf 100644
--- a/docs/user-guide/tutorials/prowler-app-s3-integration.mdx
+++ b/docs/user-guide/tutorials/prowler-app-s3-integration.mdx
@@ -320,7 +320,7 @@ Once the required permissions are set up, proceed to configure the S3 integratio
     ![Add integration button](/images/prowler-app/s3/s3-integration-ui-3.png)
 4. Complete the configuration form with the following details:
 
-    - **Cloud Providers:** Select the providers whose scan results should be exported to this S3 bucket
+    - **Providers:** Select the providers whose scan results should be exported to this S3 bucket
     - **Bucket Name:** Enter the name of the target S3 bucket (e.g., `my-security-findings-bucket`)
     - **Output Directory:** Specify the directory path within the bucket (e.g., `/prowler-findings/`, defaults to `output`)
 
diff --git a/docs/user-guide/tutorials/prowler-app.mdx b/docs/user-guide/tutorials/prowler-app.mdx
index 0b368c5ad4..5e99a41ae7 100644
--- a/docs/user-guide/tutorials/prowler-app.mdx
+++ b/docs/user-guide/tutorials/prowler-app.mdx
@@ -72,8 +72,8 @@ To perform security scans, link a cloud provider account. Prowler supports the f
 
 Steps to add a provider:
 
-1. Navigate to `Settings > Cloud Providers`.
-2. Click `Add Account` to set up a new provider and provide your credentials.
+1. Navigate to `Settings > Providers`.
+2. Click `Add Provider` to set up a new provider and provide your credentials.
 
 <img src="/images/add-provider.png" alt="Add Provider" width="700" />
 
diff --git a/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx b/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx
index e56627ee20..d9c17aaa5f 100644
--- a/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx
+++ b/docs/user-guide/tutorials/prowler-cloud-aws-organizations.mdx
@@ -246,10 +246,10 @@ Now that both roles are deployed — the management account role (Step 1) and th
 
 ### Open the Wizard
 
-1. Navigate to **Cloud Providers** and click **Add Cloud Provider**.
+1. Navigate to **Providers** and click **Add Provider**.
 
 <Frame>
-  <img src="/images/organizations/cloud-providers-add.png" alt="Cloud Providers page showing the Add Cloud Provider button" />
+  <img src="/images/organizations/cloud-providers-add.png" alt="Providers page showing the Add Provider button" />
 </Frame>
 
 2. Select **Amazon Web Services** as the provider.
diff --git a/ui/CHANGELOG.md b/ui/CHANGELOG.md
index 8b0f8d17e6..994c5c9116 100644
--- a/ui/CHANGELOG.md
+++ b/ui/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All notable changes to the **Prowler UI** are documented in this file.
 
+## [1.26.0] (Prowler UNRELEASED)
+
+### 🔄 Changed
+
+- Standardized "Providers" wording across UI and documentation, replacing legacy "Cloud Providers" / "Accounts" / "Account Groups" copy [(#10971)](https://github.com/prowler-cloud/prowler/pull/10971)
+
+---
+
 ## [1.25.2] (Prowler v5.25.2)
 
 ### 🔄 Changed
diff --git a/ui/actions/manage-groups/manage-groups.ts b/ui/actions/manage-groups/manage-groups.ts
index 8758b66f68..933dabbdbc 100644
--- a/ui/actions/manage-groups/manage-groups.ts
+++ b/ui/actions/manage-groups/manage-groups.ts
@@ -23,7 +23,7 @@ export const getProviderGroups = async ({
   const headers = await getAuthHeaders({ contentType: false });
 
   if (isNaN(Number(page)) || page < 1)
-    redirect("/providers?tab=account-groups");
+    redirect("/providers?tab=provider-groups");
 
   const url = new URL(`${apiBaseUrl}/provider-groups`);
 
@@ -112,7 +112,7 @@ export const createProviderGroup = async (formData: FormData) => {
       body,
     });
 
-    return await handleApiResponse(response, "/providers?tab=account-groups");
+    return await handleApiResponse(response, "/providers?tab=provider-groups");
   } catch (error) {
     handleApiError(error);
   }
@@ -169,7 +169,7 @@ export const deleteProviderGroup = async (formData: FormData) => {
 
   if (!providerGroupId) {
     return {
-      errors: [{ detail: "Account Group ID is required." }],
+      errors: [{ detail: "Provider Group ID is required." }],
     };
   }
 
diff --git a/ui/app/(prowler)/_overview/_components/accounts-selector.tsx b/ui/app/(prowler)/_overview/_components/accounts-selector.tsx
index e134625d98..7d20c96355 100644
--- a/ui/app/(prowler)/_overview/_components/accounts-selector.tsx
+++ b/ui/app/(prowler)/_overview/_components/accounts-selector.tsx
@@ -146,7 +146,7 @@ export function AccountsSelector({
   const filterDescription =
     selectedProviderTypes && selectedProviderTypes.length > 0
       ? `Accounts for ${selectedProviderTypes.map(getProviderDisplayName).join(", ")}`
-      : "All connected cloud provider accounts";
+      : "All connected provider accounts";
 
   return (
     <div className="relative">
@@ -155,8 +155,8 @@ export function AccountsSelector({
         className="sr-only"
         id="accounts-label"
       >
-        Filter by cloud provider account. {filterDescription}. Select one or
-        more accounts to view findings.
+        Filter by provider account. {filterDescription}. Select one or more
+        accounts to view findings.
       </label>
       <MultiSelect values={selectedIds} onValuesChange={handleMultiValueChange}>
         <MultiSelectTrigger
diff --git a/ui/app/(prowler)/_overview/_components/provider-type-selector.tsx b/ui/app/(prowler)/_overview/_components/provider-type-selector.tsx
index 819bc49000..04af59d0ba 100644
--- a/ui/app/(prowler)/_overview/_components/provider-type-selector.tsx
+++ b/ui/app/(prowler)/_overview/_components/provider-type-selector.tsx
@@ -277,8 +277,7 @@ export const ProviderTypeSelector = ({
         className="sr-only"
         id="provider-type-label"
       >
-        Filter by cloud provider type. Select one or more providers to view
-        findings.
+        Filter by provider type. Select one or more providers to view findings.
       </label>
       <MultiSelect
         values={selectedTypes}
diff --git a/ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/scan-list-table.tsx b/ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/scan-list-table.tsx
index 2ccd76ce89..9700628bd2 100644
--- a/ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/scan-list-table.tsx
+++ b/ui/app/(prowler)/attack-paths/(workflow)/query-builder/_components/scan-list-table.tsx
@@ -150,7 +150,7 @@ const getColumns = ({
   {
     accessorKey: "provider",
     header: ({ column }) => (
-      <DataTableColumnHeader column={column} title="Account" />
+      <DataTableColumnHeader column={column} title="Provider" />
     ),
     cell: ({ row }) => (
       <EntityInfo
diff --git a/ui/app/(prowler)/manage-groups/page.tsx b/ui/app/(prowler)/manage-groups/page.tsx
index 8eb286f77a..e51c8d011e 100644
--- a/ui/app/(prowler)/manage-groups/page.tsx
+++ b/ui/app/(prowler)/manage-groups/page.tsx
@@ -11,8 +11,8 @@ export default async function ManageGroupsPage({
   const groupId = resolvedSearchParams.groupId;
 
   const target = groupId
-    ? `/providers?tab=account-groups&groupId=${groupId}`
-    : "/providers?tab=account-groups";
+    ? `/providers?tab=provider-groups&groupId=${groupId}`
+    : "/providers?tab=provider-groups";
 
   redirect(target);
 }
diff --git a/ui/app/(prowler)/providers/page.test.ts b/ui/app/(prowler)/providers/page.test.ts
index 8e2aabf50a..52e22c9ba8 100644
--- a/ui/app/(prowler)/providers/page.test.ts
+++ b/ui/app/(prowler)/providers/page.test.ts
@@ -29,7 +29,7 @@ describe("providers page", () => {
     );
     const source = readFileSync(columnsPath, "utf8");
 
-    // Account is fixed, Account Groups is fluid (no explicit size)
+    // Provider is fixed, Provider Groups is fluid (no explicit size)
     expect(source).toContain("size: 420");
     expect(source).toContain("size: 160");
     expect(source).toContain("size: 140");
diff --git a/ui/app/(prowler)/providers/page.tsx b/ui/app/(prowler)/providers/page.tsx
index 8cbdfb3459..cb2dae2e8b 100644
--- a/ui/app/(prowler)/providers/page.tsx
+++ b/ui/app/(prowler)/providers/page.tsx
@@ -7,7 +7,7 @@ import { ContentLayout } from "@/components/ui";
 import { FilterTransitionWrapper } from "@/contexts";
 import { SearchParamsProps } from "@/types";
 
-import { AccountGroupsContent } from "./account-groups-content";
+import { ProviderGroupsContent } from "./provider-groups-content";
 import { ProviderPageTabs } from "./provider-page-tabs";
 import { getProviderTab } from "./provider-page-tabs.shared";
 import { loadProvidersAccountsViewData } from "./providers-page.utils";
@@ -25,24 +25,24 @@ export default async function Providers({
   const searchParamsKey = JSON.stringify(paramsWithoutTab);
 
   return (
-    <ContentLayout title="Cloud Providers" icon="lucide:cloud-cog">
+    <ContentLayout title="Providers" icon="lucide:cloud-cog">
       <FilterTransitionWrapper>
         <ProviderPageTabs
           activeTab={activeTab}
-          accountsContent={
+          providersContent={
             <Suspense
-              key={`accounts-${searchParamsKey}`}
+              key={`providers-${searchParamsKey}`}
               fallback={<ProvidersTableFallback />}
             >
-              <ProvidersAccountsContent searchParams={resolvedSearchParams} />
+              <ProvidersTabContent searchParams={resolvedSearchParams} />
             </Suspense>
           }
-          accountGroupsContent={
+          providerGroupsContent={
             <Suspense
               key={`groups-${searchParamsKey}`}
-              fallback={<AccountGroupsFallback />}
+              fallback={<ProviderGroupsFallback />}
             >
-              <AccountGroupsContent searchParams={resolvedSearchParams} />
+              <ProviderGroupsContent searchParams={resolvedSearchParams} />
             </Suspense>
           }
         />
@@ -59,7 +59,7 @@ const ProvidersTableFallback = () => {
         <Skeleton className="h-[52px] min-w-[200px] flex-1 rounded-lg md:max-w-[280px]" />
         {/* Organizations filter */}
         <Skeleton className="h-[52px] max-w-[240px] min-w-[180px] flex-1 rounded-lg" />
-        {/* Account Groups filter */}
+        {/* Provider Groups filter */}
         <Skeleton className="h-[52px] max-w-[240px] min-w-[180px] flex-1 rounded-lg" />
         {/* Status filter */}
         <Skeleton className="h-[52px] max-w-[240px] min-w-[180px] flex-1 rounded-lg" />
@@ -74,7 +74,7 @@ const ProvidersTableFallback = () => {
   );
 };
 
-const AccountGroupsFallback = () => {
+const ProviderGroupsFallback = () => {
   return (
     <div className="grid min-h-[50vh] grid-cols-1 items-start gap-8 md:grid-cols-12">
       <div className="col-span-1 md:col-span-4">
@@ -95,7 +95,7 @@ const AccountGroupsFallback = () => {
   );
 };
 
-const ProvidersAccountsContent = async ({
+const ProvidersTabContent = async ({
   searchParams,
 }: {
   searchParams: SearchParamsProps;
diff --git a/ui/app/(prowler)/providers/account-groups-content.tsx b/ui/app/(prowler)/providers/provider-groups-content.tsx
similarity index 93%
rename from ui/app/(prowler)/providers/account-groups-content.tsx
rename to ui/app/(prowler)/providers/provider-groups-content.tsx
index f171f521f9..2bb4cd9ae8 100644
--- a/ui/app/(prowler)/providers/account-groups-content.tsx
+++ b/ui/app/(prowler)/providers/provider-groups-content.tsx
@@ -9,7 +9,7 @@ import { ColumnGroups } from "@/components/manage-groups/table";
 import { DataTable } from "@/components/ui/table";
 import { ProviderProps, Role, SearchParamsProps } from "@/types";
 
-export const AccountGroupsContent = async ({
+export const ProviderGroupsContent = async ({
   searchParams,
 }: {
   searchParams: SearchParamsProps;
@@ -57,10 +57,10 @@ export const AccountGroupsContent = async ({
         ) : (
           <div className="flex flex-col">
             <h1 className="mb-2 text-xl font-medium">
-              Create a new account group
+              Create a new provider group
             </h1>
             <p className="text-text-neutral-tertiary mb-5 text-sm">
-              Create a new account group to manage the providers and roles.
+              Create a new provider group to manage the providers and roles.
             </p>
             <AddGroupForm providers={providersList} roles={rolesList} />
           </div>
@@ -127,9 +127,9 @@ const EditGroupSection = ({
 
   return (
     <div className="flex flex-col">
-      <h1 className="mb-2 text-xl font-medium">Edit account group</h1>
+      <h1 className="mb-2 text-xl font-medium">Edit provider group</h1>
       <p className="text-text-neutral-tertiary mb-5 text-sm">
-        Edit the account group to manage the providers and roles.
+        Edit the provider group to manage the providers and roles.
       </p>
       <EditGroupForm
         providerGroupId={providerGroupId}
diff --git a/ui/app/(prowler)/providers/provider-page-tabs.shared.ts b/ui/app/(prowler)/providers/provider-page-tabs.shared.ts
index 25136ba49e..fb53ddfa5b 100644
--- a/ui/app/(prowler)/providers/provider-page-tabs.shared.ts
+++ b/ui/app/(prowler)/providers/provider-page-tabs.shared.ts
@@ -1,6 +1,6 @@
 const PROVIDER_TAB = {
-  ACCOUNTS: "accounts",
-  ACCOUNT_GROUPS: "account-groups",
+  PROVIDERS: "providers",
+  PROVIDER_GROUPS: "provider-groups",
 } as const;
 
 type ProviderTab = (typeof PROVIDER_TAB)[keyof typeof PROVIDER_TAB];
@@ -11,10 +11,10 @@ function isProviderTab(value: string): value is ProviderTab {
 
 function getProviderTab(value: string | string[] | undefined): ProviderTab {
   if (typeof value !== "string") {
-    return PROVIDER_TAB.ACCOUNTS;
+    return PROVIDER_TAB.PROVIDERS;
   }
 
-  return isProviderTab(value) ? value : PROVIDER_TAB.ACCOUNTS;
+  return isProviderTab(value) ? value : PROVIDER_TAB.PROVIDERS;
 }
 
 export type { ProviderTab };
diff --git a/ui/app/(prowler)/providers/provider-page-tabs.test.tsx b/ui/app/(prowler)/providers/provider-page-tabs.test.tsx
index 0707218a87..8abc2eb48c 100644
--- a/ui/app/(prowler)/providers/provider-page-tabs.test.tsx
+++ b/ui/app/(prowler)/providers/provider-page-tabs.test.tsx
@@ -20,42 +20,41 @@ describe("ProviderPageTabs", () => {
     pushMock.mockClear();
   });
 
-  it("falls back to accounts when tab search params are invalid", () => {
-    expect(getProviderTab(undefined)).toBe(PROVIDER_TAB.ACCOUNTS);
-    expect(getProviderTab(["account-groups"])).toBe(PROVIDER_TAB.ACCOUNTS);
-    expect(getProviderTab("invalid-tab")).toBe(PROVIDER_TAB.ACCOUNTS);
-    expect(getProviderTab(PROVIDER_TAB.ACCOUNT_GROUPS)).toBe(
-      PROVIDER_TAB.ACCOUNT_GROUPS,
+  it("falls back to providers when tab search params are invalid", () => {
+    expect(getProviderTab(undefined)).toBe(PROVIDER_TAB.PROVIDERS);
+    expect(getProviderTab(["provider-groups"])).toBe(PROVIDER_TAB.PROVIDERS);
+    expect(getProviderTab("invalid-tab")).toBe(PROVIDER_TAB.PROVIDERS);
+    expect(getProviderTab(PROVIDER_TAB.PROVIDER_GROUPS)).toBe(
+      PROVIDER_TAB.PROVIDER_GROUPS,
     );
   });
 
-  it("shows the accounts tab when the route changes back to accounts", () => {
+  it("shows the providers tab when the route changes back to providers", () => {
     const { rerender } = render(
       <ProviderPageTabs
-        activeTab={PROVIDER_TAB.ACCOUNT_GROUPS}
-        accountsContent={<div>Accounts content</div>}
-        accountGroupsContent={<div>Account groups content</div>}
+        activeTab={PROVIDER_TAB.PROVIDER_GROUPS}
+        providersContent={<div>Providers content</div>}
+        providerGroupsContent={<div>Provider groups content</div>}
       />,
     );
 
-    expect(screen.getByRole("tab", { name: "Account Groups" })).toHaveAttribute(
-      "data-state",
-      "active",
-    );
+    expect(
+      screen.getByRole("tab", { name: "Provider Groups" }),
+    ).toHaveAttribute("data-state", "active");
 
     rerender(
       <ProviderPageTabs
-        activeTab={PROVIDER_TAB.ACCOUNTS}
-        accountsContent={<div>Accounts content</div>}
-        accountGroupsContent={<div>Account groups content</div>}
+        activeTab={PROVIDER_TAB.PROVIDERS}
+        providersContent={<div>Providers content</div>}
+        providerGroupsContent={<div>Provider groups content</div>}
       />,
     );
 
-    expect(screen.getByRole("tab", { name: "Accounts" })).toHaveAttribute(
+    expect(screen.getByRole("tab", { name: "Providers" })).toHaveAttribute(
       "data-state",
       "active",
     );
-    expect(screen.getByText("Accounts content")).toBeVisible();
+    expect(screen.getByText("Providers content")).toBeVisible();
   });
 
   it("does not switch the active tab before navigation updates the route", async () => {
@@ -63,21 +62,21 @@ describe("ProviderPageTabs", () => {
 
     render(
       <ProviderPageTabs
-        activeTab={PROVIDER_TAB.ACCOUNTS}
-        accountsContent={<div>Accounts content</div>}
-        accountGroupsContent={<div>Account groups content</div>}
+        activeTab={PROVIDER_TAB.PROVIDERS}
+        providersContent={<div>Providers content</div>}
+        providerGroupsContent={<div>Provider groups content</div>}
       />,
     );
 
-    await user.click(screen.getByRole("tab", { name: "Account Groups" }));
+    await user.click(screen.getByRole("tab", { name: "Provider Groups" }));
 
-    expect(pushMock).toHaveBeenCalledWith("/providers?tab=account-groups");
-    expect(screen.getByRole("tab", { name: "Accounts" })).toHaveAttribute(
+    expect(pushMock).toHaveBeenCalledWith("/providers?tab=provider-groups");
+    expect(screen.getByRole("tab", { name: "Providers" })).toHaveAttribute(
       "data-state",
       "active",
     );
     expect(
-      screen.getByRole("tab", { name: "Account Groups" }),
+      screen.getByRole("tab", { name: "Provider Groups" }),
     ).not.toHaveAttribute("data-state", "active");
   });
 });
diff --git a/ui/app/(prowler)/providers/provider-page-tabs.tsx b/ui/app/(prowler)/providers/provider-page-tabs.tsx
index 437c8b6da0..61934fbdf0 100644
--- a/ui/app/(prowler)/providers/provider-page-tabs.tsx
+++ b/ui/app/(prowler)/providers/provider-page-tabs.tsx
@@ -9,14 +9,14 @@ import { PROVIDER_TAB, type ProviderTab } from "./provider-page-tabs.shared";
 
 interface ProviderPageTabsProps {
   activeTab: ProviderTab;
-  accountsContent: ReactNode;
-  accountGroupsContent: ReactNode;
+  providersContent: ReactNode;
+  providerGroupsContent: ReactNode;
 }
 
 export const ProviderPageTabs = ({
   activeTab,
-  accountsContent,
-  accountGroupsContent,
+  providersContent,
+  providerGroupsContent,
 }: ProviderPageTabsProps) => {
   const router = useRouter();
 
@@ -27,7 +27,7 @@ export const ProviderPageTabs = ({
       return;
     }
 
-    if (typedTab === PROVIDER_TAB.ACCOUNTS) {
+    if (typedTab === PROVIDER_TAB.PROVIDERS) {
       router.push("/providers");
     } else {
       router.push(`/providers?tab=${typedTab}`);
@@ -41,18 +41,18 @@ export const ProviderPageTabs = ({
       className="flex w-full flex-col gap-6"
     >
       <TabsList>
-        <TabsTrigger value={PROVIDER_TAB.ACCOUNTS}>Accounts</TabsTrigger>
-        <TabsTrigger value={PROVIDER_TAB.ACCOUNT_GROUPS}>
-          Account Groups
+        <TabsTrigger value={PROVIDER_TAB.PROVIDERS}>Providers</TabsTrigger>
+        <TabsTrigger value={PROVIDER_TAB.PROVIDER_GROUPS}>
+          Provider Groups
         </TabsTrigger>
       </TabsList>
 
-      <TabsContent value={PROVIDER_TAB.ACCOUNTS} className="mt-0">
-        {accountsContent}
+      <TabsContent value={PROVIDER_TAB.PROVIDERS} className="mt-0">
+        {providersContent}
       </TabsContent>
 
-      <TabsContent value={PROVIDER_TAB.ACCOUNT_GROUPS} className="mt-0">
-        {accountGroupsContent}
+      <TabsContent value={PROVIDER_TAB.PROVIDER_GROUPS} className="mt-0">
+        {providerGroupsContent}
       </TabsContent>
     </Tabs>
   );
diff --git a/ui/components/compliance/compliance-card.test.tsx b/ui/components/compliance/compliance-card.test.tsx
index c7a199a7fc..996c8cb979 100644
--- a/ui/components/compliance/compliance-card.test.tsx
+++ b/ui/components/compliance/compliance-card.test.tsx
@@ -13,9 +13,9 @@ describe("ComplianceCard", () => {
     expect(source).toContain('variant="base"');
   });
 
-  it("uses a responsive stacked layout for narrow screens", () => {
+  it("uses a single-column stacked layout", () => {
     expect(source).toContain("flex-col");
-    expect(source).toContain("sm:flex-row");
+    expect(source).not.toContain("sm:flex-row");
   });
 
   it("uses the shadcn progress component instead of Hero UI", () => {
diff --git a/ui/components/filters/data-filters.ts b/ui/components/filters/data-filters.ts
index 0baf89a3df..2457b1a8b2 100644
--- a/ui/components/filters/data-filters.ts
+++ b/ui/components/filters/data-filters.ts
@@ -24,7 +24,7 @@ export const filterProviders: FilterOption[] = [
   },
   {
     key: "provider__in",
-    labelCheckboxGroup: "Cloud Provider",
+    labelCheckboxGroup: "Provider",
     values: [...PROVIDER_TYPES],
     valueLabelMapping: PROVIDER_TYPE_MAPPING,
   },
@@ -34,7 +34,7 @@ export const filterProviders: FilterOption[] = [
 export const filterScans = [
   {
     key: "provider_type__in",
-    labelCheckboxGroup: "Cloud Provider",
+    labelCheckboxGroup: "Provider",
     values: [...PROVIDER_TYPES],
     valueLabelMapping: PROVIDER_TYPE_MAPPING,
     index: 0,
diff --git a/ui/components/findings/table/column-standalone-findings.tsx b/ui/components/findings/table/column-standalone-findings.tsx
index 59e30ea6a3..0f457140f1 100644
--- a/ui/components/findings/table/column-standalone-findings.tsx
+++ b/ui/components/findings/table/column-standalone-findings.tsx
@@ -169,7 +169,7 @@ export function getStandaloneFindingColumns({
     {
       accessorKey: "provider",
       header: ({ column }) => (
-        <DataTableColumnHeader column={column} title="Cloud Provider" />
+        <DataTableColumnHeader column={column} title="Provider" />
       ),
       cell: ({ row }) => {
         const provider = getProviderData(row, "provider");
diff --git a/ui/components/manage-groups/forms/delete-group-form.tsx b/ui/components/manage-groups/forms/delete-group-form.tsx
index 7f79817440..0504178cb7 100644
--- a/ui/components/manage-groups/forms/delete-group-form.tsx
+++ b/ui/components/manage-groups/forms/delete-group-form.tsx
@@ -48,7 +48,7 @@ export const DeleteGroupForm = ({
         title: "Success!",
         description: "The provider group was removed successfully.",
       });
-      router.push("/providers?tab=account-groups");
+      router.push("/providers?tab=provider-groups");
     }
     setIsOpen(false); // Close the modal on success
   }
diff --git a/ui/components/manage-groups/forms/edit-group-form.tsx b/ui/components/manage-groups/forms/edit-group-form.tsx
index 907e372b0e..02503940f1 100644
--- a/ui/components/manage-groups/forms/edit-group-form.tsx
+++ b/ui/components/manage-groups/forms/edit-group-form.tsx
@@ -130,7 +130,7 @@ export const EditGroupForm = ({
           title: "Success!",
           description: "The group was updated successfully.",
         });
-        router.push("/providers?tab=account-groups");
+        router.push("/providers?tab=provider-groups");
       }
     } catch (_error) {
       toast({
@@ -263,7 +263,7 @@ export const EditGroupForm = ({
             type="button"
             variant="ghost"
             onClick={() => {
-              router.push("/providers?tab=account-groups");
+              router.push("/providers?tab=provider-groups");
             }}
             disabled={isLoading}
           >
diff --git a/ui/components/manage-groups/manage-groups-button.tsx b/ui/components/manage-groups/manage-groups-button.tsx
index 3b08f5d8eb..48dc1d42c1 100644
--- a/ui/components/manage-groups/manage-groups-button.tsx
+++ b/ui/components/manage-groups/manage-groups-button.tsx
@@ -10,7 +10,7 @@ export const ManageGroupsButton = () => {
     <Button asChild variant="outline">
       <Link href="/manage-groups">
         <SettingsIcon size={20} />
-        Account Groups
+        Provider Groups
       </Link>
     </Button>
   );
diff --git a/ui/components/manage-groups/table/data-table-row-actions.tsx b/ui/components/manage-groups/table/data-table-row-actions.tsx
index 6787897450..e05a16c807 100644
--- a/ui/components/manage-groups/table/data-table-row-actions.tsx
+++ b/ui/components/manage-groups/table/data-table-row-actions.tsx
@@ -41,15 +41,15 @@ export function DataTableRowActions<ProviderProps>({
         <ActionDropdown>
           <ActionDropdownItem
             icon={<Pencil />}
-            label="Edit Account Group"
+            label="Edit Provider Group"
             onSelect={() =>
-              router.push(`/providers?tab=account-groups&groupId=${groupId}`)
+              router.push(`/providers?tab=provider-groups&groupId=${groupId}`)
             }
           />
           <ActionDropdownDangerZone>
             <ActionDropdownItem
               icon={<Trash2 />}
-              label="Delete Account Group"
+              label="Delete Provider Group"
               destructive
               onSelect={() => setIsDeleteOpen(true)}
             />
diff --git a/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx b/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx
index df5017712e..76c7851d30 100644
--- a/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx
+++ b/ui/components/overview/new-findings-table/table/skeleton-table-new-findings.tsx
@@ -85,7 +85,7 @@ export const SkeletonTableNewFindings = () => {
             <th className="px-3 py-3 text-left">
               <Skeleton className="h-4 w-16 rounded" />
             </th>
-            {/* Cloud Provider */}
+            {/* Provider */}
             <th className="px-3 py-3 text-left">
               <Skeleton className="h-4 w-24 rounded" />
             </th>
diff --git a/ui/components/providers/table/column-providers.tsx b/ui/components/providers/table/column-providers.tsx
index 1203234a31..ec5766f491 100644
--- a/ui/components/providers/table/column-providers.tsx
+++ b/ui/components/providers/table/column-providers.tsx
@@ -140,7 +140,7 @@ export function getColumnProviders(
           <div className="ml-2">
             <DataTableColumnHeader
               column={column}
-              title="Account"
+              title="Provider"
               param="alias"
             />
           </div>
@@ -200,7 +200,7 @@ export function getColumnProviders(
       accessorKey: "groupNames",
       size: 160,
       header: ({ column }) => (
-        <DataTableColumnHeader column={column} title="Account Groups" />
+        <DataTableColumnHeader column={column} title="Provider Groups" />
       ),
       cell: ({ row }) => {
         if (isProvidersOrganizationRow(row.original)) {
@@ -251,7 +251,7 @@ export function getColumnProviders(
         if (isProvidersOrganizationRow(row.original)) {
           return (
             <span className="text-text-neutral-tertiary text-sm">
-              {row.original.providerCount} Accounts
+              {row.original.providerCount} Providers
             </span>
           );
         }
diff --git a/ui/components/providers/table/skeleton-table-provider.tsx b/ui/components/providers/table/skeleton-table-provider.tsx
index 7d57112291..1fe557b808 100644
--- a/ui/components/providers/table/skeleton-table-provider.tsx
+++ b/ui/components/providers/table/skeleton-table-provider.tsx
@@ -3,7 +3,7 @@ import { Skeleton } from "@/components/shadcn/skeleton/skeleton";
 const SkeletonTableRow = () => {
   return (
     <tr className="border-border-neutral-secondary border-b">
-      {/* Account: provider logo + alias + UID */}
+      {/* Provider: logo + alias + UID */}
       <td className="w-[420px] px-3 py-4">
         <div className="flex items-center gap-3">
           <Skeleton className="size-9 rounded-lg" />
@@ -13,7 +13,7 @@ const SkeletonTableRow = () => {
           </div>
         </div>
       </td>
-      {/* Account Groups: badge chips */}
+      {/* Provider Groups: badge chips */}
       <td className="px-3 py-4">
         <div className="flex items-center gap-1.5">
           <Skeleton className="h-6 w-14 rounded-md" />
@@ -68,11 +68,11 @@ export const SkeletonTableProviders = () => {
       <table className="w-full">
         <thead>
           <tr className="border-border-neutral-secondary border-b">
-            {/* Account */}
+            {/* Provider */}
             <th className="w-[420px] px-3 py-3 text-left">
               <Skeleton className="h-4 w-16 rounded" />
             </th>
-            {/* Account Groups */}
+            {/* Provider Groups */}
             <th className="px-3 py-3 text-left">
               <Skeleton className="h-4 w-24 rounded" />
             </th>
diff --git a/ui/components/providers/wizard/provider-wizard-modal.tsx b/ui/components/providers/wizard/provider-wizard-modal.tsx
index 706045a829..d731ca5786 100644
--- a/ui/components/providers/wizard/provider-wizard-modal.tsx
+++ b/ui/components/providers/wizard/provider-wizard-modal.tsx
@@ -93,7 +93,7 @@ export function ProviderWizardModal({
         </DialogTitle>
         <div className="text-muted-foreground flex flex-wrap items-center gap-2 text-sm">
           <Info className="size-4 shrink-0" />
-          <span>For assistance connecting a Cloud Provider visit</span>
+          <span>For assistance connecting a Provider visit</span>
           <Button variant="link" size="link-sm" className="h-auto p-0" asChild>
             <a href={docsLink} target="_blank" rel="noopener noreferrer">
               <ExternalLink className="size-3.5 shrink-0" />
diff --git a/ui/components/providers/wizard/provider-wizard-modal.utils.test.ts b/ui/components/providers/wizard/provider-wizard-modal.utils.test.ts
index b96fbc8a1f..099dfa73c3 100644
--- a/ui/components/providers/wizard/provider-wizard-modal.utils.test.ts
+++ b/ui/components/providers/wizard/provider-wizard-modal.utils.test.ts
@@ -42,7 +42,7 @@ describe("getProviderWizardModalTitle", () => {
   it("returns add title for add mode", () => {
     const title = getProviderWizardModalTitle(PROVIDER_WIZARD_MODE.ADD);
 
-    expect(title).toBe("Adding A Cloud Provider");
+    expect(title).toBe("Adding A Provider");
   });
 
   it("returns update title for update mode", () => {
diff --git a/ui/components/providers/wizard/provider-wizard-modal.utils.ts b/ui/components/providers/wizard/provider-wizard-modal.utils.ts
index be1c7985eb..2e43c8c964 100644
--- a/ui/components/providers/wizard/provider-wizard-modal.utils.ts
+++ b/ui/components/providers/wizard/provider-wizard-modal.utils.ts
@@ -25,7 +25,7 @@ export function getProviderWizardModalTitle(mode: ProviderWizardMode) {
     return "Update Provider Credentials";
   }
 
-  return "Adding A Cloud Provider";
+  return "Adding A Provider";
 }
 
 export function getProviderWizardDocsDestination(docsLink: string) {
@@ -44,7 +44,7 @@ export function getProviderWizardDocsDestination(docsLink: string) {
     alibabacloud: "Alibaba Cloud",
     cloudflare: "Cloudflare",
     openstack: "OpenStack",
-    help: "Cloud Provider",
+    help: "Provider",
   };
 
   try {
diff --git a/ui/components/providers/wizard/wizard-stepper.tsx b/ui/components/providers/wizard/wizard-stepper.tsx
index 6dfacea82a..4d86680977 100644
--- a/ui/components/providers/wizard/wizard-stepper.tsx
+++ b/ui/components/providers/wizard/wizard-stepper.tsx
@@ -21,7 +21,7 @@ interface WizardStepperProps {
 
 const STEPS: StepConfig[] = [
   {
-    label: "Link a Cloud Provider",
+    label: "Link a Provider",
     description: "Enter the provider details you would like to add in Prowler.",
     icon: FolderGit2,
   },
diff --git a/ui/components/resources/table/column-resources.tsx b/ui/components/resources/table/column-resources.tsx
index a3dedd6564..4fb32da3de 100644
--- a/ui/components/resources/table/column-resources.tsx
+++ b/ui/components/resources/table/column-resources.tsx
@@ -92,7 +92,7 @@ export function getColumnResources({
     {
       accessorKey: "provider",
       header: ({ column }) => (
-        <DataTableColumnHeader column={column} title="Cloud Provider" />
+        <DataTableColumnHeader column={column} title="Provider" />
       ),
       cell: ({ row }) => {
         const provider = getProviderData(row, "provider");
diff --git a/ui/components/scans/launch-workflow/select-scan-provider.tsx b/ui/components/scans/launch-workflow/select-scan-provider.tsx
index a817565a50..999c65bea4 100644
--- a/ui/components/scans/launch-workflow/select-scan-provider.tsx
+++ b/ui/components/scans/launch-workflow/select-scan-provider.tsx
@@ -47,12 +47,12 @@ export const SelectScanProvider = <
         return (
           <div className="flex flex-col gap-2">
             <span className="text-text-neutral-primary text-sm font-medium">
-              Select a cloud provider to launch a scan
+              Select a provider to launch a scan
             </span>
             <FormControl>
               <Select value={field.value} onValueChange={field.onChange}>
                 <SelectTrigger>
-                  <SelectValue placeholder="Choose a cloud provider">
+                  <SelectValue placeholder="Choose a provider">
                     {selectedItem ? (
                       <EntityInfo
                         cloudProvider={
@@ -67,7 +67,7 @@ export const SelectScanProvider = <
                         showCopyAction={false}
                       />
                     ) : (
-                      "Choose a cloud provider"
+                      "Choose a provider"
                     )}
                   </SelectValue>
                 </SelectTrigger>
diff --git a/ui/components/scans/no-providers-added.tsx b/ui/components/scans/no-providers-added.tsx
index da9d8bf318..b5f7e08766 100644
--- a/ui/components/scans/no-providers-added.tsx
+++ b/ui/components/scans/no-providers-added.tsx
@@ -18,18 +18,18 @@ export const NoProvidersAdded = () => {
             <div className="flex flex-col items-center gap-4">
               <InfoIcon className="h-10 w-10 text-gray-800 dark:text-white" />
               <h2 className="text-2xl font-bold text-gray-800 dark:text-white">
-                No Cloud Providers Configured
+                No Providers Configured
               </h2>
             </div>
             <div className="flex flex-col items-center gap-3">
               <p className="text-md leading-relaxed text-gray-600 dark:text-gray-300">
-                No cloud providers have been configured. Start by setting up a
-                cloud provider.
+                No providers have been configured. Start by setting up a
+                provider.
               </p>
             </div>
 
             <Button
-              aria-label="Open Add Cloud Provider modal"
+              aria-label="Open Add Provider modal"
               className="w-full max-w-xs justify-center"
               size="lg"
               onClick={() => setOpen(true)}
diff --git a/ui/components/scans/no-providers-connected.tsx b/ui/components/scans/no-providers-connected.tsx
index 2aa4734af1..d2cd428987 100644
--- a/ui/components/scans/no-providers-connected.tsx
+++ b/ui/components/scans/no-providers-connected.tsx
@@ -14,15 +14,15 @@ export const NoProvidersConnected = () => {
           <div className="flex items-center justify-start gap-3">
             <InfoIcon className="h-6 w-6 text-gray-800 dark:text-white" />
             <h2 className="text-lg font-bold text-gray-800 dark:text-white">
-              No Connected Cloud Providers
+              No Connected Providers
             </h2>
           </div>
           <p className="text-sm text-gray-600 dark:text-gray-300">
-            No cloud providers are currently connected. Connecting a cloud
-            provider is required to launch on-demand scans.
+            No providers are currently connected. Connecting a provider is
+            required to launch on-demand scans.
           </p>
           <p className="text-sm text-gray-600 dark:text-gray-300">
-            Once the cloud providers are correctly configured, this message will
+            Once the providers are correctly configured, this message will
             disappear, and on-demand scans can be launched.
           </p>
         </div>
@@ -30,9 +30,9 @@ export const NoProvidersConnected = () => {
           <Button
             asChild
             className="w-full justify-center md:w-fit"
-            aria-label="Go to Cloud providers page"
+            aria-label="Go to Providers page"
           >
-            <Link href="/providers">Review Cloud Providers</Link>
+            <Link href="/providers">Review Providers</Link>
           </Button>
         </div>
       </CardContent>
diff --git a/ui/components/scans/table/scans/column-get-scans.tsx b/ui/components/scans/table/scans/column-get-scans.tsx
index e9a073ac1c..bacb1894f2 100644
--- a/ui/components/scans/table/scans/column-get-scans.tsx
+++ b/ui/components/scans/table/scans/column-get-scans.tsx
@@ -75,7 +75,7 @@ export const ColumnGetScans: ColumnDef<ScanProps>[] = [
   {
     accessorKey: "cloudProvider",
     header: ({ column }) => (
-      <DataTableColumnHeader column={column} title="Cloud Provider" />
+      <DataTableColumnHeader column={column} title="Provider" />
     ),
     cell: ({ row }) => {
       const providerInfo = row.original.providerInfo;
diff --git a/ui/lib/helper.ts b/ui/lib/helper.ts
index c41d5c132a..d88d418585 100644
--- a/ui/lib/helper.ts
+++ b/ui/lib/helper.ts
@@ -385,9 +385,8 @@ export const permissionFormFields: PermissionInfo[] = [
   },
   {
     field: "manage_providers",
-    label: "Manage Cloud Providers",
-    description:
-      "Allows configuration and management of cloud provider connections",
+    label: "Manage Providers",
+    description: "Allows configuration and management of provider connections",
   },
   {
     field: "manage_integrations",
diff --git a/ui/lib/menu-list.ts b/ui/lib/menu-list.ts
index 4de7429fec..9cd709a502 100644
--- a/ui/lib/menu-list.ts
+++ b/ui/lib/menu-list.ts
@@ -107,7 +107,7 @@ export const getMenuList = ({ pathname }: MenuListOptions): GroupProps[] => {
           label: "Configuration",
           icon: Settings,
           submenus: [
-            { href: "/providers", label: "Cloud Providers", icon: CloudCog },
+            { href: "/providers", label: "Providers", icon: CloudCog },
             {
               href: "/mutelist",
               label: "Mutelist",
diff --git a/ui/tests/providers/providers-page.ts b/ui/tests/providers/providers-page.ts
index b8a5d28e91..a5833768b3 100644
--- a/ui/tests/providers/providers-page.ts
+++ b/ui/tests/providers/providers-page.ts
@@ -232,7 +232,7 @@ export class ProvidersPage extends BasePage {
   // Alias input
   readonly aliasInput: Locator;
 
-  // Button to add a new cloud provider
+  // Button to add a new provider
   readonly addProviderButton: Locator;
   readonly providersTable: Locator;
 
@@ -333,15 +333,15 @@ export class ProvidersPage extends BasePage {
       .getByRole("dialog")
       .filter({
         has: page.getByRole("heading", {
-          name: /Adding A Cloud Provider|Update Provider Credentials/i,
+          name: /Adding A Provider|Update Provider Credentials/i,
         }),
       })
       .first();
     this.wizardTitle = page.getByRole("heading", {
-      name: /Adding A Cloud Provider|Update Provider Credentials/i,
+      name: /Adding A Provider|Update Provider Credentials/i,
     });
 
-    // Button to add a new cloud provider
+    // Button to add a new provider
     this.addProviderButton = page
       .getByRole("button", {
         name: "Add Provider",
@@ -357,7 +357,7 @@ export class ProvidersPage extends BasePage {
     // Table displaying existing providers
     this.providersTable = page.getByRole("table");
 
-    // Option buttons to select the type of cloud provider (listbox with options)
+    // Option buttons to select the type of provider (listbox with options)
     this.awsProviderRadio = page.getByRole("option", {
       name: /Amazon Web Services/i,
     });
diff --git a/ui/tests/scans/scans-page.ts b/ui/tests/scans/scans-page.ts
index 1d968bafa7..a161ea89ae 100644
--- a/ui/tests/scans/scans-page.ts
+++ b/ui/tests/scans/scans-page.ts
@@ -20,7 +20,7 @@ export class ScansPage extends BasePage {
     super(page);
 
     // Scan provider selection elements
-    this.scanProviderSelect = page.getByRole('combobox').filter({ hasText: 'Choose a cloud provider' })
+    this.scanProviderSelect = page.getByRole('combobox').filter({ hasText: 'Choose a provider' })
     this.scanAliasInput = page.getByRole("textbox", { name: "Scan label (optional)" });
     this.startNowButton = page.getByRole("button", { name: /Start now|Start scan now/i });
 
@@ -107,7 +107,7 @@ export class ScansPage extends BasePage {
     // Scan Table exists
     await expect(this.scanTable).toBeVisible();
 
-    // Find a row that contains the account ID (provider UID in Cloud Provider column)
+    // Find a row that contains the account ID (provider UID in Provider column)
     // Note: Use a more specific locator strategy if possible in the future
     const rowWithAccountId = this.scanTable
       .locator("tbody tr")
diff --git a/ui/tests/setups/manage-cloud-providers.auth.setup.ts b/ui/tests/setups/manage-cloud-providers.auth.setup.ts
index 3ddaeeca70..96578f276c 100644
--- a/ui/tests/setups/manage-cloud-providers.auth.setup.ts
+++ b/ui/tests/setups/manage-cloud-providers.auth.setup.ts
@@ -3,7 +3,7 @@ import { SignInPage } from '../sign-in-base/sign-in-base-page';
 
 const manageCloudProvidersUserFile = 'playwright/.auth/manage_cloud_providers_user.json';
 
-authManageCloudProvidersSetup('authenticate as manage cloud providers e2e user',  async ({ page }) => {
+authManageCloudProvidersSetup('authenticate as manage providers e2e user',  async ({ page }) => {
   const cloudProvidersEmail = process.env.E2E_MANAGE_CLOUD_PROVIDERS_USER;
   const cloudProvidersPassword = process.env.E2E_MANAGE_CLOUD_PROVIDERS_PASSWORD;
     

From 369d6cecc120d8c336e7b1eef89eca6ccc1dad91 Mon Sep 17 00:00:00 2001
From: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
Date: Tue, 5 May 2026 15:04:44 +0100
Subject: [PATCH 23/29] fix: patch CVE-2026-39892 and CVE-2026-33186 across
 SDK, API and MCP images (#10978)

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
---
 Dockerfile              |   2 +-
 api/CHANGELOG.md        |   4 ++
 api/Dockerfile          |   2 +-
 api/poetry.lock         | 114 ++++++++++++++++++++--------------------
 api/pyproject.toml      |   2 +-
 mcp_server/CHANGELOG.md |   8 +++
 mcp_server/uv.lock      |  91 ++++++++++++++++----------------
 poetry.lock             | 106 ++++++++++++++++++-------------------
 prowler/CHANGELOG.md    |   1 +
 pyproject.toml          |   2 +-
 10 files changed, 171 insertions(+), 161 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 49fbc5356e..ca2fee8903 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 
-ARG TRIVY_VERSION=0.69.2
+ARG TRIVY_VERSION=0.70.0
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
 ARG ZIZMOR_VERSION=1.24.1
diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
index c03906d7e8..e9fb0f0770 100644
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -8,6 +8,10 @@ All notable changes to the **Prowler API** are documented in this file.
 
 - `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929)
 
+### 🔐 Security
+
+- `trivy` binary from 0.69.2 to 0.70.0 and `cryptography` from 46.0.6 to 46.0.7 (transitive via prowler SDK) in the API image for CVE-2026-33186 and CVE-2026-39892 [(#10978)](https://github.com/prowler-cloud/prowler/pull/10978)
+
 ---
 
 ## [1.26.1] (Prowler v5.25.1)
diff --git a/api/Dockerfile b/api/Dockerfile
index 6f8385934d..55b14dcf16 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -5,7 +5,7 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 
-ARG TRIVY_VERSION=0.69.2
+ARG TRIVY_VERSION=0.70.0
 ENV TRIVY_VERSION=${TRIVY_VERSION}
 
 ARG ZIZMOR_VERSION=1.24.1
diff --git a/api/poetry.lock b/api/poetry.lock
index f93e0d21e6..584c977a2d 100644
--- a/api/poetry.lock
+++ b/api/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.4 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand.
 
 [[package]]
 name = "about-time"
@@ -2504,61 +2504,61 @@ dev = ["bandit", "coverage", "flake8", "pydocstyle", "pylint", "pytest", "pytest
 
 [[package]]
 name = "cryptography"
-version = "46.0.6"
+version = "46.0.7"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 optional = false
 python-versions = "!=3.9.0,!=3.9.1,>=3.8"
 groups = ["main", "dev"]
 files = [
-    {file = "cryptography-46.0.6-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738"},
-    {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c"},
-    {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f"},
-    {file = "cryptography-46.0.6-cp311-abi3-win32.whl", hash = "sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2"},
-    {file = "cryptography-46.0.6-cp311-abi3-win_amd64.whl", hash = "sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124"},
-    {file = "cryptography-46.0.6-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:2ef9e69886cbb137c2aef9772c2e7138dc581fad4fcbcf13cc181eb5a3ab6275"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7f417f034f91dcec1cb6c5c35b07cdbb2ef262557f701b4ecd803ee8cefed4f4"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:d24c13369e856b94892a89ddf70b332e0b70ad4a5c43cf3e9cb71d6d7ffa1f7b"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:aad75154a7ac9039936d50cf431719a2f8d4ed3d3c277ac03f3339ded1a5e707"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:3c21d92ed15e9cfc6eb64c1f5a0326db22ca9c2566ca46d845119b45b4400361"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:4668298aef7cddeaf5c6ecc244c2302a2b8e40f384255505c22875eebb47888b"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:8ce35b77aaf02f3b59c90b2c8a05c73bac12cea5b4e8f3fbece1f5fddea5f0ca"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:c89eb37fae9216985d8734c1afd172ba4927f5a05cfd9bf0e4863c6d5465b013"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:ed418c37d095aeddf5336898a132fba01091f0ac5844e3e8018506f014b6d2c4"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:69cf0056d6947edc6e6760e5f17afe4bea06b56a9ac8a06de9d2bd6b532d4f3a"},
-    {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:8e7304c4f4e9490e11efe56af6713983460ee0780f16c63f219984dab3af9d2d"},
-    {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:b928a3ca837c77a10e81a814a693f2295200adb3352395fad024559b7be7a736"},
-    {file = "cryptography-46.0.6-cp314-cp314t-win32.whl", hash = "sha256:97c8115b27e19e592a05c45d0dd89c57f81f841cc9880e353e0d3bf25b2139ed"},
-    {file = "cryptography-46.0.6-cp314-cp314t-win_amd64.whl", hash = "sha256:c797e2517cb7880f8297e2c0f43bb910e91381339336f75d2c1c2cbf811b70b4"},
-    {file = "cryptography-46.0.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58"},
-    {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb"},
-    {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72"},
-    {file = "cryptography-46.0.6-cp38-abi3-win32.whl", hash = "sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c"},
-    {file = "cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:2ea0f37e9a9cf0df2952893ad145fd9627d326a59daec9b0802480fa3bcd2ead"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:a3e84d5ec9ba01f8fd03802b2147ba77f0c8f2617b2aff254cedd551844209c8"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:12f0fa16cc247b13c43d56d7b35287ff1569b5b1f4c5e87e92cc4fcc00cd10c0"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:50575a76e2951fe7dbd1f56d181f8c5ceeeb075e9ff88e7ad997d2f42af06e7b"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:90e5f0a7b3be5f40c3a0a0eafb32c681d8d2c181fc2a1bdabe9b3f611d9f6b1a"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6728c49e3b2c180ef26f8e9f0a883a2c585638db64cf265b49c9ba10652d430e"},
-    {file = "cryptography-46.0.6.tar.gz", hash = "sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759"},
+    {file = "cryptography-46.0.7-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:ea42cbe97209df307fdc3b155f1b6fa2577c0defa8f1f7d3be7d31d189108ad4"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b36a4695e29fe69215d75960b22577197aca3f7a25b9cf9d165dcfe9d80bc325"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:73510b83623e080a2c35c62c15298096e2a5dc8d51c3b4e1740211839d0dea77"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cbd5fb06b62bd0721e1170273d3f4d5a277044c47ca27ee257025146c34cbdd1"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:420b1e4109cc95f0e5700eed79908cef9268265c773d3a66f7af1eef53d409ef"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:24402210aa54baae71d99441d15bb5a1919c195398a87b563df84468160a65de"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:8a469028a86f12eb7d2fe97162d0634026d92a21f3ae0ac87ed1c4a447886c83"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9694078c5d44c157ef3162e3bf3946510b857df5a3955458381d1c7cfc143ddb"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:42a1e5f98abb6391717978baf9f90dc28a743b7d9be7f0751a6f56a75d14065b"},
+    {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:91bbcb08347344f810cbe49065914fe048949648f6bd5c2519f34619142bbe85"},
+    {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5d1c02a14ceb9148cc7816249f64f623fbfee39e8c03b3650d842ad3f34d637e"},
+    {file = "cryptography-46.0.7-cp311-abi3-win32.whl", hash = "sha256:d23c8ca48e44ee015cd0a54aeccdf9f09004eba9fc96f38c911011d9ff1bd457"},
+    {file = "cryptography-46.0.7-cp311-abi3-win_amd64.whl", hash = "sha256:397655da831414d165029da9bc483bed2fe0e75dde6a1523ec2fe63f3c46046b"},
+    {file = "cryptography-46.0.7-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:d151173275e1728cf7839aaa80c34fe550c04ddb27b34f48c232193df8db5842"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:db0f493b9181c7820c8134437eb8b0b4792085d37dbb24da050476ccb664e59c"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ebd6daf519b9f189f85c479427bbd6e9c9037862cf8fe89ee35503bd209ed902"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:b7b412817be92117ec5ed95f880defe9cf18a832e8cafacf0a22337dc1981b4d"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:fbfd0e5f273877695cb93baf14b185f4878128b250cc9f8e617ea0c025dfb022"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:ffca7aa1d00cf7d6469b988c581598f2259e46215e0140af408966a24cf086ce"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:60627cf07e0d9274338521205899337c5d18249db56865f943cbe753aa96f40f"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:80406c3065e2c55d7f49a9550fe0c49b3f12e5bfff5dedb727e319e1afb9bf99"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:c5b1ccd1239f48b7151a65bc6dd54bcfcc15e028c8ac126d3fada09db0e07ef1"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:d5f7520159cd9c2154eb61eb67548ca05c5774d39e9c2c4339fd793fe7d097b2"},
+    {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:fcd8eac50d9138c1d7fc53a653ba60a2bee81a505f9f8850b6b2888555a45d0e"},
+    {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:65814c60f8cc400c63131584e3e1fad01235edba2614b61fbfbfa954082db0ee"},
+    {file = "cryptography-46.0.7-cp314-cp314t-win32.whl", hash = "sha256:fdd1736fed309b4300346f88f74cd120c27c56852c3838cab416e7a166f67298"},
+    {file = "cryptography-46.0.7-cp314-cp314t-win_amd64.whl", hash = "sha256:e06acf3c99be55aa3b516397fe42f5855597f430add9c17fa46bf2e0fb34c9bb"},
+    {file = "cryptography-46.0.7-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:462ad5cb1c148a22b2e3bcc5ad52504dff325d17daf5df8d88c17dda1f75f2a4"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:84d4cced91f0f159a7ddacad249cc077e63195c36aac40b4150e7a57e84fffe7"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:128c5edfe5e5938b86b03941e94fac9ee793a94452ad1365c9fc3f4f62216832"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5e51be372b26ef4ba3de3c167cd3d1022934bc838ae9eaad7e644986d2a3d163"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cdf1a610ef82abb396451862739e3fc93b071c844399e15b90726ef7470eeaf2"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1d25aee46d0c6f1a501adcddb2d2fee4b979381346a78558ed13e50aa8a59067"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:cdfbe22376065ffcf8be74dc9a909f032df19bc58a699456a21712d6e5eabfd0"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:abad9dac36cbf55de6eb49badd4016806b3165d396f64925bf2999bcb67837ba"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:935ce7e3cfdb53e3536119a542b839bb94ec1ad081013e9ab9b7cfd478b05006"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:35719dc79d4730d30f1c2b6474bd6acda36ae2dfae1e3c16f2051f215df33ce0"},
+    {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7bbc6ccf49d05ac8f7d7b5e2e2c33830d4fe2061def88210a126d130d7f71a85"},
+    {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a1529d614f44b863a7b480c6d000fe93b59acee9c82ffa027cfadc77521a9f5e"},
+    {file = "cryptography-46.0.7-cp38-abi3-win32.whl", hash = "sha256:f247c8c1a1fb45e12586afbb436ef21ff1e80670b2861a90353d9b025583d246"},
+    {file = "cryptography-46.0.7-cp38-abi3-win_amd64.whl", hash = "sha256:506c4ff91eff4f82bdac7633318a526b1d1309fc07ca76a3ad182cb5b686d6d3"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:fc9ab8856ae6cf7c9358430e49b368f3108f050031442eaeb6b9d87e4dcf4e4f"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d3b99c535a9de0adced13d159c5a9cf65c325601aa30f4be08afd680643e9c15"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:d02c738dacda7dc2a74d1b2b3177042009d5cab7c7079db74afc19e56ca1b455"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:04959522f938493042d595a736e7dbdff6eb6cc2339c11465b3ff89343b65f65"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:3986ac1dee6def53797289999eabe84798ad7817f3e97779b5061a95b0ee4968"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:258514877e15963bd43b558917bc9f54cf7cf866c38aa576ebf47a77ddbc43a4"},
+    {file = "cryptography-46.0.7.tar.gz", hash = "sha256:e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5"},
 ]
 
 [package.dependencies]
@@ -2571,7 +2571,7 @@ nox = ["nox[uv] (>=2024.4.15)"]
 pep8test = ["check-sdist", "click (>=8.0.1)", "mypy (>=1.14)", "ruff (>=0.11.11)"]
 sdist = ["build (>=1.0.0)"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["certifi (>=2024)", "cryptography-vectors (==46.0.6)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
+test = ["certifi (>=2024)", "cryptography-vectors (==46.0.7)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
 test-randomorder = ["pytest-randomly"]
 
 [[package]]
@@ -6665,7 +6665,7 @@ files = [
 
 [[package]]
 name = "prowler"
-version = "5.25.0"
+version = "5.26.0"
 description = "Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks."
 optional = false
 python-versions = ">=3.10,<3.13"
@@ -6720,7 +6720,7 @@ boto3 = "1.40.61"
 botocore = "1.40.61"
 cloudflare = "4.3.1"
 colorama = "0.4.6"
-cryptography = "46.0.6"
+cryptography = "46.0.7"
 dash = "3.1.1"
 dash-bootstrap-components = "2.0.3"
 defusedxml = "0.7.1"
@@ -6754,8 +6754,8 @@ uuid6 = "2024.7.10"
 [package.source]
 type = "git"
 url = "https://github.com/prowler-cloud/prowler.git"
-reference = "master"
-resolved_reference = "ca29e354b622198ff6a70e2ea5eb04e4a44a0903"
+reference = "eb1b4190ab2d9c265b46c9ede0298b81bdcf35a8"
+resolved_reference = "eb1b4190ab2d9c265b46c9ede0298b81bdcf35a8"
 
 [[package]]
 name = "psutil"
@@ -9424,4 +9424,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.11,<3.13"
-content-hash = "a3ab982d11a87d951ff15694d2ca7fd51f1f51a451abb0baa067ccf6966367a8"
+content-hash = "df8a20081fe91c40d071e508dbe19590c8b7ffb5dcc61e71cf30ed016bad5a34"
diff --git a/api/pyproject.toml b/api/pyproject.toml
index 838a30fdf7..a634831549 100644
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -25,7 +25,7 @@ dependencies = [
   "defusedxml==0.7.1",
   "gunicorn==23.0.0",
   "lxml==5.3.2",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@eb1b4190ab2d9c265b46c9ede0298b81bdcf35a8",
   "psycopg2-binary==2.9.9",
   "pytest-celery[redis] (==1.3.0)",
   "sentry-sdk[django] (==2.56.0)",
diff --git a/mcp_server/CHANGELOG.md b/mcp_server/CHANGELOG.md
index 64ea033f0e..b0a1d70565 100644
--- a/mcp_server/CHANGELOG.md
+++ b/mcp_server/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All notable changes to the **Prowler MCP Server** are documented in this file.
 
+## [0.7.0] (Prowler UNRELEASED)
+
+### 🔐 Security
+
+- `cryptography` from 46.0.1 to 47.0.0 (transitive) for CVE-2026-39892 and CVE-2026-26007 / CVE-2026-34073 [(#10978)](https://github.com/prowler-cloud/prowler/pull/10978)
+
+---
+
 ## [0.6.0] (Prowler v5.23.0)
 
 ### 🚀 Added
diff --git a/mcp_server/uv.lock b/mcp_server/uv.lock
index 5daf74c94a..0c49cdb89a 100644
--- a/mcp_server/uv.lock
+++ b/mcp_server/uv.lock
@@ -204,58 +204,55 @@ wheels = [
 
 [[package]]
 name = "cryptography"
-version = "46.0.1"
+version = "47.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "cffi", marker = "platform_python_implementation != 'PyPy'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a9/62/e3664e6ffd7743e1694b244dde70b43a394f6f7fbcacf7014a8ff5197c73/cryptography-46.0.1.tar.gz", hash = "sha256:ed570874e88f213437f5cf758f9ef26cbfc3f336d889b1e592ee11283bb8d1c7", size = 749198, upload-time = "2025-09-17T00:10:35.797Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ef/b2/7ffa7fe8207a8c42147ffe70c3e360b228160c1d85dc3faff16aaa3244c0/cryptography-47.0.0.tar.gz", hash = "sha256:9f8e55fe4e63613a5e1cc5819030f27b97742d720203a087802ce4ce9ceb52bb", size = 830863, upload-time = "2026-04-24T19:54:57.056Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/4c/8c/44ee01267ec01e26e43ebfdae3f120ec2312aa72fa4c0507ebe41a26739f/cryptography-46.0.1-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:1cd6d50c1a8b79af1a6f703709d8973845f677c8e97b1268f5ff323d38ce8475", size = 7285044, upload-time = "2025-09-17T00:08:36.807Z" },
-    { url = "https://files.pythonhosted.org/packages/22/59/9ae689a25047e0601adfcb159ec4f83c0b4149fdb5c3030cc94cd218141d/cryptography-46.0.1-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:0ff483716be32690c14636e54a1f6e2e1b7bf8e22ca50b989f88fa1b2d287080", size = 4308182, upload-time = "2025-09-17T00:08:39.388Z" },
-    { url = "https://files.pythonhosted.org/packages/c4/ee/ca6cc9df7118f2fcd142c76b1da0f14340d77518c05b1ebfbbabca6b9e7d/cryptography-46.0.1-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9873bf7c1f2a6330bdfe8621e7ce64b725784f9f0c3a6a55c3047af5849f920e", size = 4572393, upload-time = "2025-09-17T00:08:41.663Z" },
-    { url = "https://files.pythonhosted.org/packages/7f/a3/0f5296f63815d8e985922b05c31f77ce44787b3127a67c0b7f70f115c45f/cryptography-46.0.1-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:0dfb7c88d4462a0cfdd0d87a3c245a7bc3feb59de101f6ff88194f740f72eda6", size = 4308400, upload-time = "2025-09-17T00:08:43.559Z" },
-    { url = "https://files.pythonhosted.org/packages/5d/8c/74fcda3e4e01be1d32775d5b4dd841acaac3c1b8fa4d0774c7ac8d52463d/cryptography-46.0.1-cp311-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:e22801b61613ebdebf7deb18b507919e107547a1d39a3b57f5f855032dd7cfb8", size = 4015786, upload-time = "2025-09-17T00:08:45.758Z" },
-    { url = "https://files.pythonhosted.org/packages/dc/b8/85d23287baeef273b0834481a3dd55bbed3a53587e3b8d9f0898235b8f91/cryptography-46.0.1-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:757af4f6341ce7a1e47c326ca2a81f41d236070217e5fbbad61bbfe299d55d28", size = 4982606, upload-time = "2025-09-17T00:08:47.602Z" },
-    { url = "https://files.pythonhosted.org/packages/e5/d3/de61ad5b52433b389afca0bc70f02a7a1f074651221f599ce368da0fe437/cryptography-46.0.1-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f7a24ea78de345cfa7f6a8d3bde8b242c7fac27f2bd78fa23474ca38dfaeeab9", size = 4604234, upload-time = "2025-09-17T00:08:49.879Z" },
-    { url = "https://files.pythonhosted.org/packages/dc/1f/dbd4d6570d84748439237a7478d124ee0134bf166ad129267b7ed8ea6d22/cryptography-46.0.1-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:9e8776dac9e660c22241b6587fae51a67b4b0147daa4d176b172c3ff768ad736", size = 4307669, upload-time = "2025-09-17T00:08:52.321Z" },
-    { url = "https://files.pythonhosted.org/packages/ec/fd/ca0a14ce7f0bfe92fa727aacaf2217eb25eb7e4ed513b14d8e03b26e63ed/cryptography-46.0.1-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9f40642a140c0c8649987027867242b801486865277cbabc8c6059ddef16dc8b", size = 4947579, upload-time = "2025-09-17T00:08:54.697Z" },
-    { url = "https://files.pythonhosted.org/packages/89/6b/09c30543bb93401f6f88fce556b3bdbb21e55ae14912c04b7bf355f5f96c/cryptography-46.0.1-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:449ef2b321bec7d97ef2c944173275ebdab78f3abdd005400cc409e27cd159ab", size = 4603669, upload-time = "2025-09-17T00:08:57.16Z" },
-    { url = "https://files.pythonhosted.org/packages/23/9a/38cb01cb09ce0adceda9fc627c9cf98eb890fc8d50cacbe79b011df20f8a/cryptography-46.0.1-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2dd339ba3345b908fa3141ddba4025568fa6fd398eabce3ef72a29ac2d73ad75", size = 4435828, upload-time = "2025-09-17T00:08:59.606Z" },
-    { url = "https://files.pythonhosted.org/packages/0f/53/435b5c36a78d06ae0bef96d666209b0ecd8f8181bfe4dda46536705df59e/cryptography-46.0.1-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:7411c910fb2a412053cf33cfad0153ee20d27e256c6c3f14d7d7d1d9fec59fd5", size = 4709553, upload-time = "2025-09-17T00:09:01.832Z" },
-    { url = "https://files.pythonhosted.org/packages/f5/c4/0da6e55595d9b9cd3b6eb5dc22f3a07ded7f116a3ea72629cab595abb804/cryptography-46.0.1-cp311-abi3-win32.whl", hash = "sha256:cbb8e769d4cac884bb28e3ff620ef1001b75588a5c83c9c9f1fdc9afbe7f29b0", size = 3058327, upload-time = "2025-09-17T00:09:03.726Z" },
-    { url = "https://files.pythonhosted.org/packages/95/0f/cd29a35e0d6e78a0ee61793564c8cff0929c38391cb0de27627bdc7525aa/cryptography-46.0.1-cp311-abi3-win_amd64.whl", hash = "sha256:92e8cfe8bd7dd86eac0a677499894862cd5cc2fd74de917daa881d00871ac8e7", size = 3523893, upload-time = "2025-09-17T00:09:06.272Z" },
-    { url = "https://files.pythonhosted.org/packages/f2/dd/eea390f3e78432bc3d2f53952375f8b37cb4d37783e626faa6a51e751719/cryptography-46.0.1-cp311-abi3-win_arm64.whl", hash = "sha256:db5597a4c7353b2e5fb05a8e6cb74b56a4658a2b7bf3cb6b1821ae7e7fd6eaa0", size = 2932145, upload-time = "2025-09-17T00:09:08.568Z" },
-    { url = "https://files.pythonhosted.org/packages/0a/fb/c73588561afcd5e24b089952bd210b14676c0c5bf1213376350ae111945c/cryptography-46.0.1-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:4c49eda9a23019e11d32a0eb51a27b3e7ddedde91e099c0ac6373e3aacc0d2ee", size = 7193928, upload-time = "2025-09-17T00:09:10.595Z" },
-    { url = "https://files.pythonhosted.org/packages/26/34/0ff0bb2d2c79f25a2a63109f3b76b9108a906dd2a2eb5c1d460b9938adbb/cryptography-46.0.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:9babb7818fdd71394e576cf26c5452df77a355eac1a27ddfa24096665a27f8fd", size = 4293515, upload-time = "2025-09-17T00:09:12.861Z" },
-    { url = "https://files.pythonhosted.org/packages/df/b7/d4f848aee24ecd1be01db6c42c4a270069a4f02a105d9c57e143daf6cf0f/cryptography-46.0.1-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9f2c4cc63be3ef43c0221861177cee5d14b505cd4d4599a89e2cd273c4d3542a", size = 4545619, upload-time = "2025-09-17T00:09:15.397Z" },
-    { url = "https://files.pythonhosted.org/packages/44/a5/42fedefc754fd1901e2d95a69815ea4ec8a9eed31f4c4361fcab80288661/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:41c281a74df173876da1dc9a9b6953d387f06e3d3ed9284e3baae3ab3f40883a", size = 4299160, upload-time = "2025-09-17T00:09:17.155Z" },
-    { url = "https://files.pythonhosted.org/packages/86/a1/cd21174f56e769c831fbbd6399a1b7519b0ff6280acec1b826d7b072640c/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:0a17377fa52563d730248ba1f68185461fff36e8bc75d8787a7dd2e20a802b7a", size = 3994491, upload-time = "2025-09-17T00:09:18.971Z" },
-    { url = "https://files.pythonhosted.org/packages/8d/2f/a8cbfa1c029987ddc746fd966711d4fa71efc891d37fbe9f030fe5ab4eec/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:0d1922d9280e08cde90b518a10cd66831f632960a8d08cb3418922d83fce6f12", size = 4960157, upload-time = "2025-09-17T00:09:20.923Z" },
-    { url = "https://files.pythonhosted.org/packages/67/ae/63a84e6789e0d5a2502edf06b552bcb0fa9ff16147265d5c44a211942abe/cryptography-46.0.1-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:af84e8e99f1a82cea149e253014ea9dc89f75b82c87bb6c7242203186f465129", size = 4577263, upload-time = "2025-09-17T00:09:23.356Z" },
-    { url = "https://files.pythonhosted.org/packages/ef/8f/1b9fa8e92bd9cbcb3b7e1e593a5232f2c1e6f9bd72b919c1a6b37d315f92/cryptography-46.0.1-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:ef648d2c690703501714588b2ba640facd50fd16548133b11b2859e8655a69da", size = 4298703, upload-time = "2025-09-17T00:09:25.566Z" },
-    { url = "https://files.pythonhosted.org/packages/c3/af/bb95db070e73fea3fae31d8a69ac1463d89d1c084220f549b00dd01094a8/cryptography-46.0.1-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:e94eb5fa32a8a9f9bf991f424f002913e3dd7c699ef552db9b14ba6a76a6313b", size = 4926363, upload-time = "2025-09-17T00:09:27.451Z" },
-    { url = "https://files.pythonhosted.org/packages/f5/3b/d8fb17ffeb3a83157a1cc0aa5c60691d062aceecba09c2e5e77ebfc1870c/cryptography-46.0.1-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:534b96c0831855e29fc3b069b085fd185aa5353033631a585d5cd4dd5d40d657", size = 4576958, upload-time = "2025-09-17T00:09:29.924Z" },
-    { url = "https://files.pythonhosted.org/packages/d9/46/86bc3a05c10c8aa88c8ae7e953a8b4e407c57823ed201dbcba55c4d655f4/cryptography-46.0.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:f9b55038b5c6c47559aa33626d8ecd092f354e23de3c6975e4bb205df128a2a0", size = 4422507, upload-time = "2025-09-17T00:09:32.222Z" },
-    { url = "https://files.pythonhosted.org/packages/a8/4e/387e5a21dfd2b4198e74968a541cfd6128f66f8ec94ed971776e15091ac3/cryptography-46.0.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:ec13b7105117dbc9afd023300fb9954d72ca855c274fe563e72428ece10191c0", size = 4683964, upload-time = "2025-09-17T00:09:34.118Z" },
-    { url = "https://files.pythonhosted.org/packages/25/a3/f9f5907b166adb8f26762071474b38bbfcf89858a5282f032899075a38a1/cryptography-46.0.1-cp314-cp314t-win32.whl", hash = "sha256:504e464944f2c003a0785b81668fe23c06f3b037e9cb9f68a7c672246319f277", size = 3029705, upload-time = "2025-09-17T00:09:36.381Z" },
-    { url = "https://files.pythonhosted.org/packages/12/66/4d3a4f1850db2e71c2b1628d14b70b5e4c1684a1bd462f7fffb93c041c38/cryptography-46.0.1-cp314-cp314t-win_amd64.whl", hash = "sha256:c52fded6383f7e20eaf70a60aeddd796b3677c3ad2922c801be330db62778e05", size = 3502175, upload-time = "2025-09-17T00:09:38.261Z" },
-    { url = "https://files.pythonhosted.org/packages/52/c7/9f10ad91435ef7d0d99a0b93c4360bea3df18050ff5b9038c489c31ac2f5/cryptography-46.0.1-cp314-cp314t-win_arm64.whl", hash = "sha256:9495d78f52c804b5ec8878b5b8c7873aa8e63db9cd9ee387ff2db3fffe4df784", size = 2912354, upload-time = "2025-09-17T00:09:40.078Z" },
-    { url = "https://files.pythonhosted.org/packages/98/e5/fbd632385542a3311915976f88e0dfcf09e62a3fc0aff86fb6762162a24d/cryptography-46.0.1-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:d84c40bdb8674c29fa192373498b6cb1e84f882889d21a471b45d1f868d8d44b", size = 7255677, upload-time = "2025-09-17T00:09:42.407Z" },
-    { url = "https://files.pythonhosted.org/packages/56/3e/13ce6eab9ad6eba1b15a7bd476f005a4c1b3f299f4c2f32b22408b0edccf/cryptography-46.0.1-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:9ed64e5083fa806709e74fc5ea067dfef9090e5b7a2320a49be3c9df3583a2d8", size = 4301110, upload-time = "2025-09-17T00:09:45.614Z" },
-    { url = "https://files.pythonhosted.org/packages/a2/67/65dc233c1ddd688073cf7b136b06ff4b84bf517ba5529607c9d79720fc67/cryptography-46.0.1-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:341fb7a26bc9d6093c1b124b9f13acc283d2d51da440b98b55ab3f79f2522ead", size = 4562369, upload-time = "2025-09-17T00:09:47.601Z" },
-    { url = "https://files.pythonhosted.org/packages/17/db/d64ae4c6f4e98c3dac5bf35dd4d103f4c7c345703e43560113e5e8e31b2b/cryptography-46.0.1-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:6ef1488967e729948d424d09c94753d0167ce59afba8d0f6c07a22b629c557b2", size = 4302126, upload-time = "2025-09-17T00:09:49.335Z" },
-    { url = "https://files.pythonhosted.org/packages/3d/19/5f1eea17d4805ebdc2e685b7b02800c4f63f3dd46cfa8d4c18373fea46c8/cryptography-46.0.1-cp38-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:7823bc7cdf0b747ecfb096d004cc41573c2f5c7e3a29861603a2871b43d3ef32", size = 4009431, upload-time = "2025-09-17T00:09:51.239Z" },
-    { url = "https://files.pythonhosted.org/packages/81/b5/229ba6088fe7abccbfe4c5edb96c7a5ad547fac5fdd0d40aa6ea540b2985/cryptography-46.0.1-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:f736ab8036796f5a119ff8211deda416f8c15ce03776db704a7a4e17381cb2ef", size = 4980739, upload-time = "2025-09-17T00:09:54.181Z" },
-    { url = "https://files.pythonhosted.org/packages/3a/9c/50aa38907b201e74bc43c572f9603fa82b58e831bd13c245613a23cff736/cryptography-46.0.1-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:e46710a240a41d594953012213ea8ca398cd2448fbc5d0f1be8160b5511104a0", size = 4592289, upload-time = "2025-09-17T00:09:56.731Z" },
-    { url = "https://files.pythonhosted.org/packages/5a/33/229858f8a5bb22f82468bb285e9f4c44a31978d5f5830bb4ea1cf8a4e454/cryptography-46.0.1-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:84ef1f145de5aee82ea2447224dc23f065ff4cc5791bb3b506615957a6ba8128", size = 4301815, upload-time = "2025-09-17T00:09:58.548Z" },
-    { url = "https://files.pythonhosted.org/packages/52/cb/b76b2c87fbd6ed4a231884bea3ce073406ba8e2dae9defad910d33cbf408/cryptography-46.0.1-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9394c7d5a7565ac5f7d9ba38b2617448eba384d7b107b262d63890079fad77ca", size = 4943251, upload-time = "2025-09-17T00:10:00.475Z" },
-    { url = "https://files.pythonhosted.org/packages/94/0f/f66125ecf88e4cb5b8017ff43f3a87ede2d064cb54a1c5893f9da9d65093/cryptography-46.0.1-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:ed957044e368ed295257ae3d212b95456bd9756df490e1ac4538857f67531fcc", size = 4591247, upload-time = "2025-09-17T00:10:02.874Z" },
-    { url = "https://files.pythonhosted.org/packages/f6/22/9f3134ae436b63b463cfdf0ff506a0570da6873adb4bf8c19b8a5b4bac64/cryptography-46.0.1-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:f7de12fa0eee6234de9a9ce0ffcfa6ce97361db7a50b09b65c63ac58e5f22fc7", size = 4428534, upload-time = "2025-09-17T00:10:04.994Z" },
-    { url = "https://files.pythonhosted.org/packages/89/39/e6042bcb2638650b0005c752c38ea830cbfbcbb1830e4d64d530000aa8dc/cryptography-46.0.1-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:7fab1187b6c6b2f11a326f33b036f7168f5b996aedd0c059f9738915e4e8f53a", size = 4699541, upload-time = "2025-09-17T00:10:06.925Z" },
-    { url = "https://files.pythonhosted.org/packages/68/46/753d457492d15458c7b5a653fc9a84a1c9c7a83af6ebdc94c3fc373ca6e8/cryptography-46.0.1-cp38-abi3-win32.whl", hash = "sha256:45f790934ac1018adeba46a0f7289b2b8fe76ba774a88c7f1922213a56c98bc1", size = 3043779, upload-time = "2025-09-17T00:10:08.951Z" },
-    { url = "https://files.pythonhosted.org/packages/2f/50/b6f3b540c2f6ee712feeb5fa780bb11fad76634e71334718568e7695cb55/cryptography-46.0.1-cp38-abi3-win_amd64.whl", hash = "sha256:7176a5ab56fac98d706921f6416a05e5aff7df0e4b91516f450f8627cda22af3", size = 3517226, upload-time = "2025-09-17T00:10:10.769Z" },
-    { url = "https://files.pythonhosted.org/packages/ff/e8/77d17d00981cdd27cc493e81e1749a0b8bbfb843780dbd841e30d7f50743/cryptography-46.0.1-cp38-abi3-win_arm64.whl", hash = "sha256:efc9e51c3e595267ff84adf56e9b357db89ab2279d7e375ffcaf8f678606f3d9", size = 2923149, upload-time = "2025-09-17T00:10:13.236Z" },
+    { url = "https://files.pythonhosted.org/packages/a4/98/40dfe932134bdcae4f6ab5927c87488754bf9eb79297d7e0070b78dd58e9/cryptography-47.0.0-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:160ad728f128972d362e714054f6ba0067cab7fb350c5202a9ae8ae4ce3ef1a0", size = 7912214, upload-time = "2026-04-24T19:53:03.864Z" },
+    { url = "https://files.pythonhosted.org/packages/34/c6/2733531243fba725f58611b918056b277692f1033373dcc8bd01af1c05d4/cryptography-47.0.0-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b9a8943e359b7615db1a3ba587994618e094ff3d6fa5a390c73d079ce18b3973", size = 4644617, upload-time = "2026-04-24T19:53:06.909Z" },
+    { url = "https://files.pythonhosted.org/packages/00/e3/b27be1a670a9b87f855d211cf0e1174a5d721216b7616bd52d8581d912ed/cryptography-47.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:f5c15764f261394b22aef6b00252f5195f46f2ca300bec57149474e2538b31f8", size = 4668186, upload-time = "2026-04-24T19:53:09.053Z" },
+    { url = "https://files.pythonhosted.org/packages/81/b9/8443cfe5d17d482d348cee7048acf502bb89a51b6382f06240fd290d4ca3/cryptography-47.0.0-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:9c59ab0e0fa3a180a5a9c59f3a5abe3ef90d474bc56d7fadfbe80359491b615b", size = 4651244, upload-time = "2026-04-24T19:53:11.217Z" },
+    { url = "https://files.pythonhosted.org/packages/5d/5e/13ed0cdd0eb88ba159d6dd5ebfece8cb901dbcf1ae5ac4072e28b55d3153/cryptography-47.0.0-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:34b4358b925a5ea3e14384ca781a2c0ef7ac219b57bb9eacc4457078e2b19f92", size = 5252906, upload-time = "2026-04-24T19:53:13.532Z" },
+    { url = "https://files.pythonhosted.org/packages/64/16/ed058e1df0f33d440217cd120d41d5dda9dd215a80b8187f68483185af82/cryptography-47.0.0-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:0024b87d47ae2399165a6bfb20d24888881eeab83ae2566d62467c5ff0030ce7", size = 4701842, upload-time = "2026-04-24T19:53:15.618Z" },
+    { url = "https://files.pythonhosted.org/packages/02/e0/3d30986b30fdbd9e969abbdf8ba00ed0618615144341faeb57f395a084fe/cryptography-47.0.0-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:1e47422b5557bb82d3fff997e8d92cff4e28b9789576984f08c248d2b3535d93", size = 4289313, upload-time = "2026-04-24T19:53:17.755Z" },
+    { url = "https://files.pythonhosted.org/packages/df/fd/32db38e3ad0cb331f0691cb4c7a8a6f176f679124dee746b3af6633db4d9/cryptography-47.0.0-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:6f29f36582e6151d9686235e586dd35bb67491f024767d10b842e520dc6a07ac", size = 4650964, upload-time = "2026-04-24T19:53:20.062Z" },
+    { url = "https://files.pythonhosted.org/packages/86/53/5395d944dfd48cb1f67917f533c609c34347185ef15eb4308024c876f274/cryptography-47.0.0-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:a9b761f012a943b7de0e828843c5688d0de94a0578d44d6c85a1bae32f87791f", size = 5207817, upload-time = "2026-04-24T19:53:22.498Z" },
+    { url = "https://files.pythonhosted.org/packages/34/4f/e5711b28e1901f7d480a2b1b688b645aa4c77c73f10731ed17e7f7db3f0d/cryptography-47.0.0-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:4e1de79e047e25d6e9f8cea71c86b4a53aced64134f0f003bbcbf3655fd172c8", size = 4701544, upload-time = "2026-04-24T19:53:24.356Z" },
+    { url = "https://files.pythonhosted.org/packages/22/22/c8ddc25de3010fc8da447648f5a092c40e7a8fadf01dd6d255d9c0b9373d/cryptography-47.0.0-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:ef6b3634087f18d2155b1e8ce264e5345a753da2c5fa9815e7d41315c90f8318", size = 4783536, upload-time = "2026-04-24T19:53:26.665Z" },
+    { url = "https://files.pythonhosted.org/packages/66/b6/d4a68f4ea999c6d89e8498579cba1c5fcba4276284de7773b17e4fa69293/cryptography-47.0.0-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:11dbb9f50a0f1bb9757b3d8c27c1101780efb8f0bdecfb12439c22a74d64c001", size = 4926106, upload-time = "2026-04-24T19:53:28.686Z" },
+    { url = "https://files.pythonhosted.org/packages/54/ed/5f524db1fade9c013aa618e1c99c6ed05e8ffc9ceee6cda22fed22dda3f4/cryptography-47.0.0-cp311-abi3-win32.whl", hash = "sha256:7fda2f02c9015db3f42bb8a22324a454516ed10a8c29ca6ece6cdbb5efe2a203", size = 3258581, upload-time = "2026-04-24T19:53:31.058Z" },
+    { url = "https://files.pythonhosted.org/packages/b2/dc/1b901990b174786569029f67542b3edf72ac068b6c3c8683c17e6a2f5363/cryptography-47.0.0-cp311-abi3-win_amd64.whl", hash = "sha256:f5c3296dab66202f1b18a91fa266be93d6aa0c2806ea3d67762c69f60adc71aa", size = 3775309, upload-time = "2026-04-24T19:53:33.054Z" },
+    { url = "https://files.pythonhosted.org/packages/14/88/7aa18ad9c11bc87689affa5ce4368d884b517502d75739d475fc6f4a03c7/cryptography-47.0.0-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:be12cb6a204f77ed968bcefe68086eb061695b540a3dd05edac507a3111b25f0", size = 7904299, upload-time = "2026-04-24T19:53:35.003Z" },
+    { url = "https://files.pythonhosted.org/packages/07/55/c18f75724544872f234678fdedc871391722cb34a2aee19faa9f63100bb2/cryptography-47.0.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:2ebd84adf0728c039a3be2700289378e1c164afc6748df1a5ed456767bef9ba7", size = 4631180, upload-time = "2026-04-24T19:53:37.517Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/65/31a5cc0eaca99cec5bafffe155d407115d96136bb161e8b49e0ef73f09a7/cryptography-47.0.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7f68d6fbc7fbbcfb0939fea72c3b96a9f9a6edfc0e1b1d29778a2066030418b1", size = 4653529, upload-time = "2026-04-24T19:53:39.775Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/bc/641c0519a495f3bfd0421b48d7cd325c4336578523ccd76ea322b6c29c7a/cryptography-47.0.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:6651d32eff255423503aa276739da98c30f26c40cbeffcc6048e0d54ef704c0c", size = 4638570, upload-time = "2026-04-24T19:53:42.129Z" },
+    { url = "https://files.pythonhosted.org/packages/2b/f2/300327b0a47f6dc94dd8b71b57052aefe178bb51745073d73d80604f11ab/cryptography-47.0.0-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:3fb8fa48075fad7193f2e5496135c6a76ac4b2aa5a38433df0a539296b377829", size = 5238019, upload-time = "2026-04-24T19:53:44.577Z" },
+    { url = "https://files.pythonhosted.org/packages/e9/5a/5b5cf994391d4bf9d9c7efd4c66aabe4d95227256627f8fea6cff7dfadbd/cryptography-47.0.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:11438c7518132d95f354fa01a4aa2f806d172a061a7bed18cf18cbdacdb204d7", size = 4686832, upload-time = "2026-04-24T19:53:47.015Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/2c/ae950e28fd6475c852fc21a44db3e6b5bcc1261d1e370f2b6e42fa800fef/cryptography-47.0.0-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:8c1a736bbb3288005796c3f7ccb9453360d7fed483b13b9f468aea5171432923", size = 4269301, upload-time = "2026-04-24T19:53:48.97Z" },
+    { url = "https://files.pythonhosted.org/packages/67/fb/6a39782e150ffe5cc1b0018cb6ddc48bf7ca62b498d7539ffc8a758e977d/cryptography-47.0.0-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:f1557695e5c2b86e204f6ce9470497848634100787935ab7adc5397c54abd7ab", size = 4638110, upload-time = "2026-04-24T19:53:51.011Z" },
+    { url = "https://files.pythonhosted.org/packages/8e/d7/0b3c71090a76e5c203164a47688b697635ece006dcd2499ab3a4dbd3f0bd/cryptography-47.0.0-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:f9a034b642b960767fb343766ae5ba6ad653f2e890ddd82955aef288ffea8736", size = 5194988, upload-time = "2026-04-24T19:53:52.962Z" },
+    { url = "https://files.pythonhosted.org/packages/63/33/63a961498a9df51721ab578c5a2622661411fc520e00bd83b0cc64eb20c4/cryptography-47.0.0-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:b1c76fca783aa7698eb21eb14f9c4aa09452248ee54a627d125025a43f83e7a7", size = 4686563, upload-time = "2026-04-24T19:53:55.274Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/bf/5ee5b145248f92250de86145d1c1d6edebbd57a7fe7caa4dedb5d4cf06a1/cryptography-47.0.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:4f7722c97826770bab8ae92959a2e7b20a5e9e9bf4deae68fd86c3ca457bab52", size = 4770094, upload-time = "2026-04-24T19:53:57.753Z" },
+    { url = "https://files.pythonhosted.org/packages/92/43/21d220b2da5d517773894dacdcdb5c682c28d3fffce65548cb06e87d5501/cryptography-47.0.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:09f6d7bf6724f8db8b32f11eccf23efc8e759924bc5603800335cf8859a3ddbd", size = 4913811, upload-time = "2026-04-24T19:54:00.236Z" },
+    { url = "https://files.pythonhosted.org/packages/31/98/dc4ad376ac5f1a1a7d4a83f7b0c6f2bcad36b5d2d8f30aeb482d3a7d9582/cryptography-47.0.0-cp314-cp314t-win32.whl", hash = "sha256:6eebcaf0df1d21ce1f90605c9b432dd2c4f4ab665ac29a40d5e3fc68f51b5e63", size = 3237158, upload-time = "2026-04-24T19:54:02.606Z" },
+    { url = "https://files.pythonhosted.org/packages/bc/da/97f62d18306b5133468bc3f8cc73a3111e8cdc8cf8d3e69474d6e5fd2d1b/cryptography-47.0.0-cp314-cp314t-win_amd64.whl", hash = "sha256:51c9313e90bd1690ec5a75ed047c27c0b8e6c570029712943d6116ef9a90620b", size = 3758706, upload-time = "2026-04-24T19:54:04.433Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/34/a4fae8ae7c3bc227460c9ae43f56abf1b911da0ec29e0ebac53bb0a4b6b7/cryptography-47.0.0-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:14432c8a9bcb37009784f9594a62fae211a2ae9543e96c92b2a8e4c3cd5cd0c4", size = 7904072, upload-time = "2026-04-24T19:54:06.411Z" },
+    { url = "https://files.pythonhosted.org/packages/01/64/d7b1e54fdb69f22d24a64bb3e88dc718b31c7fb10ef0b9691a3cf7eeea6e/cryptography-47.0.0-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:07efe86201817e7d3c18781ca9770bc0db04e1e48c994be384e4602bc38f8f27", size = 4635767, upload-time = "2026-04-24T19:54:08.519Z" },
+    { url = "https://files.pythonhosted.org/packages/8b/7b/cca826391fb2a94efdcdfe4631eb69306ee1cff0b22f664a412c90713877/cryptography-47.0.0-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:2b45761c6ec22b7c726d6a829558777e32d0f1c8be7c3f3480f9c912d5ee8a10", size = 4654350, upload-time = "2026-04-24T19:54:10.795Z" },
+    { url = "https://files.pythonhosted.org/packages/4c/65/4b57bcc823f42a991627c51c2f68c9fd6eb1393c1756aac876cba2accae2/cryptography-47.0.0-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:edd4da498015da5b9f26d38d3bfc2e90257bfa9cbed1f6767c282a0025ae649b", size = 4643394, upload-time = "2026-04-24T19:54:13.275Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/c4/2c5fbeea70adbbca2bbae865e1d605d6a4a7f8dbd9d33eaf69645087f06c/cryptography-47.0.0-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:9af828c0d5a65c70ec729cd7495a4bf1a67ecb66417b8f02ff125ab8a6326a74", size = 5225777, upload-time = "2026-04-24T19:54:15.18Z" },
+    { url = "https://files.pythonhosted.org/packages/7e/b8/ac57107ef32749d2b244e36069bb688792a363aaaa3acc9e3cf84c130315/cryptography-47.0.0-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:256d07c78a04d6b276f5df935a9923275f53bd1522f214447fdf365494e2d515", size = 4688771, upload-time = "2026-04-24T19:54:17.835Z" },
+    { url = "https://files.pythonhosted.org/packages/56/fc/9f1de22ff8be99d991f240a46863c52d475404c408886c5a38d2b5c3bb26/cryptography-47.0.0-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:5d0e362ff51041b0c0d219cc7d6924d7b8996f57ce5712bdcef71eb3c65a59cc", size = 4270753, upload-time = "2026-04-24T19:54:19.963Z" },
+    { url = "https://files.pythonhosted.org/packages/00/68/d70c852797aa68e8e48d12e5a87170c43f67bb4a59403627259dd57d15de/cryptography-47.0.0-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:1581aef4219f7ca2849d0250edaa3866212fb74bf5667284f46aa92f9e65c1ca", size = 4642911, upload-time = "2026-04-24T19:54:21.818Z" },
+    { url = "https://files.pythonhosted.org/packages/a5/51/661cbee74f594c5d97ff82d34f10d5551c085ca4668645f4606ebd22bd5d/cryptography-47.0.0-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:a49a3eb5341b9503fa3000a9a0db033161db90d47285291f53c2a9d2cd1b7f76", size = 5181411, upload-time = "2026-04-24T19:54:24.376Z" },
+    { url = "https://files.pythonhosted.org/packages/94/87/f2b6c374a82cf076cfa1416992ac8e8ec94d79facc37aec87c1a5cb72352/cryptography-47.0.0-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:2207a498b03275d0051589e326b79d4cf59985c99031b05bb292ac52631c37fe", size = 4688262, upload-time = "2026-04-24T19:54:26.946Z" },
+    { url = "https://files.pythonhosted.org/packages/14/e2/8b7462f4acf21ec509616f0245018bb197194ab0b65c2ea21a0bdd53c0eb/cryptography-47.0.0-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7a02675e2fabd0c0fc04c868b8781863cbf1967691543c22f5470500ff840b31", size = 4775506, upload-time = "2026-04-24T19:54:28.926Z" },
+    { url = "https://files.pythonhosted.org/packages/70/75/158e494e4c08dc05e039da5bb48553826bd26c23930cf8d3cd5f21fa8921/cryptography-47.0.0-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:80887c5cbd1774683cb126f0ab4184567f080071d5acf62205acb354b4b753b7", size = 4912060, upload-time = "2026-04-24T19:54:30.869Z" },
+    { url = "https://files.pythonhosted.org/packages/06/bd/0a9d3edbf5eadbac926d7b9b3cd0c4be584eeeae4a003d24d9eda4affbbd/cryptography-47.0.0-cp38-abi3-win32.whl", hash = "sha256:ed67ea4e0cfb5faa5bc7ecb6e2b8838f3807a03758eec239d6c21c8769355310", size = 3248487, upload-time = "2026-04-24T19:54:33.494Z" },
+    { url = "https://files.pythonhosted.org/packages/60/80/5681af756d0da3a599b7bdb586fac5a1540f1bcefd2717a20e611ddade45/cryptography-47.0.0-cp38-abi3-win_amd64.whl", hash = "sha256:835d2d7f47cdc53b3224e90810fb1d36ca94ea29cc1801fb4c1bc43876735769", size = 3755737, upload-time = "2026-04-24T19:54:35.408Z" },
 ]
 
 [[package]]
diff --git a/poetry.lock b/poetry.lock
index 06941386e5..601f9035a4 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.4 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand.
 
 [[package]]
 name = "about-time"
@@ -2029,61 +2029,61 @@ toml = ["tomli ; python_full_version <= \"3.11.0a6\""]
 
 [[package]]
 name = "cryptography"
-version = "46.0.6"
+version = "46.0.7"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 optional = false
 python-versions = "!=3.9.0,!=3.9.1,>=3.8"
 groups = ["main", "dev"]
 files = [
-    {file = "cryptography-46.0.6-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19"},
-    {file = "cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738"},
-    {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c"},
-    {file = "cryptography-46.0.6-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f"},
-    {file = "cryptography-46.0.6-cp311-abi3-win32.whl", hash = "sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2"},
-    {file = "cryptography-46.0.6-cp311-abi3-win_amd64.whl", hash = "sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124"},
-    {file = "cryptography-46.0.6-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:2ef9e69886cbb137c2aef9772c2e7138dc581fad4fcbcf13cc181eb5a3ab6275"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7f417f034f91dcec1cb6c5c35b07cdbb2ef262557f701b4ecd803ee8cefed4f4"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:d24c13369e856b94892a89ddf70b332e0b70ad4a5c43cf3e9cb71d6d7ffa1f7b"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:aad75154a7ac9039936d50cf431719a2f8d4ed3d3c277ac03f3339ded1a5e707"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:3c21d92ed15e9cfc6eb64c1f5a0326db22ca9c2566ca46d845119b45b4400361"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:4668298aef7cddeaf5c6ecc244c2302a2b8e40f384255505c22875eebb47888b"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:8ce35b77aaf02f3b59c90b2c8a05c73bac12cea5b4e8f3fbece1f5fddea5f0ca"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:c89eb37fae9216985d8734c1afd172ba4927f5a05cfd9bf0e4863c6d5465b013"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:ed418c37d095aeddf5336898a132fba01091f0ac5844e3e8018506f014b6d2c4"},
-    {file = "cryptography-46.0.6-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:69cf0056d6947edc6e6760e5f17afe4bea06b56a9ac8a06de9d2bd6b532d4f3a"},
-    {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:8e7304c4f4e9490e11efe56af6713983460ee0780f16c63f219984dab3af9d2d"},
-    {file = "cryptography-46.0.6-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:b928a3ca837c77a10e81a814a693f2295200adb3352395fad024559b7be7a736"},
-    {file = "cryptography-46.0.6-cp314-cp314t-win32.whl", hash = "sha256:97c8115b27e19e592a05c45d0dd89c57f81f841cc9880e353e0d3bf25b2139ed"},
-    {file = "cryptography-46.0.6-cp314-cp314t-win_amd64.whl", hash = "sha256:c797e2517cb7880f8297e2c0f43bb910e91381339336f75d2c1c2cbf811b70b4"},
-    {file = "cryptography-46.0.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa"},
-    {file = "cryptography-46.0.6-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58"},
-    {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb"},
-    {file = "cryptography-46.0.6-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72"},
-    {file = "cryptography-46.0.6-cp38-abi3-win32.whl", hash = "sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c"},
-    {file = "cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:2ea0f37e9a9cf0df2952893ad145fd9627d326a59daec9b0802480fa3bcd2ead"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:a3e84d5ec9ba01f8fd03802b2147ba77f0c8f2617b2aff254cedd551844209c8"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:12f0fa16cc247b13c43d56d7b35287ff1569b5b1f4c5e87e92cc4fcc00cd10c0"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:50575a76e2951fe7dbd1f56d181f8c5ceeeb075e9ff88e7ad997d2f42af06e7b"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:90e5f0a7b3be5f40c3a0a0eafb32c681d8d2c181fc2a1bdabe9b3f611d9f6b1a"},
-    {file = "cryptography-46.0.6-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6728c49e3b2c180ef26f8e9f0a883a2c585638db64cf265b49c9ba10652d430e"},
-    {file = "cryptography-46.0.6.tar.gz", hash = "sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759"},
+    {file = "cryptography-46.0.7-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:ea42cbe97209df307fdc3b155f1b6fa2577c0defa8f1f7d3be7d31d189108ad4"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b36a4695e29fe69215d75960b22577197aca3f7a25b9cf9d165dcfe9d80bc325"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:73510b83623e080a2c35c62c15298096e2a5dc8d51c3b4e1740211839d0dea77"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cbd5fb06b62bd0721e1170273d3f4d5a277044c47ca27ee257025146c34cbdd1"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:420b1e4109cc95f0e5700eed79908cef9268265c773d3a66f7af1eef53d409ef"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:24402210aa54baae71d99441d15bb5a1919c195398a87b563df84468160a65de"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:8a469028a86f12eb7d2fe97162d0634026d92a21f3ae0ac87ed1c4a447886c83"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9694078c5d44c157ef3162e3bf3946510b857df5a3955458381d1c7cfc143ddb"},
+    {file = "cryptography-46.0.7-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:42a1e5f98abb6391717978baf9f90dc28a743b7d9be7f0751a6f56a75d14065b"},
+    {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:91bbcb08347344f810cbe49065914fe048949648f6bd5c2519f34619142bbe85"},
+    {file = "cryptography-46.0.7-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5d1c02a14ceb9148cc7816249f64f623fbfee39e8c03b3650d842ad3f34d637e"},
+    {file = "cryptography-46.0.7-cp311-abi3-win32.whl", hash = "sha256:d23c8ca48e44ee015cd0a54aeccdf9f09004eba9fc96f38c911011d9ff1bd457"},
+    {file = "cryptography-46.0.7-cp311-abi3-win_amd64.whl", hash = "sha256:397655da831414d165029da9bc483bed2fe0e75dde6a1523ec2fe63f3c46046b"},
+    {file = "cryptography-46.0.7-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:d151173275e1728cf7839aaa80c34fe550c04ddb27b34f48c232193df8db5842"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:db0f493b9181c7820c8134437eb8b0b4792085d37dbb24da050476ccb664e59c"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ebd6daf519b9f189f85c479427bbd6e9c9037862cf8fe89ee35503bd209ed902"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:b7b412817be92117ec5ed95f880defe9cf18a832e8cafacf0a22337dc1981b4d"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:fbfd0e5f273877695cb93baf14b185f4878128b250cc9f8e617ea0c025dfb022"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:ffca7aa1d00cf7d6469b988c581598f2259e46215e0140af408966a24cf086ce"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:60627cf07e0d9274338521205899337c5d18249db56865f943cbe753aa96f40f"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:80406c3065e2c55d7f49a9550fe0c49b3f12e5bfff5dedb727e319e1afb9bf99"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:c5b1ccd1239f48b7151a65bc6dd54bcfcc15e028c8ac126d3fada09db0e07ef1"},
+    {file = "cryptography-46.0.7-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:d5f7520159cd9c2154eb61eb67548ca05c5774d39e9c2c4339fd793fe7d097b2"},
+    {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:fcd8eac50d9138c1d7fc53a653ba60a2bee81a505f9f8850b6b2888555a45d0e"},
+    {file = "cryptography-46.0.7-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:65814c60f8cc400c63131584e3e1fad01235edba2614b61fbfbfa954082db0ee"},
+    {file = "cryptography-46.0.7-cp314-cp314t-win32.whl", hash = "sha256:fdd1736fed309b4300346f88f74cd120c27c56852c3838cab416e7a166f67298"},
+    {file = "cryptography-46.0.7-cp314-cp314t-win_amd64.whl", hash = "sha256:e06acf3c99be55aa3b516397fe42f5855597f430add9c17fa46bf2e0fb34c9bb"},
+    {file = "cryptography-46.0.7-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:462ad5cb1c148a22b2e3bcc5ad52504dff325d17daf5df8d88c17dda1f75f2a4"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:84d4cced91f0f159a7ddacad249cc077e63195c36aac40b4150e7a57e84fffe7"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:128c5edfe5e5938b86b03941e94fac9ee793a94452ad1365c9fc3f4f62216832"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5e51be372b26ef4ba3de3c167cd3d1022934bc838ae9eaad7e644986d2a3d163"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cdf1a610ef82abb396451862739e3fc93b071c844399e15b90726ef7470eeaf2"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1d25aee46d0c6f1a501adcddb2d2fee4b979381346a78558ed13e50aa8a59067"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:cdfbe22376065ffcf8be74dc9a909f032df19bc58a699456a21712d6e5eabfd0"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:abad9dac36cbf55de6eb49badd4016806b3165d396f64925bf2999bcb67837ba"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:935ce7e3cfdb53e3536119a542b839bb94ec1ad081013e9ab9b7cfd478b05006"},
+    {file = "cryptography-46.0.7-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:35719dc79d4730d30f1c2b6474bd6acda36ae2dfae1e3c16f2051f215df33ce0"},
+    {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7bbc6ccf49d05ac8f7d7b5e2e2c33830d4fe2061def88210a126d130d7f71a85"},
+    {file = "cryptography-46.0.7-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a1529d614f44b863a7b480c6d000fe93b59acee9c82ffa027cfadc77521a9f5e"},
+    {file = "cryptography-46.0.7-cp38-abi3-win32.whl", hash = "sha256:f247c8c1a1fb45e12586afbb436ef21ff1e80670b2861a90353d9b025583d246"},
+    {file = "cryptography-46.0.7-cp38-abi3-win_amd64.whl", hash = "sha256:506c4ff91eff4f82bdac7633318a526b1d1309fc07ca76a3ad182cb5b686d6d3"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:fc9ab8856ae6cf7c9358430e49b368f3108f050031442eaeb6b9d87e4dcf4e4f"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d3b99c535a9de0adced13d159c5a9cf65c325601aa30f4be08afd680643e9c15"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:d02c738dacda7dc2a74d1b2b3177042009d5cab7c7079db74afc19e56ca1b455"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:04959522f938493042d595a736e7dbdff6eb6cc2339c11465b3ff89343b65f65"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:3986ac1dee6def53797289999eabe84798ad7817f3e97779b5061a95b0ee4968"},
+    {file = "cryptography-46.0.7-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:258514877e15963bd43b558917bc9f54cf7cf866c38aa576ebf47a77ddbc43a4"},
+    {file = "cryptography-46.0.7.tar.gz", hash = "sha256:e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5"},
 ]
 
 [package.dependencies]
@@ -2097,7 +2097,7 @@ nox = ["nox[uv] (>=2024.4.15)"]
 pep8test = ["check-sdist", "click (>=8.0.1)", "mypy (>=1.14)", "ruff (>=0.11.11)"]
 sdist = ["build (>=1.0.0)"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["certifi (>=2024)", "cryptography-vectors (==46.0.6)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
+test = ["certifi (>=2024)", "cryptography-vectors (==46.0.7)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
 test-randomorder = ["pytest-randomly"]
 
 [[package]]
@@ -6735,4 +6735,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10,<3.13"
-content-hash = "09ce4507a464b318702ed8c6a738f3bb1bc4cc6ff5a50a9c2884f560af9ab034"
+content-hash = "d7e2ad41783a864bb845f63ccc10c88ae1e4ac36d61993ea106bbb4a5f58a843"
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 3945d1621a..f4af56d82d 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -28,6 +28,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🔐 Security
 
 - Parser-mismatch SSRF in image provider registry auth where crafted bearer-token realms and pagination links could force requests to internal addresses and leak credentials cross-origin [(#10945)](https://github.com/prowler-cloud/prowler/pull/10945)
+- `cryptography` from 46.0.6 to 46.0.7 and `trivy` binary from 0.69.2 to 0.70.0 in the SDK image for CVE-2026-39892 and CVE-2026-33186 [(#10978)](https://github.com/prowler-cloud/prowler/pull/10978)
 
 ---
 
diff --git a/pyproject.toml b/pyproject.toml
index 74660c9c30..e363b6b54d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -45,7 +45,7 @@ dependencies = [
   "boto3==1.40.61",
   "botocore==1.40.61",
   "colorama==0.4.6",
-  "cryptography==46.0.6",
+  "cryptography==46.0.7",
   "dash==3.1.1",
   "dash-bootstrap-components==2.0.3",
   "defusedxml==0.7.1",

From aa759ab6b7cf4b0c7dbcfb16f91212e46890e164 Mon Sep 17 00:00:00 2001
From: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Date: Tue, 5 May 2026 16:42:47 +0200
Subject: [PATCH 24/29] fix(attack-surface): restore ec2-imdsv1 category
 alignment (#10998)

---
 api/src/backend/tasks/jobs/scan.py                           | 5 +++--
 api/src/backend/tasks/tests/test_scan.py                     | 1 +
 prowler/CHANGELOG.md                                         | 1 +
 .../ec2_instance_account_imdsv2_enabled.metadata.json        | 3 ++-
 .../ec2_instance_imdsv2_enabled.metadata.json                | 3 ++-
 5 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/api/src/backend/tasks/jobs/scan.py b/api/src/backend/tasks/jobs/scan.py
index 515aea8620..d4bc2afba3 100644
--- a/api/src/backend/tasks/jobs/scan.py
+++ b/api/src/backend/tasks/jobs/scan.py
@@ -202,8 +202,9 @@ def _get_attack_surface_mapping_from_provider(provider_type: str) -> dict:
             "iam_inline_policy_allows_privilege_escalation",
         },
         "ec2-imdsv1": {
-            "ec2_instance_imdsv2_enabled"
-        },  # AWS only - IMDSv1 enabled findings
+            "ec2_instance_imdsv2_enabled",
+            "ec2_instance_account_imdsv2_enabled",
+        },  # AWS only - instance-level IMDSv1 exposure and account IMDS defaults
     }
     for category_name, check_ids in attack_surface_check_mappings.items():
         if check_ids is None:
diff --git a/api/src/backend/tasks/tests/test_scan.py b/api/src/backend/tasks/tests/test_scan.py
index dc13c31e08..0a7193cd4d 100644
--- a/api/src/backend/tasks/tests/test_scan.py
+++ b/api/src/backend/tasks/tests/test_scan.py
@@ -3853,6 +3853,7 @@ class TestAggregateAttackSurface:
             in result["privilege-escalation"]
         )
         assert "ec2_instance_imdsv2_enabled" in result["ec2-imdsv1"]
+        assert "ec2_instance_account_imdsv2_enabled" in result["ec2-imdsv1"]
 
     @patch("tasks.jobs.scan.AttackSurfaceOverview.objects.bulk_create")
     @patch("tasks.jobs.scan.Finding.all_objects.filter")
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index f4af56d82d..7d0915e31b 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -18,6 +18,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs [(#10937)](https://github.com/prowler-cloud/prowler/pull/10937)
 - AWS CodeBuild service now batches `BatchGetProjects` and `BatchGetBuilds` calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in `codebuild_project_not_publicly_accessible` [(#10639)](https://github.com/prowler-cloud/prowler/pull/10639)
 - `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
+- Restore the `ec2-imdsv1` category for EC2 IMDS checks to keep Attack Surface and findings filters aligned [(#10998)](https://github.com/prowler-cloud/prowler/pull/10998)
 
 ### 🐞 Fixed
 
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
index bc074fe730..7228d5dd59 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
@@ -34,7 +34,8 @@
     }
   },
   "Categories": [
-    "secrets"
+    "secrets",
+    "ec2-imdsv1"
   ],
   "DependsOn": [],
   "RelatedTo": [],
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
index 5637f40e23..77d24a4820 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
@@ -36,7 +36,8 @@
   },
   "Categories": [
     "identity-access",
-    "secrets"
+    "secrets",
+    "ec2-imdsv1"
   ],
   "DependsOn": [],
   "RelatedTo": [],

From 22b233f20631eb0e3ed699d44d4d6434f1e62dc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= <pedromarting3@gmail.com>
Date: Tue, 5 May 2026 16:43:18 +0200
Subject: [PATCH 25/29] chore(deps): bump requests to 2.33.1 to fix
 CVE-2026-25645 (#10983)

---
 api/poetry.lock | 14 +++++++-------
 poetry.lock     | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/api/poetry.lock b/api/poetry.lock
index 584c977a2d..f84ad86ba6 100644
--- a/api/poetry.lock
+++ b/api/poetry.lock
@@ -7912,26 +7912,26 @@ shaping = ["uharfbuzz"]
 
 [[package]]
 name = "requests"
-version = "2.32.5"
+version = "2.33.1"
 description = "Python HTTP for Humans."
 optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.10"
 groups = ["main", "dev"]
 files = [
-    {file = "requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6"},
-    {file = "requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf"},
+    {file = "requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a"},
+    {file = "requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517"},
 ]
 
 [package.dependencies]
-certifi = ">=2017.4.17"
+certifi = ">=2023.5.7"
 charset_normalizer = ">=2,<4"
 idna = ">=2.5,<4"
 PySocks = {version = ">=1.5.6,<1.5.7 || >1.5.7", optional = true, markers = "extra == \"socks\""}
-urllib3 = ">=1.21.1,<3"
+urllib3 = ">=1.26,<3"
 
 [package.extras]
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
-use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
+use-chardet-on-py3 = ["chardet (>=3.0.2,<8)"]
 
 [[package]]
 name = "requests-file"
diff --git a/poetry.lock b/poetry.lock
index 601f9035a4..5431a16975 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -5445,25 +5445,25 @@ files = [
 
 [[package]]
 name = "requests"
-version = "2.32.4"
+version = "2.33.1"
 description = "Python HTTP for Humans."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.10"
 groups = ["main", "dev"]
 files = [
-    {file = "requests-2.32.4-py3-none-any.whl", hash = "sha256:27babd3cda2a6d50b30443204ee89830707d396671944c998b5975b031ac2b2c"},
-    {file = "requests-2.32.4.tar.gz", hash = "sha256:27d0316682c8a29834d3264820024b62a36942083d52caf2f14c0591336d3422"},
+    {file = "requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a"},
+    {file = "requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517"},
 ]
 
 [package.dependencies]
-certifi = ">=2017.4.17"
+certifi = ">=2023.5.7"
 charset_normalizer = ">=2,<4"
 idna = ">=2.5,<4"
-urllib3 = ">=1.21.1,<3"
+urllib3 = ">=1.26,<3"
 
 [package.extras]
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
-use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
+use-chardet-on-py3 = ["chardet (>=3.0.2,<8)"]
 
 [[package]]
 name = "requests-file"

From 0ddd7fbd69236abe93547df888bbdc893a73b371 Mon Sep 17 00:00:00 2001
From: BMO <68750272+mohamedsolaiman@users.noreply.github.com>
Date: Tue, 5 May 2026 17:51:58 +0300
Subject: [PATCH 26/29] docs(aws): add guide for extending existing services
 (#10924)

Co-authored-by: Mohamed Solaiman <mohamedsolaiman@users.noreply.github.com>
Co-authored-by: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
---
 docs/developer-guide/aws-details.mdx | 52 ++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/docs/developer-guide/aws-details.mdx b/docs/developer-guide/aws-details.mdx
index 70f94f4006..e6f561ea3d 100644
--- a/docs/developer-guide/aws-details.mdx
+++ b/docs/developer-guide/aws-details.mdx
@@ -73,6 +73,58 @@ The best reference to understand how to implement a new service is following the
 - AWS API calls are wrapped in try/except blocks, with specific handling for `ClientError` and generic exceptions, always logging errors.
 - If ARN is not present for some resource, it can be constructed using string interpolation, always including partition, service, region, account, and resource ID.
 - Tags and additional attributes that cannot be retrieved from the default call, should be collected and stored for each resource using dedicated methods and threading using the resource object list as iterator.
+- When accessing dictionary values from AWS API responses, always use `.get()` with a default value instead of direct dictionary access (e.g., `response.get("Policies", {})` instead of `response["Policies"]`). AWS API responses may not always include all keys, and direct access can cause `KeyError` exceptions that break the entire scan for that service.
+
+### Extending an Existing Service with New Attributes
+
+When adding a new check that requires data not yet collected by an existing service, you need to extend the service by adding new attributes to its resource models and updating the data collection methods. This is a common contributor task that follows a consistent pattern:
+
+1. **Identify the missing data**: Determine which AWS API call provides the data you need and whether it's already being called by the service.
+
+2. **Add new attributes to the resource model**: Extend the Pydantic `BaseModel` class for the resource with the new fields. Use `Optional` types with `None` as the default value to maintain backward compatibility with existing checks.
+
+3. **Update the data collection method**: Modify the existing method that fetches resource details to also extract and store the new attributes. If no existing method fetches the data, add a new method and call it in the constructor using `self.__threading_call__` if possible.
+
+4. **Use safe dictionary access**: When extracting values from API responses, always use `.get()` with appropriate defaults to prevent `KeyError` exceptions when the API doesn't return certain fields.
+
+#### Example: Adding DKIM Status to SES Identities
+
+```python
+# Step 1 & 2: Add new fields to the resource model
+class Identity(BaseModel):
+    name: str
+    arn: str
+    region: str
+    type: Optional[str]
+    policy: Optional[dict] = None
+    tags: Optional[list] = []
+    # New attributes for DKIM check
+    dkim_status: Optional[str] = None
+    dkim_signing_attributes_origin: Optional[str] = None
+
+# Step 3: Update the data collection method
+def _get_email_identities(self, identity):
+    try:
+        regional_client = self.regional_clients[identity.region]
+        identity_attributes = regional_client.get_email_identity(
+            EmailIdentity=identity.name
+        )
+        # Step 4: Use .get() for safe dictionary access
+        for content_key, content_value in identity_attributes.get("Policies", {}).items():
+            identity.policy = loads(content)
+        identity.tags = identity_attributes.get("Tags", [])
+        # Extract new DKIM attributes
+        identity.dkim_status = identity_attributes.get("DkimStatus")
+        identity.dkim_signing_attributes_origin = (
+            identity_attributes.get("DkimSigningAttributesOrigin")
+        )
+    except Exception as error:
+        logger.error(
+            f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+        )
+```
+
+5. **Update the service tests**: Add the new attributes to the test mock data and assertions to verify correct data extraction.
 
 ## Specific Patterns in AWS Checks
 

From 98277689f5336c80b02355cde6c5adad7bec239f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9sar=20Arroba?=
 <19954079+cesararroba@users.noreply.github.com>
Date: Tue, 5 May 2026 17:08:34 +0200
Subject: [PATCH 27/29] ci: reduce GitHub Actions consumption across CI
 workflows (#11007)

---
 .github/workflows/api-code-quality.yml        | 10 ++
 .../workflows/api-container-build-push.yml    |  2 +-
 .github/workflows/api-container-checks.yml    | 30 +++---
 .github/workflows/api-security.yml            | 10 ++
 .github/workflows/api-tests.yml               |  8 ++
 .github/workflows/conventional-commit.yml     |  2 -
 .github/workflows/create-backport-label.yml   |  4 -
 .github/workflows/find-secrets.yml            |  9 +-
 .../workflows/mcp-container-build-push.yml    |  2 +-
 .github/workflows/mcp-container-checks.yml    | 30 +++---
 .github/workflows/mcp-pypi-release.yml        | 21 ++++
 .../nightly-arm64-container-builds.yml        | 98 +++++++++++++++++++
 .github/workflows/pr-check-changelog.yml      |  7 +-
 .../workflows/pr-check-compliance-mapping.yml |  7 +-
 .github/workflows/pr-conflict-checker.yml     |  7 +-
 .../sdk-check-duplicate-test-names.yml        |  3 +
 .github/workflows/sdk-code-quality.yml        | 16 +++
 .../workflows/sdk-container-build-push.yml    | 74 ++------------
 .github/workflows/sdk-container-checks.yml    | 36 +++----
 .github/workflows/sdk-security.yml            | 16 +++
 .github/workflows/sdk-tests.yml               | 14 +++
 .github/workflows/ui-container-build-push.yml |  2 +-
 .github/workflows/ui-container-checks.yml     | 30 +++---
 .github/workflows/ui-e2e-tests-v2.yml         |  4 +
 .github/workflows/ui-tests.yml                |  6 ++
 .github/zizmor.yml                            |  1 +
 26 files changed, 300 insertions(+), 149 deletions(-)
 create mode 100644 .github/workflows/nightly-arm64-container-builds.yml

diff --git a/.github/workflows/api-code-quality.yml b/.github/workflows/api-code-quality.yml
index 1724e51d70..d7bb27aa0a 100644
--- a/.github/workflows/api-code-quality.yml
+++ b/.github/workflows/api-code-quality.yml
@@ -5,10 +5,20 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
+      - '.github/workflows/api-code-quality.yml'
+      - '.github/actions/setup-python-poetry/**'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
+      - '.github/workflows/api-code-quality.yml'
+      - '.github/actions/setup-python-poetry/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml
index e6403ed689..ee73f97f1c 100644
--- a/.github/workflows/api-container-build-push.yml
+++ b/.github/workflows/api-container-build-push.yml
@@ -158,7 +158,7 @@ jobs:
           tags: |
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
           cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
 
   # Create and push multi-architecture manifest
   create-manifest:
diff --git a/.github/workflows/api-container-checks.yml b/.github/workflows/api-container-checks.yml
index 5b59939db9..a7705fdeef 100644
--- a/.github/workflows/api-container-checks.yml
+++ b/.github/workflows/api-container-checks.yml
@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -57,16 +63,7 @@ jobs:
 
   api-container-build-and-scan:
     if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -119,23 +116,22 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
-      - name: Build container for ${{ matrix.arch }}
+      - name: Build container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.API_WORKING_DIR }}
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
 
-      - name: Scan container with Trivy for ${{ matrix.arch }}
+      - name: Scan container with Trivy
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'
diff --git a/.github/workflows/api-security.yml b/.github/workflows/api-security.yml
index 7b8dc72cb1..d3bb9e6108 100644
--- a/.github/workflows/api-security.yml
+++ b/.github/workflows/api-security.yml
@@ -5,10 +5,20 @@ on:
     branches:
       - "master"
       - "v5.*"
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
+      - '.github/workflows/api-security.yml'
+      - '.github/actions/setup-python-poetry/**'
   pull_request:
     branches:
       - "master"
       - "v5.*"
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
+      - '.github/workflows/api-security.yml'
+      - '.github/actions/setup-python-poetry/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml
index 3d4e7e1799..4aec3af59e 100644
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@@ -5,10 +5,18 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
+      - '.github/actions/setup-python-poetry/**'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'api/**'
+      - '.github/workflows/api-tests.yml'
+      - '.github/actions/setup-python-poetry/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/conventional-commit.yml b/.github/workflows/conventional-commit.yml
index 5fc31003a4..b0d6946387 100644
--- a/.github/workflows/conventional-commit.yml
+++ b/.github/workflows/conventional-commit.yml
@@ -4,8 +4,6 @@ on:
   pull_request:
     branches:
       - 'master'
-      - 'v3'
-      - 'v4.*'
       - 'v5.*'
     types:
       - 'opened'
diff --git a/.github/workflows/create-backport-label.yml b/.github/workflows/create-backport-label.yml
index d7aa5709ae..a9ee7f7f95 100644
--- a/.github/workflows/create-backport-label.yml
+++ b/.github/workflows/create-backport-label.yml
@@ -43,14 +43,11 @@ jobs:
 
           echo "Processing release tag: $RELEASE_TAG"
 
-          # Remove 'v' prefix if present (e.g., v3.2.0 -> 3.2.0)
           VERSION_ONLY="${RELEASE_TAG#v}"
 
-          # Check if it's a minor version (X.Y.0)
           if [[ "$VERSION_ONLY" =~ ^([0-9]+)\.([0-9]+)\.0$ ]]; then
             echo "Release $RELEASE_TAG (version $VERSION_ONLY) is a minor version. Proceeding to create backport label."
 
-            # Extract X.Y from X.Y.0 (e.g., 5.6 from 5.6.0)
             MAJOR="${BASH_REMATCH[1]}"
             MINOR="${BASH_REMATCH[2]}"
             TWO_DIGIT_VERSION="${MAJOR}.${MINOR}"
@@ -62,7 +59,6 @@ jobs:
             echo "Label name: $LABEL_NAME"
             echo "Label description: $LABEL_DESC"
 
-            # Check if label already exists
             if gh label list --repo ${{ github.repository }} --limit 1000 | grep -q "^${LABEL_NAME}[[:space:]]"; then
               echo "Label '$LABEL_NAME' already exists."
             else
diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml
index 88f84d6729..e166dbb673 100644
--- a/.github/workflows/find-secrets.yml
+++ b/.github/workflows/find-secrets.yml
@@ -37,10 +37,13 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          # PRs only need the diff range; push to master/release walks the new range from event.before.
+          # 50 is enough headroom for the longest realistic PR/push chain without paying for a full clone.
+          fetch-depth: 50
           persist-credentials: false
 
-      - name: Scan for secrets with TruffleHog
+      - name: Scan diff for secrets with TruffleHog
+        # Action auto-injects --since-commit/--branch from event payload; passing them in extra_args produces duplicate flags.
         uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4
         with:
-          extra_args: '--results=verified,unknown'
+          extra_args: --results=verified,unknown
diff --git a/.github/workflows/mcp-container-build-push.yml b/.github/workflows/mcp-container-build-push.yml
index 90157db9ab..1e1338e61c 100644
--- a/.github/workflows/mcp-container-build-push.yml
+++ b/.github/workflows/mcp-container-build-push.yml
@@ -152,7 +152,7 @@ jobs:
             org.opencontainers.image.created=${{ github.event_name == 'release' && github.event.release.published_at || github.event.head_commit.timestamp }}
             ${{ github.event_name == 'release' && format('org.opencontainers.image.version={0}', env.RELEASE_TAG) || '' }}
           cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
 
   # Create and push multi-architecture manifest
   create-manifest:
diff --git a/.github/workflows/mcp-container-checks.yml b/.github/workflows/mcp-container-checks.yml
index b205232b0c..5b750f0998 100644
--- a/.github/workflows/mcp-container-checks.yml
+++ b/.github/workflows/mcp-container-checks.yml
@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'mcp_server/**'
+      - '.github/workflows/mcp-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'mcp_server/**'
+      - '.github/workflows/mcp-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -56,16 +62,7 @@ jobs:
 
   mcp-container-build-and-scan:
     if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -112,23 +109,22 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
-      - name: Build MCP container for ${{ matrix.arch }}
+      - name: Build MCP container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ${{ env.MCP_WORKING_DIR }}
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
 
-      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
+      - name: Scan MCP container with Trivy
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'
diff --git a/.github/workflows/mcp-pypi-release.yml b/.github/workflows/mcp-pypi-release.yml
index cccda1f664..92015873b5 100644
--- a/.github/workflows/mcp-pypi-release.yml
+++ b/.github/workflows/mcp-pypi-release.yml
@@ -86,11 +86,32 @@ jobs:
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
+      # The MCP server version (mcp_server/pyproject.toml) is decoupled from the Prowler release
+      # version: it only changes when MCP code changes. mcp-bump-version.yml normally keeps it in
+      # sync with mcp_server/CHANGELOG.md, but this publish workflow still runs on every release.
+      # Pre-flight PyPI check covers the legitimate "no MCP changes for this release" case (and any
+      # workflow_dispatch re-runs) without failing with HTTP 400 (version exists).
+      - name: Check if prowler-mcp version already exists on PyPI
+        id: pypi-check
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+        run: |
+          MCP_VERSION=$(grep '^version' pyproject.toml | head -1 | sed -E 's/^version[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/')
+          echo "mcp_version=${MCP_VERSION}" >> "$GITHUB_OUTPUT"
+          if curl -fsS "https://pypi.org/pypi/prowler-mcp/${MCP_VERSION}/json" >/dev/null 2>&1; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Skipping prowler-mcp publish::Version ${MCP_VERSION} already exists on PyPI; bump mcp_server/pyproject.toml to publish a new release."
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Publishing prowler-mcp::Version ${MCP_VERSION} not on PyPI yet; proceeding."
+          fi
+
       - name: Build prowler-mcp package
+        if: steps.pypi-check.outputs.skip != 'true'
         working-directory: ${{ env.WORKING_DIRECTORY }}
         run: uv build
 
       - name: Publish prowler-mcp package to PyPI
+        if: steps.pypi-check.outputs.skip != 'true'
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           packages-dir: ${{ env.WORKING_DIRECTORY }}/dist/
diff --git a/.github/workflows/nightly-arm64-container-builds.yml b/.github/workflows/nightly-arm64-container-builds.yml
new file mode 100644
index 0000000000..c3ad0a92d5
--- /dev/null
+++ b/.github/workflows/nightly-arm64-container-builds.yml
@@ -0,0 +1,98 @@
+name: 'Nightly: ARM64 Container Builds'
+
+# Mitigation for amd64-only PR container-checks: build amd64+arm64 nightly against
+# master to keep arm-specific Dockerfile regressions caught quickly. Build only —
+# no push, no Trivy (weekly checks already cover that).
+
+on:
+  schedule:
+    - cron: '0 4 * * *'
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  build-arm64:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-24.04-arm
+    timeout-minutes: 60
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - component: sdk
+            context: .
+            dockerfile: ./Dockerfile
+            image_name: prowler
+          - component: api
+            context: ./api
+            dockerfile: ./api/Dockerfile
+            image_name: prowler-api
+          - component: ui
+            context: ./ui
+            dockerfile: ./ui/Dockerfile
+            image_name: prowler-ui
+            target: prod
+            build_args: |
+              NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
+          - component: mcp
+            context: ./mcp_server
+            dockerfile: ./mcp_server/Dockerfile
+            image_name: prowler-mcp
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build ${{ matrix.component }} container (linux/arm64)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          context: ${{ matrix.context }}
+          file: ${{ matrix.dockerfile }}
+          target: ${{ matrix.target }}
+          push: false
+          load: false
+          platforms: linux/arm64
+          tags: ${{ matrix.image_name }}:nightly-arm64
+          build-args: ${{ matrix.build_args }}
+          cache-from: type=gha,scope=arm64
+          cache-to: type=gha,mode=min,scope=arm64
+
+  notify-failure:
+    needs: build-arm64
+    if: failure() && github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Notify Slack on failure
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_PLATFORM_DEPLOYMENTS }}
+            text: ":rotating_light: Nightly arm64 container build failed for prowler — <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|view run>"
+          errors: true
diff --git a/.github/workflows/pr-check-changelog.yml b/.github/workflows/pr-check-changelog.yml
index fa01ba4cbe..076ffea55c 100644
--- a/.github/workflows/pr-check-changelog.yml
+++ b/.github/workflows/pr-check-changelog.yml
@@ -41,10 +41,15 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
+      - name: Fetch PR base ref for tj-actions/changed-files
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: git fetch --depth=1 origin "${BASE_REF}"
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
diff --git a/.github/workflows/pr-check-compliance-mapping.yml b/.github/workflows/pr-check-compliance-mapping.yml
index be934d5983..d906a522f1 100644
--- a/.github/workflows/pr-check-compliance-mapping.yml
+++ b/.github/workflows/pr-check-compliance-mapping.yml
@@ -45,10 +45,15 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
           # zizmor: ignore[artipacked]
           persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
+      - name: Fetch PR base ref for tj-actions/changed-files
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: git fetch --depth=1 origin "${BASE_REF}"
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml
index 667f807be8..d8036f1432 100644
--- a/.github/workflows/pr-conflict-checker.yml
+++ b/.github/workflows/pr-conflict-checker.yml
@@ -36,9 +36,14 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0
+          fetch-depth: 1
           persist-credentials: false
 
+      - name: Fetch PR base ref for tj-actions/changed-files
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: git fetch --depth=1 origin "${BASE_REF}"
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
diff --git a/.github/workflows/sdk-check-duplicate-test-names.yml b/.github/workflows/sdk-check-duplicate-test-names.yml
index 17c595ca11..e5e5506df3 100644
--- a/.github/workflows/sdk-check-duplicate-test-names.yml
+++ b/.github/workflows/sdk-check-duplicate-test-names.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'tests/providers/**/*_test.py'
+      - '.github/workflows/sdk-check-duplicate-test-names.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/sdk-code-quality.yml b/.github/workflows/sdk-code-quality.yml
index b777ee1657..87c6598942 100644
--- a/.github/workflows/sdk-code-quality.yml
+++ b/.github/workflows/sdk-code-quality.yml
@@ -5,10 +5,26 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
+      - '.github/workflows/sdk-code-quality.yml'
+      - '.github/actions/setup-python-poetry/**'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
+      - '.github/workflows/sdk-code-quality.yml'
+      - '.github/actions/setup-python-poetry/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/sdk-container-build-push.yml b/.github/workflows/sdk-container-build-push.yml
index 8a2bba691c..c55c3cceca 100644
--- a/.github/workflows/sdk-container-build-push.yml
+++ b/.github/workflows/sdk-container-build-push.yml
@@ -3,9 +3,7 @@ name: 'SDK: Container Build and Push'
 on:
   push:
     branches:
-      - 'v3'      # For v3-latest
-      - 'v4.6'    # For v4-latest
-      - 'master'  # For latest
+      - 'master'
     paths-ignore:
       - '.github/**'
       - '!.github/workflows/sdk-container-build-push.yml'
@@ -56,7 +54,6 @@ jobs:
     timeout-minutes: 5
     outputs:
       prowler_version: ${{ steps.get-prowler-version.outputs.prowler_version }}
-      prowler_version_major: ${{ steps.get-prowler-version.outputs.prowler_version_major }}
       latest_tag: ${{ steps.get-prowler-version.outputs.latest_tag }}
       stable_tag: ${{ steps.get-prowler-version.outputs.stable_tag }}
     permissions:
@@ -92,32 +89,13 @@ jobs:
           PROWLER_VERSION="$(poetry version -s 2>/dev/null)"
           echo "prowler_version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}"
 
-          # Extract major version
           PROWLER_VERSION_MAJOR="${PROWLER_VERSION%%.*}"
-          echo "prowler_version_major=${PROWLER_VERSION_MAJOR}" >> "${GITHUB_OUTPUT}"
-
-          # Set version-specific tags
-          case ${PROWLER_VERSION_MAJOR} in
-            3)
-              echo "latest_tag=v3-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v3-stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v3 detected - tags: v3-latest, v3-stable"
-              ;;
-            4)
-              echo "latest_tag=v4-latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=v4-stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v4 detected - tags: v4-latest, v4-stable"
-              ;;
-            5)
-              echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
-              echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
-              echo "✓ Prowler v5 detected - tags: latest, stable"
-              ;;
-            *)
-              echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
-              exit 1
-              ;;
-          esac
+          if [[ "${PROWLER_VERSION_MAJOR}" != "5" ]]; then
+            echo "::error::Unsupported Prowler major version: ${PROWLER_VERSION_MAJOR}"
+            exit 1
+          fi
+          echo "latest_tag=latest" >> "${GITHUB_OUTPUT}"
+          echo "stable_tag=stable" >> "${GITHUB_OUTPUT}"
 
   notify-release-started:
     if: github.repository == 'prowler-cloud/prowler' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch')
@@ -228,7 +206,7 @@ jobs:
           tags: |
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-${{ matrix.arch }}
           cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
 
   # Create and push multi-architecture manifest
   create-manifest:
@@ -386,39 +364,3 @@ jobs:
           payload-file-path: "./.github/scripts/slack-messages/container-release-completed.json"
           step-outcome: ${{ steps.outcome.outputs.outcome }}
           update-ts: ${{ needs.notify-release-started.outputs.message-ts }}
-
-  dispatch-v3-deployment:
-    needs: [setup, container-build-push]
-    if: always() && needs.setup.outputs.prowler_version_major == '3' && needs.setup.result == 'success' && needs.container-build-push.result == 'success'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Calculate short SHA
-        id: short-sha
-        run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
-
-      - name: Dispatch v3 deployment (latest)
-        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
-          event-type: dispatch
-          client-payload: '{"version":"v3-latest","tag":"${{ steps.short-sha.outputs.short_sha }}"}'
-
-      - name: Dispatch v3 deployment (release)
-        if: github.event_name == 'release'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
-          repository: ${{ secrets.DISPATCH_OWNER }}/${{ secrets.DISPATCH_REPO }}
-          event-type: dispatch
-          client-payload: '{"version":"release","tag":"${{ needs.setup.outputs.prowler_version }}"}'
diff --git a/.github/workflows/sdk-container-checks.yml b/.github/workflows/sdk-container-checks.yml
index 3474df676e..218c4e7ebc 100644
--- a/.github/workflows/sdk-container-checks.yml
+++ b/.github/workflows/sdk-container-checks.yml
@@ -5,10 +5,22 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'Dockerfile*'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'Dockerfile*'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -56,16 +68,7 @@ jobs:
 
   sdk-container-build-and-scan:
     if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -132,23 +135,22 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
-      - name: Build SDK container for ${{ matrix.arch }}
+      - name: Build SDK container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
 
-      - name: Scan SDK container with Trivy for ${{ matrix.arch }}
+      - name: Scan SDK container with Trivy
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'
diff --git a/.github/workflows/sdk-security.yml b/.github/workflows/sdk-security.yml
index ceb6b1db1c..81504a4ec1 100644
--- a/.github/workflows/sdk-security.yml
+++ b/.github/workflows/sdk-security.yml
@@ -5,10 +5,26 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
+      - '.github/workflows/sdk-security.yml'
+      - '.github/actions/setup-python-poetry/**'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
+      - '.github/workflows/sdk-security.yml'
+      - '.github/actions/setup-python-poetry/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/sdk-tests.yml b/.github/workflows/sdk-tests.yml
index 0646e5f8b5..d3cdc1be29 100644
--- a/.github/workflows/sdk-tests.yml
+++ b/.github/workflows/sdk-tests.yml
@@ -5,10 +5,24 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
+      - '.github/actions/setup-python-poetry/**'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'prowler/**'
+      - 'tests/**'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - '.github/workflows/sdk-tests.yml'
+      - '.github/actions/setup-python-poetry/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/ui-container-build-push.yml b/.github/workflows/ui-container-build-push.yml
index 6fab2d1efb..d8db786d49 100644
--- a/.github/workflows/ui-container-build-push.yml
+++ b/.github/workflows/ui-container-build-push.yml
@@ -151,7 +151,7 @@ jobs:
           tags: |
             ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-${{ matrix.arch }}
           cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }},scope=${{ matrix.arch }}
 
   # Create and push multi-architecture manifest
   create-manifest:
diff --git a/.github/workflows/ui-container-checks.yml b/.github/workflows/ui-container-checks.yml
index eb7b508b58..d6ebaf46a3 100644
--- a/.github/workflows/ui-container-checks.yml
+++ b/.github/workflows/ui-container-checks.yml
@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-container-checks.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-container-checks.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -57,16 +63,7 @@ jobs:
 
   ui-container-build-and-scan:
     if: github.repository == 'prowler-cloud/prowler'
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-            arch: amd64
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-            arch: arm64
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
       contents: read
@@ -114,7 +111,7 @@ jobs:
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
-      - name: Build UI container for ${{ matrix.arch }}
+      - name: Build UI container
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
@@ -122,18 +119,17 @@ jobs:
           target: prod
           push: false
           load: true
-          platforms: ${{ matrix.platform }}
-          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
           build-args: |
             NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX
 
-      - name: Scan UI container with Trivy for ${{ matrix.arch }}
+      - name: Scan UI container with Trivy
         if: steps.check-changes.outputs.any_changed == 'true'
         uses: ./.github/actions/trivy-scan
         with:
           image-name: ${{ env.IMAGE_NAME }}
-          image-tag: ${{ github.sha }}-${{ matrix.arch }}
+          image-tag: ${{ github.sha }}
           fail-on-critical: 'false'
           severity: 'CRITICAL'
diff --git a/.github/workflows/ui-e2e-tests-v2.yml b/.github/workflows/ui-e2e-tests-v2.yml
index 2a91e460be..883f07e2d8 100644
--- a/.github/workflows/ui-e2e-tests-v2.yml
+++ b/.github/workflows/ui-e2e-tests-v2.yml
@@ -15,6 +15,10 @@ on:
       - 'ui/**'
       - 'api/**'  # API changes can affect UI E2E
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml
index c11e90b8f4..6d71a9eedf 100644
--- a/.github/workflows/ui-tests.yml
+++ b/.github/workflows/ui-tests.yml
@@ -5,10 +5,16 @@ on:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-tests.yml'
   pull_request:
     branches:
       - 'master'
       - 'v5.*'
+    paths:
+      - 'ui/**'
+      - '.github/workflows/ui-tests.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 931ef1b94c..ed0d3682d8 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -8,6 +8,7 @@ rules:
       - docs-bump-version.yml
       - issue-triage.lock.yml
       - mcp-container-build-push.yml
+      - nightly-arm64-container-builds.yml
       - pr-merged.yml
       - prepare-release.yml
       - sdk-bump-version.yml

From 1194d343961f4f5b5cfdfc754fe5a56830d7cc16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9sar=20Arroba?=
 <19954079+cesararroba@users.noreply.github.com>
Date: Wed, 6 May 2026 00:09:34 +0200
Subject: [PATCH 28/29] ci(ui-e2e): reduce Playwright artifact retention to 7
 days (#11018)

---
 .github/workflows/ui-e2e-tests-v2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ui-e2e-tests-v2.yml b/.github/workflows/ui-e2e-tests-v2.yml
index 883f07e2d8..aab93057c7 100644
--- a/.github/workflows/ui-e2e-tests-v2.yml
+++ b/.github/workflows/ui-e2e-tests-v2.yml
@@ -270,7 +270,7 @@ jobs:
         with:
           name: playwright-report
           path: ui/playwright-report/
-          retention-days: 30
+          retention-days: 7
 
       - name: Cleanup services
         if: always()

From 16798e293da365965120961e6539e3a9756564f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9sar=20Arroba?=
 <19954079+cesararroba@users.noreply.github.com>
Date: Wed, 6 May 2026 00:33:40 +0200
Subject: [PATCH 29/29] ci(pr-conflict-checker): restore persist-credentials so
 base ref fetch works on private mirrors (#11019)

---
 .github/workflows/pr-conflict-checker.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml
index d8036f1432..6eeac30d82 100644
--- a/.github/workflows/pr-conflict-checker.yml
+++ b/.github/workflows/pr-conflict-checker.yml
@@ -37,7 +37,8 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 1
-          persist-credentials: false
+          # zizmor: ignore[artipacked]
+          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
 
       - name: Fetch PR base ref for tj-actions/changed-files
         env: